Dangerous Invitations: Russian Threat Actor Spoofs European Security Events in Targeted Phishing Attacks


Volexity observed Russian threat actor UTA0355 conducting targeted OAuth and Device Code phishing campaigns that impersonate international events to trick users into granting access to Microsoft accounts. These operations used polished fake websites, rapport-building via email and messaging apps, compromised accounts, and proxy infrastructure to access Microsoft 365 data and expand targeting. #UTA0355 #Microsoft365

Key points

  • Russian threat actor tracked as UTA0355 is abusing Microsoft 365 OAuth and Device Code authentication workflows to phish credentials and obtain access to user accounts.
  • Campaigns impersonate legitimate international events (Belgrade Security Conference, Brussels Indo‑Pacific Dialogue, World Nuclear Exhibition) using attacker-controlled domains and professional fake registration sites.
  • Attackers employ rapport-building phishing, live support via WhatsApp/Signal, and compromised sender accounts to increase credibility and click-through rates.
  • Phishing workflow: targeted email → fake registration page requesting corporate email → OAuth/Device Code authentication flow → victim returns URL/code → attacker redeems token and accesses Microsoft 365 resources.
  • Post-compromise activity included creating a new device in Microsoft Entra ID with a cloned device name, access from a device reporting an Android Dalvik user agent, and use of residential/proxy IPs for access.
  • Attackers registered multiple infrastructure domains (bsc2025[.]org, brussels-indo-pacific-forum[.]org, others) and used tactics like updating older domains to evade reputation checks; Volexity continues to observe and share indicators and offers investigative assistance.
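The post-compromise artifacts listed above (Device Code sign-ins, a Dalvik user agent paired with a Windows-style device name, and a cloned device display name) can be turned into simple triage rules over Entra ID sign-in data. The following is an added example, not code from Volexity or from the original post; the records and field names are constructed to loosely mirror sign-in log fields and are assumptions, not real telemetry.

```python
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed sample records (made-up users, device ids and IPs), shaped after
# Entra ID sign-in log fields: authenticationProtocol, userAgent,
# deviceDetail.deviceId and deviceDetail.displayName. Not real telemetry.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"user": "alice@example.org", "auth_protocol": "deviceCode", "device_id": "d-001",
     "device_name": "DESKTOP-ALICE01",
     "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"},
    {"user": "alice@example.org", "auth_protocol": "none", "device_id": "d-002",
     "device_name": "DESKTOP-ALICE01",
     "user_agent": "Dalvik/2.1.0 (Linux; U; Android 14; 2211133C Build/UKQ1.230705.002) ;Xiaomi"},
    {"user": "bob@example.org", "auth_protocol": "none", "device_id": "d-003",
     "device_name": "Bob's iPhone",
     "user_agent": "Mozilla/5.0 (iPhone; CPU iPhone OS 17_0 like Mac OS X)"},
]

Finding = Tuple[str, str, str]  # (user, rule name, detail)


def triage_signins(events: List[Dict[str, str]]) -> List[Finding]:
    """Flag sign-in records matching the indicators described in the post."""
    findings: List[Finding] = []
    # user -> device display name -> set of device ids seen under that name
    seen = defaultdict(lambda: defaultdict(set))
    for e in events:
        ua = e["user_agent"]
        # Device Code flow is rare for ordinary users and is the flow being phished
        if e["auth_protocol"] == "deviceCode":
            findings.append((e["user"], "device_code_flow", e["device_id"]))
        # Android Dalvik user agent was observed during attacker access
        if ua.startswith("Dalvik/"):
            findings.append((e["user"], "dalvik_user_agent", ua))
            # An Android client claiming a Windows-style device name is inconsistent
            if e["device_name"].startswith("DESKTOP-"):
                findings.append((e["user"], "ua_device_mismatch", e["device_name"]))
        seen[e["user"]][e["device_name"]].add(e["device_id"])
    # The same display name attached to more than one device object for a user
    # matches the cloned-device-name behaviour
    for user, by_name in seen.items():
        for name, ids in by_name.items():
            if len(ids) > 1:
                findings.append((user, "duplicate_device_name", name))
    return findings


if __name__ == "__main__":
    for f in triage_signins(SAMPLE_EVENTS):
        print(f)
```

Each rule is noisy on its own; the value is in correlating several of them on one account within a short window, then reviewing that account's OAuth consents and registered devices.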

MITRE Techniques

  • [T1566.002] Spearphishing Link – Attackers sent targeted emails containing links to fake event registration pages that initiated OAuth/Device Code phishing workflows (‘The hyperlink in the email above led to a Microsoft-owned URL that could be abused as part of an OAuth phishing workflow:’).
  • [T1078] Valid Accounts – After phishing, the actor used compromised Microsoft 365 accounts to access files and resources and send phishing content from legitimate accounts (‘After successfully phishing the user, the attacker used the user’s Microsoft account to access a wide variety of files through Microsoft 365.’).
  • [T1090] Proxy – Post-compromise access and attacker activity were observed via residential IPs and proxy networks to hide origin and blend activity (‘subsequent attempted attacker activity via a residential Comcast IP address in the United States, which according to spur.us, belonged to a proxy network.’).
  • [T1583] Acquire Infrastructure – The actor registered and used multiple domains and hosting infrastructure impersonating events to host phishing pages and registration flows (‘Volexity discovered the following domains: world-nuclear-exhibition-paris[.]com …’ and WHOIS shows domain updates used to evade reputation checks).

Indicators of Compromise

  • [Domain] phishing/decoy sites used to impersonate events – bsc2025[.]org, brussels-indo-pacific-forum[.]org, and other domains like world-nuclear-exhibition-paris[.]com, wne-2025[.]com (and 1 more).
  • [URL] OAuth/Device Code phishing endpoints and Microsoft redirect URLs – example OAuth URL: https://login.microsoft[.]com/common/oauth2/authorize?… and reprocess URL: https://login.microsoftonline[.]com/common/reprocess?ctx=…[snipped].
  • [Email/Registrar] registrar/registration contact used to create infrastructure – registration email service mailum[.]com and attacker-created Gmail account used for spear-phishing outreach.
  • [WHOIS] domain registration metadata used to evade reputation checks – USTRS.COM WHOIS excerpt showing Updated Date: 2025-10-31 and Creation Date: 2020-02-05.
  • [Device Name] device enumeration and impersonation in Entra ID – example device naming pattern DESKTOP-[REDACTED] and attacker-cloned names like ‘Charles E. Cheese’s iPhone’ used to mimic legitimate devices.
  • [User Agent] fingerprinting of attacker access – Dalvik/2.1.0 (Linux; U; Android 14; 2211133C Build/UKQ1.230705.002) ;Xiaomi observed during access.
  • [Cookie] tracking used in registration workflow – cookie_reg cookie containing a Base64-encoded version of the registrant email used to record interest or trigger phishing flows.
  • [Network/IP] infrastructure for post-compromise activity – activity observed via a residential Comcast IP address tied to a proxy network (specific IPs not provided in article).

Read more: https://www.volexity.com/blog/2025/12/04/dangerous-invitations-russian-threat-actor-spoofs-european-security-events-in-targeted-phishing-attacks/