Recent observations have revealed that Russian threat actors, UTA0352 and UTA0355, are targeting individuals and organizations tied to Ukraine and human rights using sophisticated phishing techniques that leverage Microsoft OAuth 2.0 workflows. These attacks involve social engineering tactics through messaging apps like Signal and WhatsApp, utilizing impersonation and compromised accounts to gain unauthorized access to Microsoft 365 accounts.
Affected: NGOs, human rights organizations, Ukraine, email accounts
Key points:
- Russian threat actors are targeting Ukrainian-related individuals and organizations through aggressive phishing campaigns since March 2025.
- The attackers impersonate officials from various European nations and leverage compromised Ukrainian Government accounts.
- Messaging platforms like Signal and WhatsApp are used to contact targets, inviting them to join meetings or events.
- Attacks involve convincing victims to hand over Microsoft OAuth authorization codes, which the attackers redeem to gain access to the victims' M365 accounts.
- Volexity is tracking at least two distinct Russian actors, UTA0352 and UTA0355, behind these phishing attempts.
- Both actors utilize social engineering and phishing strategies via legitimate Microsoft 365 authentication methods.
- Phishing methods have evolved to include sophisticated techniques such as device registration using OAuth authorization codes.
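The lure links in this campaign are genuine Microsoft authorize URLs, so the useful triage question is what the link's parameters do rather than where it points. The following is an added example, not Volexity's code nor anything from the report: a heuristic that parses a Microsoft OAuth authorize URL and flags the traits the report describes (a URL-shaped `state` value used as a lure, a redirect to an endpoint that displays the code to the user, and a scope that yields a refresh token). The sample URL is constructed with placeholder values; the hostnames are those listed on this page, and treating `offline_access` as a persistence signal is the author's own addition.

```python
from urllib.parse import urlparse, parse_qs

# Redirect endpoints named in the report that show the returned authorization
# code in the browser, from where a victim can be talked into copying it.
CODE_DISPLAY_REDIRECT_HOSTS = {
    "insiders.vscode.dev",
    "vscode-redirect.azurewebsites.net",
}
MS_AUTHORIZE_HOSTS = {"login.microsoftonline.com", "login.microsoft.com"}

# Constructed sample in the shape of the reported lure (values are placeholders).
SAMPLE_LURE = (
    "https://login.microsoftonline[.]com/organizations/oauth2/v2.0/authorize"
    "?client_id=PLACEHOLDER&response_type=code&scope=openid%20offline_access"
    "&redirect_uri=https%3A%2F%2Finsiders.vscode.dev%2Fredirect"
    "&state=https://mae.gov[.]ro/PLACEHOLDER"
)


def triage_authorize_url(url: str) -> list[str]:
    """Return the suspicious traits of a Microsoft OAuth authorize URL.

    An empty list means nothing stood out. This is a triage heuristic for
    links received over chat or mail, not a verdict: legitimate first-party
    clients also use some of these parameters.
    """
    u = urlparse(url.replace("[.]", "."))  # accept defanged IOCs unchanged
    if u.hostname not in MS_AUTHORIZE_HOSTS or "/oauth2/" not in u.path:
        return []  # not a Microsoft authorize URL: out of scope here
    q = {k: v[0] for k, v in parse_qs(u.query).items()}
    findings = []
    # state is meant to be an opaque anti-CSRF nonce; a URL-shaped state only
    # serves to make the link read as if it led to the named site.
    state = q.get("state", "")
    if state.lower().startswith(("http://", "https://")):
        findings.append(f"state carries a URL lure: {urlparse(state).hostname}")
    # Authorization-code flow whose redirect lands on a page that prints the
    # code for the user instead of delivering it to a registered app backend.
    redirect_host = urlparse(q.get("redirect_uri", "")).hostname
    if "code" in q.get("response_type", "").split() and redirect_host in CODE_DISPLAY_REDIRECT_HOSTS:
        findings.append(f"code returned to a code-display redirect: {redirect_host}")
    # offline_access yields a refresh token, so a redeemed code outlives the session.
    if "offline_access" in q.get("scope", "").split():
        findings.append("offline_access requested (refresh-token persistence)")
    return findings


if __name__ == "__main__":
    for finding in triage_authorize_url(SAMPLE_LURE):
        print("-", finding)
```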
MITRE Techniques:
- Social Engineering: Phishing (T1566) - Attackers employ social engineering tactics to gain the victim's trust and lure them into providing sensitive information.
- Credential Dumping (T1003) - Victims unknowingly provide OAuth authorization codes, enabling attackers to access their credentials and resources.
- Abuse Elevation Control Mechanism (T1068) - Attackers leverage compromised accounts and impersonate officials to escalate privileges in M365.
- Application Layer Protocol (T1071) - Phishing campaigns use legitimate OAuth protocols to communicate with and exploit M365 services.
- Account Access (T1088) - Attackers gain access to victims' M365 accounts by exploiting the OAuth workflows.
Indicators of Compromise:
- URL https://login.microsoftonline[.]com/organizations/oauth2/v2.0/authorize?state=https://mae.gov[.]ro/[REMOVED]
- URL https://insiders.vscode.dev/redirect
- URL https://vscode-redirect.azurewebsites.net
- Email from a compromised Ukrainian Government account.
- OAuth authorization codes generated during the phishing campaign.