Russian Hackers Exploit Microsoft OAuth to Target Ukraine Allies via Signal and WhatsApp

News Room, published 23 April 2025 (last updated 2025/04/23 at 8:14 AM)

Since early March 2025, multiple suspected Russia-linked threat actors have been “aggressively” targeting individuals and organizations with ties to Ukraine and human rights, aiming to gain unauthorized access to Microsoft 365 accounts.

The highly targeted social engineering operations, per Volexity, are a shift from previously documented attacks that leveraged a technique known as device code phishing to achieve the same goals, indicating that Russian adversaries are actively refining their tradecraft.

“These recently observed attacks rely heavily on one-on-one interaction with a target, as the threat actor must both convince them to click a link and send back a Microsoft-generated code,” security researchers Charlie Gardner, Josh Duke, Matthew Meltzer, Sean Koessel, Steven Adair, and Tom Lancaster said in an exhaustive analysis.

At least two different threat clusters tracked as UTA0352 and UTA0355 are assessed to be behind the attacks, although the possibility that they could also be related to APT29, UTA0304, and UTA0307 hasn’t been ruled out.

The latest set of attacks is characterized by a new technique that abuses legitimate Microsoft OAuth 2.0 authentication workflows. The threat actors impersonate officials from various European nations and, in at least one case, have used a compromised Ukrainian government account to trick victims into handing over a Microsoft-generated OAuth code, which the attackers then use to take control of their accounts.

Messaging apps such as Signal and WhatsApp are used to contact targets, inviting them to join a video call or register for private meetings with various national European political officials or for upcoming events centered around Ukraine. These efforts seek to dupe victims into clicking links hosted on Microsoft 365 infrastructure.

“If the target responded to messages, the conversation would quickly progress towards actually scheduling an agreed-upon time for the meeting,” Volexity said. “As the agreed meeting time approached, the purported European political official would make contact again and share instructions on how to join the meeting.”

The instructions take the form of a document, after which the supposed official sends a link to the target to join the meeting. These URLs all redirect to the official login portal for Microsoft 365.

Specifically, the supplied links are designed to redirect to official Microsoft URLs and generate a Microsoft Authorization Token in the process, which would then appear as part of the URI or within the body of the redirect page. The attack subsequently seeks to trick the victim into sharing the code with the threat actors.

This is achieved by redirecting the authenticated user to an in-browser version of Visual Studio Code at insiders.vscode[.]dev where the token is displayed to the user. Should the victim share the OAuth code, UTA0352 proceeds to generate an access token that ultimately allows access to the victim’s M365 account.

Volexity said it also observed an earlier iteration of the campaign that redirects users to the website “vscode-redirect.azurewebsites[.]net,” which, in turn, redirects to the localhost IP address (127.0.0.1).

“When this happens, instead of yielding a user interface with the Authorization Code, the code is only available in the URL,” the researchers explained. “This yields a blank page when rendered in the user’s browser. The attacker must request that the user share the URL from their browser in order for the attacker to obtain the code.”

Another social engineering attack identified in early April 2025 is said to have involved UTA0355 using an already compromised Ukrainian Government email account to send spear-phishing emails to targets, followed by sending messages on Signal and WhatsApp.

These messages invited targets to join a video conference related to Ukraine’s efforts to investigate and prosecute “atrocity crimes” and the country’s collaboration with international partners. While the ultimate intention of the activity is the same as UTA0352’s, there is a crucial difference.

As in the other instance, the threat actors abuse the legitimate Microsoft 365 authentication API to gain access to the victim’s email data. Here, however, the stolen OAuth authorization code is used to permanently register a new device in the victim’s Microsoft Entra ID (formerly Azure Active Directory).

In the next phase, the attacker orchestrates a second round of social engineering in order to convince the targets to approve a two-factor authentication request and hijack the account.

“In this interaction, UTA0355 requested that the victim approve a two-factor authentication (2FA) request to ‘gain access to a SharePoint instance associated with the conference,'” Volexity said. “This was required to bypass additional security requirements, which were put in place by the victim’s organization, in order to gain access to their email.”

To detect and mitigate these attacks, organizations are advised to audit newly registered devices, educate users about the risks associated with unsolicited contacts on messaging platforms, and implement conditional access policies that restrict access to organizational resources to only approved or managed devices.

“These recent campaigns benefit from all user interactions taking place on Microsoft’s official infrastructure; there is no attacker-hosted infrastructure used in these attacks,” the company added.

“Similarly, these attacks do not involve malicious or attacker-controlled OAuth applications for which the user must explicitly grant access (and thus could easily be blocked by organizations). The use of Microsoft first-party applications that already have consent granted has proven to make prevention and detection of this technique rather difficult.”
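The two observations above, that defenders should audit newly registered devices and that the abused client is a first-party Microsoft application already holding consent, point to a correlation a tenant can run on logs it already collects: a successful sign-in through the first-party Visual Studio Code client followed, within a short window, by a device registration for the same user. The script below is an added example written for this article, not Volexity’s or Microsoft’s code. Every log line in it is constructed, the field names are simplified from the general shape of Entra sign-in and audit exports, the application IDs are placeholders, and the audit activity name is an assumption.

```python
"""Correlate constructed Entra ID sign-in and audit events to flag the
pattern described in the article: a successful OAuth sign-in through a
first-party Microsoft client (Visual Studio Code) followed, within a short
window, by a new device registration for the same user.

Added example for this article. Field names are simplified from the shape
of Entra sign-in / audit log exports; every log line below is constructed
and the application IDs are placeholders, not real identifiers.
"""
import json
from datetime import datetime, timedelta

FIRST_PARTY_CLIENT = "Visual Studio Code"      # app display name named in the article
DEVICE_REGISTRATION = "Add registered device"  # audit activity to watch (assumed name)

# Constructed sample log in JSON Lines form. Not real telemetry.
SAMPLE_LOG = """\
{"type":"signin","time":"2025-04-02T09:12:03Z","user":"analyst@example.org","appDisplayName":"Visual Studio Code","appId":"PLACEHOLDER-VSCODE-APPID","ip":"203.0.113.10","result":"success"}
{"type":"signin","time":"2025-04-02T09:14:41Z","user":"analyst@example.org","appDisplayName":"Office 365 Exchange Online","appId":"PLACEHOLDER-EXO-APPID","ip":"198.51.100.7","result":"success"}
{"type":"audit","time":"2025-04-02T09:20:15Z","user":"analyst@example.org","activity":"Add registered device","deviceName":"DESKTOP-NEW01"}
{"type":"signin","time":"2025-04-02T10:05:00Z","user":"dev@example.org","appDisplayName":"Visual Studio Code","appId":"PLACEHOLDER-VSCODE-APPID","ip":"192.0.2.44","result":"success"}
{"type":"audit","time":"2025-04-03T15:00:00Z","user":"carol@example.org","activity":"Add registered device","deviceName":"LAPTOP-C"}
"""


def parse_events(text):
    """Parse JSON Lines into event dicts, adding a timezone-aware datetime."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        ev["_t"] = datetime.fromisoformat(ev["time"].replace("Z", "+00:00"))
        events.append(ev)
    return sorted(events, key=lambda e: e["_t"])


def find_suspicious(events, baseline_users=frozenset(), window=timedelta(hours=24)):
    """Return alerts, each a dict with severity, user and reason.

    baseline_users: users known to use VS Code legitimately; their
    first-party sign-ins alone are not alerted, but a device registration
    shortly after one still is.
    """
    alerts = []
    first_party_signins = {}  # user -> list of successful first-party sign-in times

    # Pass 1: successful sign-ins through the first-party client.
    for ev in events:
        if (ev["type"] == "signin" and ev["result"] == "success"
                and ev["appDisplayName"] == FIRST_PARTY_CLIENT):
            first_party_signins.setdefault(ev["user"], []).append(ev["_t"])
            if ev["user"] not in baseline_users:
                alerts.append({
                    "severity": "medium", "user": ev["user"],
                    "reason": f"first-party {FIRST_PARTY_CLIENT} sign-in from {ev['ip']} "
                              f"by a user with no history of using that client",
                })

    # Pass 2: device registrations, ranked by whether a first-party
    # sign-in preceded them inside the window.
    for ev in events:
        if ev["type"] != "audit" or ev["activity"] != DEVICE_REGISTRATION:
            continue
        prior = [t for t in first_party_signins.get(ev["user"], [])
                 if timedelta(0) <= ev["_t"] - t <= window]
        if prior:
            minutes = int((ev["_t"] - max(prior)).total_seconds() // 60)
            alerts.append({
                "severity": "high", "user": ev["user"],
                "reason": f"device {ev['deviceName']} registered {minutes} min after a "
                          f"first-party {FIRST_PARTY_CLIENT} sign-in",
            })
        else:
            alerts.append({
                "severity": "low", "user": ev["user"],
                "reason": f"new device {ev['deviceName']} registered; review per device-audit advice",
            })
    return alerts


if __name__ == "__main__":
    for alert in find_suspicious(parse_events(SAMPLE_LOG), baseline_users={"dev@example.org"}):
        print(f"[{alert['severity'].upper():6}] {alert['user']}: {alert['reason']}")
```

On the constructed sample, the analyst account produces a medium alert for the unexpected first-party sign-in and a high alert for the device registered eight minutes later, while the developer in the baseline set produces nothing and carol’s registration surfaces only as a low-severity review item. The baseline set is the knob that keeps legitimate VS Code users from drowning the queue; the device-registration correlation is what separates the UTA0355 pattern from ordinary first-party client use.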
