Full Report
Russia-linked phishing attacks targeting NGOs with ties to Ukraine ask victims to join a video call and result in the attackers gaining access to the victims' Microsoft 365 accounts.
Analysis Summary
# Threat Actor: UTA0352 and UTA0355
## Attribution & Identity
Attributed by Volexity to Russia-linked actors.
Associated with previous activity targeting Microsoft Device Code Authentication in February 2025. Volexity does not explicitly link them to known Russian APT groups.
## Activity Summary
Currently engaged in highly targeted social engineering operations aimed at compromising Microsoft 365 environments through OAuth token abuse. The activity was first noticed in March. The actors are building new methods to trick users into granting access to M365 accounts.
## Tactics, Techniques & Procedures
- Highly targeted social engineering over messaging apps (Signal, WhatsApp).
- Luring victims to click on bogus video-call URLs designed to generate an OAuth code.
- Requesting that the victim send this OAuth code back to the attacker.
- Abusing the OAuth protocol to capture access tokens for M365 accounts.
- Potentially leveraging Microsoft Device Code Authentication (observed in a prior, related campaign).
## Targeting
- Sectors: Nongovernmental Organizations (NGOs), think tanks, human rights groups.
- Geography: Organizations with ties to Ukraine (specific geographical base of targets not specified).
- Victims: Staff members at NGOs that support human rights and have expertise related to Ukraine.
## Tools & Infrastructure
- Malware families used: Not explicitly detailed; the activity centers on abusing OAuth workflows.
- Infrastructure (C2, domains, IPs): Bogus video-call URLs used to shepherd victims through the OAuth code generation/submission process.
## Implications
These actors pose a significant threat to NGOs involved in sensitive areas like human rights and Ukraine conflict support. Their focus on M365 through advanced social engineering and protocol abuse (OAuth, Device Code Auth) presents a sophisticated, evolving challenge that bypasses traditional password-based defenses.
## Mitigations
- Organizations should train users to be highly vigilant regarding unsolicited contact, especially when arriving via secure messaging apps.
- Users must be instructed not to click on links or open attachments provided through unexpected contact, particularly when it involves requests related to video calls or security confirmation.
- Implement robust monitoring and control over OAuth application authorizations within the M365 environment.
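The last mitigation is the one a SOC can actually automate. The following is an added example, not part of the Volexity report or any Microsoft tooling: it runs three simple rules over a constructed, simplified newline-delimited JSON log (field names such as `type`, `protocol`, `activity` and `scopes` are assumptions standing in for the corresponding Entra ID sign-in and audit fields, and the user names, IPs and app names are made up). The rules flag device-code sign-ins, consent grants that include high-risk delegated permissions, and a sign-in from outside the organization's known egress addresses by a user who just granted such consent, which is the sequence the TTPs above describe.

```python
"""Added detection sketch for OAuth-consent and device-code abuse in M365 logs.

The log schema below is a constructed, simplified stand-in for Entra ID
sign-in and audit records; adapt the field names to your real export.
Events are assumed to be in chronological order.
"""
import json
from dataclasses import dataclass

# Constructed sample records (not real telemetry). Field names are assumptions.
SAMPLE_LOG = """
{"type":"signIn","user":"a.borys@ngo.example","protocol":"deviceCode","ip":"198.51.100.23","app":"Microsoft Office"}
{"type":"signIn","user":"a.borys@ngo.example","protocol":"browser","ip":"203.0.113.10","app":"Outlook Web"}
{"type":"audit","activity":"Consent to application","user":"k.tymoshenko@ngo.example","app":"Video Call Helper","scopes":"Mail.Read offline_access"}
{"type":"audit","activity":"Consent to application","user":"admin@ngo.example","app":"Approved Backup","scopes":"Files.Read"}
{"type":"signIn","user":"k.tymoshenko@ngo.example","protocol":"authorizationCode","ip":"198.51.100.23","app":"Video Call Helper"}
"""

# Constructed: the organization's own egress addresses.
KNOWN_GOOD_IPS = {"203.0.113.10"}

# Delegated permissions whose grant to an unknown app warrants review
# (offline_access yields refresh tokens, i.e. persistent access).
HIGH_RISK_SCOPES = {"offline_access", "Mail.Read", "Mail.ReadWrite", "Files.ReadWrite.All"}


@dataclass(frozen=True)
class Alert:
    rule: str
    user: str
    detail: str


def parse_events(raw: str) -> list[dict]:
    """Parse newline-delimited JSON, skipping blank lines."""
    return [json.loads(line) for line in raw.splitlines() if line.strip()]


def detect(events: list[dict], known_good_ips=KNOWN_GOOD_IPS,
           risky_scopes=HIGH_RISK_SCOPES) -> list[Alert]:
    """Apply three rules and return alerts in the order they fire."""
    alerts: list[Alert] = []
    consented_users: set[str] = set()  # users who granted a risky consent earlier in the log

    for ev in events:
        user = ev.get("user", "?")
        kind = ev.get("type")

        # Rule 1: device-code sign-ins are rare for ordinary users; always surface them.
        if kind == "signIn" and ev.get("protocol") == "deviceCode":
            alerts.append(Alert("device_code_signin", user,
                                f"device-code sign-in from {ev.get('ip')} to {ev.get('app')}"))

        # Rule 2: consent grants that include high-risk delegated permissions.
        if kind == "audit" and ev.get("activity") == "Consent to application":
            risky = set(ev.get("scopes", "").split()) & risky_scopes
            if risky:
                alerts.append(Alert("risky_consent", user,
                                    f"{ev.get('app')} granted {' '.join(sorted(risky))}"))
                consented_users.add(user)

        # Rule 3: a sign-in from an unfamiliar address by a user who just granted
        # risky consent matches the "victim hands over code, attacker redeems it" pattern.
        if kind == "signIn" and user in consented_users and ev.get("ip") not in known_good_ips:
            alerts.append(Alert("consent_then_foreign_signin", user,
                                f"sign-in from {ev.get('ip')} via {ev.get('protocol')} after risky consent"))
    return alerts


if __name__ == "__main__":
    for a in detect(parse_events(SAMPLE_LOG)):
        print(f"[{a.rule}] {a.user}: {a.detail}")
```

Rule 3 only correlates within a single pass over the log, so in production you would key the consent state by user and retain it for a bounded window; the point of the sketch is that consent events and subsequent sign-ins must be read together, since neither alone looks unusual.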