Full Report
KEY TAKEAWAYS
* Since early March 2025, Volexity has observed multiple Russian threat actors aggressively targeting individuals and organizations with ties to Ukraine and human rights.
* These recent attacks use a new technique aimed at abusing legitimate Microsoft OAuth 2.0 authentication workflows.
* The attackers impersonate officials from various European nations.
* Both Signal and WhatsApp are used to contact targets, inviting them to join or register for private meetings with various European national political officials or for upcoming events.
* Some of the social engineering campaigns seek to fool victims into clicking links hosted on Microsoft 365 infrastructure.
* The primary tactic observed is the attacker asking the victim to supply a Microsoft authorization code, which grants the attacker account access that is then used to join attacker-controlled devices to Entra ID (previously Azure AD) and to download emails and other account-related data.

Since early March 2025, Volexity has observed multiple suspected Russian threat actors conducting highly targeted […]

The post Phishing for Codes: Russian Threat Actors Target Microsoft 365 OAuth Workflows appeared first on Volexity.
Analysis Summary
# Threat Actor: UTA0352 and UTA0355 (Suspected Russian Threat Actors)
## Attribution & Identity
* **Attribution:** Suspected multiple Russian threat actors.
* **Aliases/Groups:** Volexity is tracking at least two distinct actors: **UTA0352** and **UTA0355**. They may overlap with actors observed conducting Device Code Authentication phishing campaigns in January and February 2025.
## Activity Summary
Since early March 2025, these actors have been conducting highly targeted social engineering operations against individuals and organizations with ties to Ukraine and human rights. The primary goal is gaining access to Microsoft 365 (M365) accounts by abusing legitimate Microsoft OAuth 2.0 Authentication workflows.
The general campaign flow involves:
1. Contacting the victim via Signal or WhatsApp, impersonating European political officials or ambassadors, and inviting them to private meetings concerning the conflict in Ukraine.
2. Sending an OAuth phishing URL, claimed to be necessary to join the meeting, hosted on legitimate Microsoft 365 infrastructure (e.g., `login.microsoftonline.com`).
3. Convincing the victim to click the link and subsequently return the Microsoft-generated authorization code to the attacker.
4. Using the code to generate an access token for M365 account access.
**Specific UTA0355 Activity:** This actor specifically requested access to the Device Registration Service during the initial login, enabling them to register a new device in the victim's Entra ID. They later engineered a situation where the victim approved a Two-Factor Authentication (2FA) request (purportedly to access a SharePoint instance) to bypass security requirements and gain access to email data the next day.
## Tactics, Techniques & Procedures
* **Social Engineering:** Impersonating European national political officials/ambassadors to schedule meetings regarding Ukraine.
* **Phishing/Web Deception:** Using OAuth phishing URLs pointing to legitimate Microsoft login portals (`login.microsoftonline.com`).
* **Authentication Abuse:** Abusing legitimate **Microsoft OAuth 2.0 Authentication workflows** (authorization-code based), distinct from the Device Code Authentication abuse seen in earlier campaigns.
* **Code Harvesting:** Requesting victims to return a Microsoft-generated authorization code (from the URI or redirect page) to the attacker.
* **Device Registration (UTA0355):** Requesting access to the **Device Registration Service** during the OAuth flow to join a new device (`DESKTOP-[redacted]`) to the victim's Entra ID.
* **Privilege Escalation (UTA0355):** Using the registered device and subsequent actions (guided by the ROADTools framework documentation) to create an access token with full Microsoft Graph API permissions.
* **2FA Evasion/Bypass (UTA0355):** Prompting victims to approve a 2FA request under false pretenses (e.g., accessing a SharePoint instance) to facilitate email access.
## Targeting
* **Sectors:** NGOs supporting human rights, particularly those with expertise related to Ukraine.
* **Geography:** No specific region beyond the victims' own locations is named; attacker login activity was routed through a proxy network geolocated to the victim's location, so source IP geography alone did not stand out.
* **Victims:** Staff members of NGOs supporting human rights expertise on Ukraine issues.
## Tools & Infrastructure
* **Malware Families Used:** None explicitly mentioned as deployed malware payloads; focus is on native OAuth abuse.
* **Infrastructure:**
* Communication via **Signal** and **WhatsApp**.
* Phishing URLs pointing to official Microsoft infrastructure, such as **login.microsoftonline.com**.
* **ROADTools** project mentioned as a tool used by researchers to replicate UTA0355's post-token actions.
* Utilizing a proxy network for C2/initial access, geolocated to the victim's vicinity.
## Implications
These actors have successfully pivoted from previous Device Code Authentication attacks to leveraging different first-party OAuth 2.0 workflows. Their highly personalized social engineering (impersonating diplomats) allows them to bypass generic security alerts. The UTA0355 technique demonstrates an advanced understanding of Entra ID API design flaws, allowing them to establish persistence via device registration and escalate privileges beyond the initial requested scope, ultimately leading to full email data exfiltration.
## Mitigations
* **Vigilance on Messaging Apps:** Increased scrutiny of unsolicited contact via Signal or WhatsApp, especially when messages involve scheduling meetings with high-level officials or require immediate authentication steps.
* **OAuth Code Handling:** Train users that legitimate security workflows *never* require them to manually copy and paste a Microsoft-generated authorization code back to a conversational partner.
* **Monitor Device Registration:** Audit Entra ID/Azure AD logs for unexpected device registrations occurring immediately following external interactions.
* **2FA Approval Scrutiny:** Educate users to critically verify the context of any 2FA prompt that appears, especially if initiated shortly after clicking a link sent via a messaging app.
* **Monitor for Graph API Abuse:** Monitor for anomalous access patterns related to Microsoft Graph API usage or bulk email download tied to newly registered devices.
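To make the two monitoring items above concrete, here is an added example (not code from the Volexity report) that correlates constructed Entra ID-style sign-in, audit and Graph-activity records and flags the UTA0355 chain: a sign-in that obtained a token for the Device Registration Service, a device registration shortly afterwards, then bulk mail access from that new device. The simplified record shape, the `Register device` activity name, the `DESKTOP-PLACEHOLDER` device name and the thresholds are assumptions for the example.

```python
# Added detection example; record fields are a simplified, assumed log shape.
from datetime import datetime, timedelta

# Constructed sample telemetry for one user (not real data).
EVENTS = [
    {"time": "2025-03-10T09:02:00Z", "kind": "signin", "user": "analyst@example.org",
     "resource": "Device Registration Service", "ip": "203.0.113.7"},
    {"time": "2025-03-10T09:05:00Z", "kind": "audit", "user": "analyst@example.org",
     "activity": "Register device", "device": "DESKTOP-PLACEHOLDER"},
    {"time": "2025-03-11T08:40:00Z", "kind": "signin", "user": "analyst@example.org",
     "resource": "Microsoft Graph", "ip": "203.0.113.9", "device": "DESKTOP-PLACEHOLDER"},
    {"time": "2025-03-11T08:41:00Z", "kind": "graph", "user": "analyst@example.org",
     "device": "DESKTOP-PLACEHOLDER", "op": "mail.read", "count": 1200},
]

def parse(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")

def detect(events, reg_window=timedelta(minutes=30), mail_threshold=500):
    """Return alert strings for: DRS token sign-in -> device registered within
    reg_window -> bulk mail access (>= mail_threshold items) from that device."""
    alerts = []
    by_user = {}
    for e in sorted(events, key=lambda e: e["time"]):
        by_user.setdefault(e["user"], []).append(e)
    for user, evs in by_user.items():
        # Sign-ins where the token was issued for the Device Registration Service.
        drs = [parse(e["time"]) for e in evs
               if e["kind"] == "signin" and e.get("resource") == "Device Registration Service"]
        regs = [e for e in evs if e["kind"] == "audit" and e.get("activity") == "Register device"]
        for reg in regs:
            t = parse(reg["time"])
            if not any(timedelta(0) <= t - s <= reg_window for s in drs):
                continue  # registration not preceded by a DRS sign-in: ignore here
            dev = reg["device"]
            alerts.append(f"{user}: device {dev} registered at {reg['time']} "
                          f"within {reg_window} of a Device Registration Service sign-in")
            # Any later bulk mailbox read from the newly registered device.
            for g in evs:
                if (g["kind"] == "graph" and g.get("device") == dev and g.get("op") == "mail.read"
                        and parse(g["time"]) > t and g.get("count", 0) >= mail_threshold):
                    alerts.append(f"{user}: {g['count']} mail items read from new device {dev} "
                                  f"at {g['time']} ({g.get('ip', 'n/a')})")
    return alerts

if __name__ == "__main__":
    for a in detect(EVENTS):
        print(a)
```

In production the same correlation would be run over Entra ID sign-in logs (resource and device fields), directory audit logs (device registration) and Graph activity or mailbox audit data, keyed on the device identity rather than the display name.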