Russian Hackers Spoof European Events in Targeted Phishing Attacks

Russian threat actors are running a new wave of phishing campaigns that spoof major European security events to quietly steal cloud credentials.

Invitations that look legitimate, often tied to conferences such as the Belgrade Security Conference or the Brussels Indo-Pacific Dialogue, direct targets to polished registration sites that mimic real organizers.

Behind this professional surface, the attackers route users into malicious Microsoft 365 and Google account flows designed to grant long‑term access to email and files.

Volexity security analysts identified the campaigns as linked to the Russian group tracked as UTA0355, which has steadily refined its use of OAuth and Device Code abuse in 2025.

The group does not send obviously malicious links at first. Instead, it builds trust over email and WhatsApp or Signal chats, then shifts victims into a “registration” flow that looks like routine single sign‑on.

Invitation email (Source: Volexity)

In many cases, even the sending accounts and messenger IDs are themselves compromised identities from real policy or academic networks.

Once a target clicks through, the fake conference sites, such as bsc2025[.]org or brussels-indo-pacific-forum[.]org, prompt for “corporate email” and then hand off to Microsoft login pages that appear genuine.

The key trick is that OAuth tokens and device codes are captured out of the browser URL and reused by the attackers.

In some cases, users are asked to paste the full URL back into chat under the pretext of “finalizing registration.”

After a successful phish, the technical behavior of the intrusion is quiet but methodical. UTA0355 often registers a new device in Microsoft Entra ID, reusing the victim’s real device name to blend into asset inventories.

Phishing Operations

Access then comes from proxy nodes, sometimes with Android user‑agent strings that do not match the victim’s actual hardware, making careful log review essential.

Website impersonating the BIPD (Source: Volexity)

A simple detection rule can flag this mismatch in many SIEM platforms. In Microsoft Sentinel, the SigninLogs table exposes the device fields inside the dynamic DeviceDetail column:

SigninLogs
| where tostring(DeviceDetail.operatingSystem) startswith "Android"
| where tostring(DeviceDetail.displayName) has "iPhone"

This same concept can be translated into Python-based log triage:

def flag_if_mismatch(session_id, ua, device_name):
    # Android user-agent on a session whose registered device name says iPhone
    if "Android" in ua and "iPhone" in device_name:
        flag_suspicious(session_id)
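The following is an added example, not code from the article or from Volexity, that turns the two observations above (an Android OS reported on a session whose device name belongs to an iPhone, and a newly registered Entra device reusing a victim's existing device name) into a small triage script. It assumes sign-in records shaped like Entra ID SigninLogs (DeviceDetail.operatingSystem, DeviceDetail.displayName) and a device inventory with DeviceId and DisplayName fields; the sample records are constructed, and the table of OS-versus-name contradictions generalises the article's single Android/iPhone rule and is an assumption, not a vendor-supplied list.

```python
import json

# Constructed sample sign-in events in the shape of Entra ID SigninLogs
# (DeviceDetail.operatingSystem / DeviceDetail.displayName). All values are invented.
SAMPLE_SIGNINS = [
    {"SessionId": "s-1", "UserPrincipalName": "analyst@example.org",
     "DeviceDetail": {"operatingSystem": "Ios 17", "displayName": "iPhone-Analyst"},
     "IPAddress": "198.51.100.10"},
    {"SessionId": "s-2", "UserPrincipalName": "analyst@example.org",
     "DeviceDetail": {"operatingSystem": "Android 14", "displayName": "iPhone-Analyst"},
     "IPAddress": "203.0.113.77"},
    {"SessionId": "s-3", "UserPrincipalName": "fellow@example.org",
     "DeviceDetail": {"operatingSystem": "Windows 11", "displayName": "DESKTOP-FELLOW"},
     "IPAddress": "198.51.100.11"},
    {"SessionId": "s-4", "UserPrincipalName": "fellow@example.org",
     "DeviceDetail": {"operatingSystem": "Android 13", "displayName": "DESKTOP-FELLOW"},
     "IPAddress": "203.0.113.78"},
]

# Constructed device inventory: one legitimate device plus a newly registered
# device that reuses the same display name to blend in.
SAMPLE_DEVICES = [
    {"DeviceId": "d-100", "DisplayName": "iPhone-Analyst", "Registered": "2024-03-01", "OperatingSystem": "iOS"},
    {"DeviceId": "d-207", "DisplayName": "iPhone-Analyst", "Registered": "2025-11-20", "OperatingSystem": "Android"},
    {"DeviceId": "d-101", "DisplayName": "DESKTOP-FELLOW", "Registered": "2024-05-12", "OperatingSystem": "Windows"},
]

# Device-name keywords that should not appear on a session reporting a given OS.
# This generalises the article's Android-vs-iPhone rule; the mapping is an assumption.
INCOMPATIBLE_NAME_HINTS = {
    "android": ("iphone", "ipad", "macbook", "desktop-", "surface"),
    "ios": ("desktop-", "macbook", "pixel", "galaxy"),
    "windows": ("iphone", "ipad", "macbook", "pixel", "galaxy"),
}


def os_name_mismatch(event):
    """Return the conflicting keyword when the reported OS contradicts the device name, else None."""
    detail = event.get("DeviceDetail") or {}
    os_name = str(detail.get("operatingSystem", "")).lower()
    display = str(detail.get("displayName", "")).lower()
    for os_prefix, hints in INCOMPATIBLE_NAME_HINTS.items():
        if os_name.startswith(os_prefix):
            for hint in hints:
                if hint in display:
                    return hint
    return None


def duplicate_device_names(devices):
    """Map each display name registered under more than one DeviceId to the list of those IDs."""
    by_name = {}
    for dev in devices:
        by_name.setdefault(dev["DisplayName"], []).append(dev["DeviceId"])
    return {name: ids for name, ids in by_name.items() if len(ids) > 1}


def triage(events, devices):
    """Return findings: OS/device-name mismatches on sign-ins, then duplicate device registrations."""
    findings = []
    for ev in events:
        hint = os_name_mismatch(ev)
        if hint:
            findings.append({"type": "os_device_mismatch", "session": ev["SessionId"],
                             "user": ev["UserPrincipalName"],
                             "os": ev["DeviceDetail"]["operatingSystem"],
                             "device": ev["DeviceDetail"]["displayName"],
                             "ip": ev["IPAddress"], "conflict": hint})
    for name, ids in duplicate_device_names(devices).items():
        findings.append({"type": "duplicate_device_name", "device": name, "device_ids": ids})
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_SIGNINS, SAMPLE_DEVICES):
        print(json.dumps(finding))
```

Run against the constructed input, the script flags sessions s-2 and s-4 (Android OS on sessions whose device names say iPhone and DESKTOP) and the duplicate registration of "iPhone-Analyst" under two device IDs; in practice the same functions would be fed exported SigninLogs and device-inventory records, and a duplicate display name whose newer entry reports a different OS than the original is the combination worth reviewing first.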

A complete technical breakdown shows that the true “malware” here is not a traditional binary but a weaponized OAuth and Device Code workflow.

The payload is the consent and tokens that users hand over, which give attackers API-level access to mailboxes, files, and identity data while staying largely invisible to endpoint tools.
