Russian Hackers Exploit Microsoft OAuth 2.0 to Target Organizations
Cybersecurity firm Volexity has tracked a series of highly targeted attacks by suspected Russian threat actors, identified as UTA0352 and UTA0355.
These actors abuse Microsoft 365 (M365) OAuth 2.0 authentication workflows to compromise the accounts of individuals at non-governmental organizations (NGOs), think tanks, and human rights groups, particularly those focused on Ukraine.
Sophisticated Social Engineering Tactics Unveiled
These campaigns, following earlier Device Code Authentication phishing attacks reported in February 2025, showcase a shift to more intricate social engineering methods.
The attackers engage victims through one-on-one interactions on messaging platforms like Signal and WhatsApp, impersonating European political officials or using compromised Ukrainian government accounts to build trust.

Their goal is to trick targets into clicking malicious OAuth URLs and sharing Microsoft-generated authorization codes, granting attackers access to sensitive M365 resources like email data via the Microsoft Graph API.
Abusing Legitimate Microsoft Workflows
The technical sophistication of these attacks lies in their abuse of legitimate Microsoft OAuth 2.0 workflows, avoiding attacker-hosted infrastructure entirely.
UTA0352 leverages URLs pointing to first-party Microsoft applications like Visual Studio Code, using client IDs such as aebc6443-996d-45c2-90f0-388ff96faa56 to request default access rights and redirect users to domains like insiders.vscode.dev or vscode-redirect.azurewebsites.net.
Once authenticated, victims are prompted to share OAuth authorization codes visible in browser URLs or dialog boxes that can be exchanged for access tokens valid for up to 60 days.
Meanwhile, UTA0355 takes a more insidious approach by using stolen codes to register new devices to victims’ Microsoft Entra ID, later socially engineering targets to approve two-factor authentication (2FA) requests for full email access.
This multi-stage tactic, often initiated through emails from compromised accounts followed by real-time messaging, exploits trust in Microsoft’s official login portals like login.microsoftonline.com, making detection challenging.
Volexity notes that post-compromise activities, such as email downloads, are masked by Microsoft IP addresses in logs, complicating traditional security analysis that relies on ClientIPAddress fields.
These attacks highlight a persistent threat to organizations, especially those tied to Ukraine, as Russian actors continuously adapt to bypass security controls.
Volexity recommends alerting on specific OAuth login patterns, such as Visual Studio Code client IDs paired with Microsoft Graph access, and monitoring for newly registered devices tied to low-reputation IPs.
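As an added illustration of the two detection recommendations above (this is example code written for this page, not Volexity's or Microsoft's own tooling), the script below runs both rules over constructed sample records and correlates them per user. The record layout (appId, resourceDisplayName, ipAddress, activityDisplayName) follows the general shape of Microsoft Entra ID sign-in and audit log exports, but the exact field names are an assumption and should be mapped to your own export; the low-reputation network list is a placeholder to be fed from threat intelligence.

```python
"""Added example: detection logic for the OAuth-code phishing pattern above.

Field names follow the general shape of Entra ID sign-in / audit logs but are
an assumption for this example. All records below are constructed sample data.
"""
import ipaddress
from datetime import datetime, timedelta

# Visual Studio Code client ID named in the Volexity report.
VSCODE_CLIENT_ID = "aebc6443-996d-45c2-90f0-388ff96faa56"
GRAPH_RESOURCE = "Microsoft Graph"

# Placeholder low-reputation ranges (constructed; replace with your intel feed).
LOW_REPUTATION_NETS = [ipaddress.ip_network("203.0.113.0/24")]

# Constructed sign-in records resembling Entra ID sign-in log fields.
SIGNINS = [
    {"userPrincipalName": "analyst@example.org", "appId": VSCODE_CLIENT_ID,
     "appDisplayName": "Visual Studio Code", "resourceDisplayName": GRAPH_RESOURCE,
     "ipAddress": "198.51.100.7", "createdDateTime": "2025-04-10T09:12:00Z"},
    {"userPrincipalName": "analyst@example.org", "appId": "00000000-constructed-app",
     "appDisplayName": "Outlook Web", "resourceDisplayName": GRAPH_RESOURCE,
     "ipAddress": "192.0.2.10", "createdDateTime": "2025-04-10T10:00:00Z"},
    # VS Code talking to a non-Graph resource: normal developer use, not flagged.
    {"userPrincipalName": "dev@example.org", "appId": VSCODE_CLIENT_ID,
     "appDisplayName": "Visual Studio Code", "resourceDisplayName": "Azure DevOps",
     "ipAddress": "192.0.2.11", "createdDateTime": "2025-04-10T11:30:00Z"},
]

# Constructed audit records resembling Entra ID device-registration events.
DEVICE_AUDITS = [
    {"userPrincipalName": "analyst@example.org", "activityDisplayName": "Register device",
     "ipAddress": "203.0.113.45", "createdDateTime": "2025-04-12T14:03:00Z"},
    {"userPrincipalName": "dev@example.org", "activityDisplayName": "Register device",
     "ipAddress": "192.0.2.11", "createdDateTime": "2025-04-12T15:00:00Z"},
]


def parse_ts(value: str) -> datetime:
    """Parse the ISO-8601 'Z' timestamps used in the sample records."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def flag_oauth_signins(signins):
    """Rule 1: first-party VS Code client ID obtaining a Microsoft Graph token.

    The rule keys on the app/resource pairing rather than on ipAddress, because
    the report notes that post-compromise Graph activity is logged from
    Microsoft IP addresses and so cannot be caught by IP alone.
    """
    return [
        {"user": r["userPrincipalName"], "time": parse_ts(r["createdDateTime"]),
         "reason": "VS Code client ID requested Microsoft Graph access"}
        for r in signins
        if r["appId"] == VSCODE_CLIENT_ID and r["resourceDisplayName"] == GRAPH_RESOURCE
    ]


def flag_device_registrations(audits, nets=LOW_REPUTATION_NETS):
    """Rule 2: new device registered from a low-reputation IP address."""
    alerts = []
    for r in audits:
        if r["activityDisplayName"] != "Register device":
            continue
        ip = ipaddress.ip_address(r["ipAddress"])
        if any(ip in net for net in nets):
            alerts.append({"user": r["userPrincipalName"],
                           "time": parse_ts(r["createdDateTime"]),
                           "reason": f"device registered from low-reputation IP {ip}"})
    return alerts


def correlate(signin_alerts, device_alerts, window=timedelta(days=7)):
    """Users with a flagged OAuth sign-in followed, within `window`, by a
    flagged device registration: the two-stage pattern attributed to UTA0355."""
    users = set()
    for d in device_alerts:
        for s in signin_alerts:
            delta = (d["time"] - s["time"]).total_seconds()
            if s["user"] == d["user"] and 0 <= delta <= window.total_seconds():
                users.add(s["user"])
    return users


if __name__ == "__main__":
    s_alerts = flag_oauth_signins(SIGNINS)
    d_alerts = flag_device_registrations(DEVICE_AUDITS)
    for a in s_alerts + d_alerts:
        print(f"{a['time'].isoformat()} {a['user']}: {a['reason']}")
    print("high-priority users:", correlate(s_alerts, d_alerts))
```

Rule 1 deliberately ignores the source IP, so legitimate developers who use Visual Studio Code against Microsoft Graph will appear in its output; treat it as a triage signal and let the correlation step with device registrations raise priority. Tune the window and the low-reputation feed to your environment.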
Educating users about unsolicited contacts on secure messaging apps and the risks of sharing codes or URLs from browser address bars is critical.
As these campaigns rely solely on Microsoft’s infrastructure and pre-consented first-party apps, traditional blocking methods like conditional access policies face limitations, underscoring the need for heightened vigilance and tailored security awareness training to counter such evolving threats.