Sunday, May 25, 2025
Russian Hackers Exploit Microsoft OAuth 2.0 to Target Organizations

Cybersecurity firm Volexity has tracked a series of highly targeted attacks by suspected Russian threat actors, tracked as UTA0352 and UTA0355.

The attacks abuse Microsoft 365 (M365) OAuth 2.0 authentication workflows to compromise the accounts of individuals at non-governmental organizations (NGOs), think tanks, and human rights groups, particularly those focused on Ukraine.

Sophisticated Social Engineering Tactics Unveiled

These campaigns, following earlier Device Code Authentication phishing attacks reported in February 2025, showcase a shift to more intricate social engineering methods.

The attackers engage victims through one-on-one interactions on messaging platforms like Signal and WhatsApp, impersonating European political officials or using compromised Ukrainian government accounts to build trust.

[Figure: overall workflow followed by the attacker]

Their goal is to trick targets into clicking attacker-crafted OAuth URLs and sharing the Microsoft-generated authorization codes that result, granting attackers access to sensitive M365 resources such as email data via the Microsoft Graph API.

Abusing Legitimate Microsoft Workflows

The technical sophistication of these attacks lies in their abuse of legitimate Microsoft OAuth 2.0 workflows, avoiding attacker-hosted infrastructure entirely.

UTA0352 leverages URLs pointing to first-party Microsoft applications like Visual Studio Code, using client IDs such as aebc6443-996d-45c2-90f0-388ff96faa56 to request default access rights and redirect users to domains like insiders.vscode.dev or vscode-redirect.azurewebsites.net.

Once the victim has authenticated, they are prompted to share the OAuth authorization code, which appears in the browser's URL or in a dialog box; the attacker exchanges that code for access tokens valid for up to 60 days.

Meanwhile, UTA0355 takes a more insidious approach: it uses stolen codes to register new devices in victims’ Microsoft Entra ID tenants, then socially engineers the targets into approving two-factor authentication (2FA) requests that grant full email access.

This multi-stage tactic, often initiated through emails from compromised accounts followed by real-time messaging, exploits trust in Microsoft’s official login portals like login.microsoftonline.com, making detection challenging.

Volexity notes that post-compromise activities, such as email downloads, appear in logs as originating from Microsoft IP addresses, which complicates traditional security analysis that relies on ClientIPAddress fields.

These attacks highlight a persistent threat to organizations, especially those tied to Ukraine, as Russian actors continuously adapt to bypass security controls.

Volexity recommends alerting on specific OAuth login patterns, such as Visual Studio Code client IDs paired with Microsoft Graph access, and monitoring for newly registered devices tied to low-reputation IPs.
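The two detections recommended above, expressed as a small triage script over sign-in records. This is an added example and not Volexity's or Microsoft's code; the JSON field names are an assumption made to resemble an Entra ID sign-in log export, the log lines and the trusted network range are constructed, and a trusted-CIDR allowlist stands in for the IP-reputation lookup the report describes. Only the Visual Studio Code client ID is taken from the article.

```python
import ipaddress
import json

# Client ID of the first-party Visual Studio Code application named in the report.
VSCODE_CLIENT_ID = "aebc6443-996d-45c2-90f0-388ff96faa56"

# Constructed sample sign-in records. Field names are assumed to resemble an
# Entra ID sign-in log export; they are not copied from any real tenant.
SAMPLE_LOG = """\
{"user": "alice@example.org", "appId": "aebc6443-996d-45c2-90f0-388ff96faa56", "resourceDisplayName": "Microsoft Graph", "ipAddress": "203.0.113.10", "deviceRegistered": false}
{"user": "bob@example.org", "appId": "aebc6443-996d-45c2-90f0-388ff96faa56", "resourceDisplayName": "Azure DevOps", "ipAddress": "198.51.100.5", "deviceRegistered": false}
{"user": "carol@example.org", "appId": "constructed-other-app-id", "resourceDisplayName": "Microsoft Graph", "ipAddress": "203.0.113.22", "deviceRegistered": true}
{"user": "alice@example.org", "appId": "constructed-other-app-id", "resourceDisplayName": "Device Registration Service", "ipAddress": "192.0.2.77", "deviceRegistered": true}
"""


def parse_records(text):
    """Parse one JSON object per line, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def is_vscode_to_graph(rec):
    """Pattern 1 from the report: the VS Code client ID obtaining a Microsoft Graph token."""
    return rec.get("appId") == VSCODE_CLIENT_ID and rec.get("resourceDisplayName") == "Microsoft Graph"


def is_untrusted_device_registration(rec, trusted_nets):
    """Pattern 2: a device registration whose source IP lies outside the trusted ranges."""
    if not rec.get("deviceRegistered"):
        return False
    ip = ipaddress.ip_address(rec["ipAddress"])
    return not any(ip in net for net in trusted_nets)


def triage(text, trusted_cidrs):
    """Return (user, reason) pairs for every record that matches either pattern."""
    trusted_nets = [ipaddress.ip_network(c) for c in trusted_cidrs]
    findings = []
    for rec in parse_records(text):
        if is_vscode_to_graph(rec):
            findings.append((rec["user"], "vscode-client-to-graph"))
        if is_untrusted_device_registration(rec, trusted_nets):
            findings.append((rec["user"], "device-registration-from-untrusted-ip"))
    return findings


if __name__ == "__main__":
    # Constructed trusted range standing in for the organisation's known egress addresses.
    for user, reason in triage(SAMPLE_LOG, ["203.0.113.0/24"]):
        print(f"ALERT {reason}: {user}")
```

Bob's VS Code sign-in to a non-Graph resource and Carol's registration from a trusted address are deliberately left unflagged, so the rules fire only on the combination the report calls out.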

Educating users about unsolicited contacts on secure messaging apps and the risks of sharing codes or URLs from browser address bars is critical.

As these campaigns rely solely on Microsoft’s infrastructure and pre-consented first-party apps, traditional blocking methods like conditional access policies face limitations, underscoring the need for heightened vigilance and tailored security awareness training to counter such evolving threats.

Aman Mishra
Aman Mishra is a security and privacy reporter covering data breaches, cybercrime, malware, and vulnerabilities.