Cyber Security News

Russian Hackers Exploit Microsoft OAuth 2.0 to Target Organizations

Cybersecurity firm Volexity has tracked a series of highly targeted attacks by two suspected Russian threat actors, which it identifies as UTA0352 and UTA0355.

The campaigns abuse Microsoft 365 (M365) OAuth 2.0 authentication workflows to compromise the accounts of individuals at non-governmental organizations (NGOs), think tanks, and human rights groups, particularly those focused on Ukraine.

Sophisticated Social Engineering Tactics Unveiled

These campaigns, following earlier Device Code Authentication phishing attacks reported in February 2025, showcase a shift to more intricate social engineering methods.

The attackers engage victims through one-on-one interactions on messaging platforms like Signal and WhatsApp, impersonating European political officials or using compromised Ukrainian government accounts to build trust.

[Figure: overall workflow followed by the attacker]

Their goal is to trick targets into clicking malicious OAuth URLs and sharing Microsoft-generated authorization codes, granting attackers access to sensitive M365 resources like email data via the Microsoft Graph API.

Abusing Legitimate Microsoft Workflows

The technical sophistication of these attacks lies in their abuse of legitimate Microsoft OAuth 2.0 workflows, avoiding attacker-hosted infrastructure entirely.

UTA0352 sends URLs that point at first-party Microsoft applications such as Visual Studio Code, using client IDs such as aebc6443-996d-45c2-90f0-388ff96faa56 to request the application's default permissions and redirecting users to Microsoft-controlled domains such as insiders.vscode.dev or vscode-redirect.azurewebsites.net.

Once the victim has authenticated, the attacker asks them to share the OAuth authorization code, which appears in the browser's address bar or in a dialog box on the redirect page. The attacker exchanges that code for an access token valid for up to 60 days.
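The danger of such a link is not in its hosts, which are all Microsoft's, but in the combination of request parameters. The following triage helper is an added example written for this article (it is not Volexity's or Microsoft's code). It assumes the lure is an ordinary Entra authorize URL on login.microsoftonline.com and inspects the parameters that turn it into a code-phishing lure. The client ID and redirect hosts are the ones quoted above; the two sample URLs are constructed to follow that pattern and are not captured lures.

```python
"""Triage of a suspected OAuth authorization-code phishing URL (added example).

Assumptions: the lure is a standard Entra authorize URL
(login.microsoftonline.com/<tenant>/oauth2/v2.0/authorize?...). The first-party client ID
and redirect hosts are those quoted in the article; the sample URLs are constructed.
"""
from urllib.parse import urlparse, parse_qs

# First-party client ID quoted in the article (Visual Studio Code).
FIRST_PARTY_CLIENT_IDS = {"aebc6443-996d-45c2-90f0-388ff96faa56": "Visual Studio Code"}
# Redirect hosts quoted in the article; the authorization code is shown to the user there.
CODE_DISPLAY_HOSTS = {"insiders.vscode.dev", "vscode-redirect.azurewebsites.net"}
GRAPH_PREFIX = "https://graph.microsoft.com/"


def triage_oauth_url(url: str) -> dict:
    """Explain which parameters of a Microsoft authorize URL make it an OAuth code-phishing lure.

    Returns the parsed client app (if first-party), a list of findings and a verdict:
    'high' when a user-visible code is requested for a first-party app that lands on a
    code-display host or targets Microsoft Graph, 'medium' for a partial match, else 'low'.
    """
    parsed = urlparse(url)
    params = {k: v[0] for k, v in parse_qs(parsed.query).items()}
    result = {"is_microsoft_authorize_url": False, "client_app": None, "findings": [], "verdict": "low"}

    # Only the genuine Microsoft authorize endpoint is in scope for this check.
    if parsed.hostname != "login.microsoftonline.com" or "/oauth2/" not in parsed.path \
            or not parsed.path.endswith("/authorize"):
        return result
    result["is_microsoft_authorize_url"] = True

    client_id = params.get("client_id", "")
    redirect_host = urlparse(params.get("redirect_uri", "")).hostname
    scopes = params.get("scope", "").split()

    code_flow = params.get("response_type") == "code"
    first_party = client_id in FIRST_PARTY_CLIENT_IDS
    code_display = redirect_host in CODE_DISPLAY_HOSTS
    graph_scope = any(s.startswith(GRAPH_PREFIX) for s in scopes)

    if code_flow:
        result["findings"].append("response_type=code: a one-time authorization code is issued that the user can read and paste")
    if first_party:
        result["client_app"] = FIRST_PARTY_CLIENT_IDS[client_id]
        result["findings"].append(f"client_id is first-party app '{result['client_app']}': pre-consented, so no consent prompt or third-party app block applies")
    if code_display:
        result["findings"].append(f"redirect_uri host {redirect_host} is Microsoft-controlled and displays the code, so no attacker infrastructure is needed")
    if graph_scope:
        result["findings"].append("scope targets Microsoft Graph, so the exchanged token can read mail and files")
    if "offline_access" in scopes:
        # General OAuth 2.0 / OIDC semantics, not specific to this campaign.
        result["findings"].append("offline_access requested: the exchange also returns a refresh token for long-lived access")

    if code_flow and first_party and (code_display or graph_scope):
        result["verdict"] = "high"
    elif code_flow and (first_party or code_display or graph_scope):
        result["verdict"] = "medium"
    return result


# Constructed lure following the pattern the article describes (not a captured sample).
LURE_URL = (
    "https://login.microsoftonline.com/common/oauth2/v2.0/authorize"
    "?client_id=aebc6443-996d-45c2-90f0-388ff96faa56&response_type=code"
    "&redirect_uri=https%3A%2F%2Finsiders.vscode.dev%2Fredirect"
    "&scope=https%3A%2F%2Fgraph.microsoft.com%2F.default%20offline_access&state=constructed"
)
# Constructed benign comparison: a third-party app asking for OpenID sign-in only.
BENIGN_URL = (
    "https://login.microsoftonline.com/common/oauth2/v2.0/authorize"
    "?client_id=11111111-2222-3333-4444-555555555555&response_type=code"
    "&redirect_uri=https%3A%2F%2Fapp.example.org%2Fcallback&scope=openid%20profile&state=constructed"
)

if __name__ == "__main__":
    for url in (LURE_URL, BENIGN_URL):
        report = triage_oauth_url(url)
        print(report["verdict"], report["client_app"])
        for finding in report["findings"]:
            print("  -", finding)
```

Because every host in the lure is Microsoft's, URL reputation and domain blocklists give no signal; the only place to catch the lure before the code is shared is in the parameters, or in the user's decision not to paste a code they were asked for over Signal or WhatsApp.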

Meanwhile, UTA0355 takes a more insidious approach: it uses the stolen code to register a new device in the victim's Microsoft Entra ID tenant, then socially engineers the target into approving a two-factor authentication (2FA) request, which gives the attacker full access to the mailbox.

This multi-stage tactic, often initiated with email from compromised accounts and followed by real-time messaging, exploits the trust users place in Microsoft's official login portals such as login.microsoftonline.com, making detection challenging.

Volexity notes that post-compromise activity such as email downloads is recorded in logs with Microsoft IP addresses, so analysis that relies on the ClientIPAddress field alone cannot distinguish it from legitimate access.

These attacks highlight a persistent threat to organizations, especially those tied to Ukraine, as Russian actors continuously adapt to bypass security controls.

Volexity recommends alerting on specific OAuth sign-in patterns, such as the Visual Studio Code client ID obtaining a token for Microsoft Graph, and monitoring for newly registered devices associated with low-reputation IP addresses.

Educating users about unsolicited contact on secure messaging apps, and about the risk of sharing codes or URLs copied from the browser address bar, is critical.

Because these campaigns rely solely on Microsoft's infrastructure and on pre-consented first-party apps, traditional blocking controls such as conditional access policies have limited effect, which underscores the need for heightened vigilance and tailored security awareness training to counter such evolving threats.
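The two detections Volexity recommends can be expressed as rules over exported Entra ID logs. The following is an added example written for this article (not Volexity's or Microsoft's code). It assumes sign-in and audit events exported as JSON objects with the field names used by the Graph reporting API (appId, resourceId, ipAddress, userPrincipalName, activityDisplayName, initiatedBy, targetResources), takes "Add device" as the audit activity name for a device registration, and uses a constructed low-reputation IP list; in production that list would come from a reputation feed. All log lines are constructed for illustration.

```python
"""Detection rules for the OAuth abuse patterns described in the article (added example).

Assumptions: Entra ID sign-in and audit logs exported as JSON lines using Graph reporting
API field names; "Add device" as the device-registration audit activity; a constructed
low-reputation IP set (documentation range). None of the log lines are real.
"""
import json

VSCODE_CLIENT_ID = "aebc6443-996d-45c2-90f0-388ff96faa56"      # Visual Studio Code, quoted in the article
MS_GRAPH_RESOURCE_ID = "00000003-0000-0000-c000-000000000000"  # Microsoft Graph service principal appId
LOW_REPUTATION_IPS = {"203.0.113.45"}                           # constructed; a reputation feed in practice

# Constructed sign-in events: a VS Code sign-in to Graph from a known corporate address,
# a second one from a low-reputation address, and an unrelated app sign-in.
SIGNIN_LOGS = """
{"createdDateTime":"2025-04-20T09:12:03Z","userPrincipalName":"analyst@ngo.example","appId":"aebc6443-996d-45c2-90f0-388ff96faa56","appDisplayName":"Visual Studio Code","resourceId":"00000003-0000-0000-c000-000000000000","resourceDisplayName":"Microsoft Graph","ipAddress":"198.51.100.10"}
{"createdDateTime":"2025-04-20T14:48:51Z","userPrincipalName":"director@ngo.example","appId":"aebc6443-996d-45c2-90f0-388ff96faa56","appDisplayName":"Visual Studio Code","resourceId":"00000003-0000-0000-c000-000000000000","resourceDisplayName":"Microsoft Graph","ipAddress":"203.0.113.45"}
{"createdDateTime":"2025-04-20T15:01:19Z","userPrincipalName":"director@ngo.example","appId":"11111111-2222-3333-4444-555555555555","appDisplayName":"Constructed LOB app","resourceId":"22222222-3333-4444-5555-666666666666","resourceDisplayName":"Constructed API","ipAddress":"198.51.100.10"}
""".strip()

# Constructed audit events: a device registered minutes after the suspicious sign-in above,
# and a routine registration from the corporate address.
DEVICE_AUDIT_LOGS = """
{"activityDateTime":"2025-04-20T14:52:30Z","activityDisplayName":"Add device","initiatedBy":{"user":{"userPrincipalName":"director@ngo.example","ipAddress":"203.0.113.45"}},"targetResources":[{"displayName":"DESKTOP-7F3K2","type":"Device"}]}
{"activityDateTime":"2025-04-20T10:15:00Z","activityDisplayName":"Add device","initiatedBy":{"user":{"userPrincipalName":"analyst@ngo.example","ipAddress":"198.51.100.10"}},"targetResources":[{"displayName":"LAPTOP-ANALYST","type":"Device"}]}
""".strip()


def parse_jsonl(text: str) -> list:
    """One JSON object per non-empty line."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def vscode_to_graph_signins(records: list, known_ips: frozenset) -> list:
    """Rule 1: the Visual Studio Code client ID obtaining a token for Microsoft Graph.

    Every match deserves a look; a match from a low-reputation address or from outside the
    organisation's known egress addresses is raised to high severity.
    """
    alerts = []
    for r in records:
        if r.get("appId") != VSCODE_CLIENT_ID or r.get("resourceId") != MS_GRAPH_RESOURCE_ID:
            continue
        ip = r.get("ipAddress")
        severity = "high" if (ip in LOW_REPUTATION_IPS or ip not in known_ips) else "medium"
        alerts.append({"rule": "vscode-client-to-graph", "user": r.get("userPrincipalName"),
                       "ip": ip, "time": r.get("createdDateTime"), "severity": severity})
    return alerts


def suspicious_device_registrations(records: list) -> list:
    """Rule 2: a new device registered from a low-reputation address."""
    alerts = []
    for r in records:
        if r.get("activityDisplayName") != "Add device":
            continue
        actor = r.get("initiatedBy", {}).get("user", {})
        if actor.get("ipAddress") in LOW_REPUTATION_IPS:
            devices = [t.get("displayName") for t in r.get("targetResources", []) if t.get("type") == "Device"]
            alerts.append({"rule": "device-registration-low-rep-ip", "user": actor.get("userPrincipalName"),
                           "ip": actor.get("ipAddress"), "time": r.get("activityDateTime"), "devices": devices})
    return alerts


def correlate(signin_alerts: list, device_alerts: list) -> list:
    """A high-severity Graph sign-in followed by a device registration for the same user is the
    two-step sequence the article attributes to UTA0355."""
    flagged_users = {a["user"] for a in signin_alerts if a["severity"] == "high"}
    return [d for d in device_alerts if d["user"] in flagged_users]


def run_detections(signin_text: str = SIGNIN_LOGS, audit_text: str = DEVICE_AUDIT_LOGS,
                   known_ips: frozenset = frozenset({"198.51.100.10"})) -> dict:
    signins = vscode_to_graph_signins(parse_jsonl(signin_text), known_ips)
    devices = suspicious_device_registrations(parse_jsonl(audit_text))
    return {"signin_alerts": signins, "device_alerts": devices, "correlated": correlate(signins, devices)}


if __name__ == "__main__":
    print(json.dumps(run_detections(), indent=2))
```

The rules run on the sign-in and audit logs rather than on mailbox audit records because, as noted above, the mailbox activity itself carries Microsoft addresses in ClientIPAddress; the point at which a non-Microsoft address is most likely to appear is the sign-in that redeems the code and the device registration that follows it.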


Aman Mishra

Aman Mishra is a security and privacy reporter covering data breaches, cybercrime, malware, and vulnerabilities.
