Russian Hackers Weaponize Microsoft OAuth Against Ukraine Allies
Since early March 2025, suspected Russian hacking groups have been abusing legitimate Microsoft OAuth 2.0 authorization flows to target individuals and organizations connected to Ukraine and human rights work. No software flaw is involved: the attackers talk victims into handing over a valid Microsoft-issued authorization code and redeem it for access to the victim's Microsoft 365 account, in what security researchers describe as an "aggressive" campaign.

Since early March 2025, multiple suspected Russian hacking groups have been "aggressively" targeting individuals and organizations connected to Ukraine and human rights. Their goal? To break into Microsoft 365 accounts.
According to security firm Volexity, these are not run-of-the-mill attacks. They rely on highly targeted, interactive social engineering and mark a shift away from the device code phishing seen in earlier campaigns, a sign that these adversaries keep refining their tradecraft.
"These attacks rely heavily on direct interaction with the target," explained security researchers Charlie Gardner, Josh Duke, Matthew Meltzer, Sean Koessel, Steven Adair, and Tom Lancaster in their detailed analysis. "The hackers need to convince the victim to click a link and then send back a Microsoft-generated code."
At least two separate groups, dubbed UTA0352 and UTA0355, are believed to be behind these attacks. It's also possible they could be linked to other known groups like APT29, UTA0304, and UTA0307.
So, what's new about these attacks? They abuse legitimate Microsoft OAuth 2.0 authorization workflows rather than exploiting any flaw in them. The hackers impersonate officials from European nations and, in at least one instance, used a compromised Ukrainian government account to trick victims into handing over a Microsoft-generated OAuth authorization code. Redeemed for tokens, that code gives the attackers access to the victim's account.
They're using messaging apps like Signal and WhatsApp to contact targets, inviting them to video calls or private meetings with European political figures, or for events related to Ukraine. The goal is to get victims to click links hosted on Microsoft 365 infrastructure.
"If the target responded, the conversation quickly moved to scheduling a meeting," Volexity noted. "As the meeting time approached, the supposed official would contact them again with instructions on how to join."
These instructions usually come in the form of a document, followed by a link to join the meeting. The catch: the URLs lead to the genuine Microsoft 365 login portal, so nothing about the domain looks suspicious.
The links start a standard OAuth 2.0 authorization-code flow on behalf of a Microsoft first-party application. Once the victim signs in, Microsoft issues a short-lived authorization code and redirects the browser to that application's registered redirect URI, so the code ends up in the URL or on the landing page. The attack then comes down to talking the victim into sharing that code.
In the main variant the authenticated user lands on the in-browser version of Visual Studio Code at insiders.vscode[.]dev, which displays the code on the page. If the victim passes it on, UTA0352 redeems it at Microsoft's token endpoint for an access token, granting access to the victim's M365 account.
Volexity also found an earlier version of the campaign that used "vscode-redirect.azurewebsites[.]net" as the redirect target, which in turn forwarded the browser to a loopback address (127.0.0.1).
"Instead of showing a user interface with the Authorization Code, the code is only available in the URL," the researchers explained. "This results in a blank page. The attacker then has to ask the user to share the URL to get the code."
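The two lure variants differ only in where the authorization code surfaces: on a page at insiders.vscode[.]dev, or in the address bar of a blank loopback page. The helper below, an added example for this article and not Volexity's tooling, is the kind of triage check a SOC analyst can run over a link a user was sent or a URL a user was asked to read back: it recognises a Microsoft authorize request, reports the client and redirect target, and detects a leaked `code=` parameter so it can be treated as a credential. The Visual Studio Code client ID, the `login.microsoftonline.com` host, and the sample URLs are assumptions supplied here, not identifiers taken from the article.

```python
"""Triage helper for Microsoft OAuth 2.0 authorize lures and leaked
authorization codes. Added example; not code from the article or from
Volexity. Assumed values are marked as such in comments."""
from urllib.parse import urlparse, parse_qs

# Host of the genuine Microsoft identity platform login page.
MS_LOGIN_HOSTS = {"login.microsoftonline.com"}

# First-party app whose redirect targets matter here. The client ID is the
# publicly documented one for Visual Studio Code (assumed, not from the article).
KNOWN_FIRST_PARTY = {
    "aebc6443-996d-45c2-90f0-388ff96faa56": "Visual Studio Code",
}

# Redirect targets matching the variants described above; localhost/127.0.0.1
# covers the earlier vscode-redirect.azurewebsites.net hop to a loopback page.
SUSPECT_REDIRECT_HOSTS = ("vscode.dev", "azurewebsites.net", "localhost", "127.0.0.1")


def _host_matches(host, suffixes):
    host = (host or "").lower()
    return any(host == s or host.endswith("." + s) for s in suffixes)


def _first_values(qs):
    return {k: v[0] for k, v in parse_qs(qs).items()}


def classify_oauth_url(url):
    """Describe a URL from an OAuth point of view.

    kind is one of: authorize_request (a login link that will hand the
    browser a code), redirect_with_code (a post-login URL already carrying
    the code) or other.
    """
    u = urlparse(url)
    query = _first_values(u.query)
    fragment = _first_values(u.fragment)  # response_mode=fragment puts code here
    result = {"kind": "other", "client_id": None, "app": None,
              "redirect_host": None, "leaked_code": None, "flags": []}

    if (u.hostname or "") in MS_LOGIN_HOSTS and u.path.rstrip("/").endswith("/authorize"):
        result["kind"] = "authorize_request"
        cid = query.get("client_id")
        result["client_id"] = cid
        result["app"] = KNOWN_FIRST_PARTY.get(cid, "unknown")
        redirect = urlparse(query.get("redirect_uri", ""))
        result["redirect_host"] = redirect.hostname
        if _host_matches(redirect.hostname, SUSPECT_REDIRECT_HOSTS):
            result["flags"].append("redirect to code-displaying or loopback target")
        if cid in KNOWN_FIRST_PARTY:
            result["flags"].append("first-party client: no consent prompt will appear")
        return result

    code = query.get("code") or fragment.get("code")
    if code:
        result["kind"] = "redirect_with_code"
        result["redirect_host"] = u.hostname
        result["leaked_code"] = code[:8] + "..."  # never log the full code
        result["flags"].append("authorization code present: treat as a credential")
        if _host_matches(u.hostname, ("127.0.0.1", "localhost")):
            result["flags"].append("loopback redirect: blank page, code only in URL")
    return result
```

Note that the authorize request itself is entirely legitimate; the flags say "this link will produce a code the user must never share", not "this link is malicious". If a user has already pasted a `redirect_with_code` URL into a chat, treat the code as a compromised secret, revoke the user's sessions and refresh tokens, and review device registrations for that account.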
Another social engineering attack, spotted in early April 2025, involved UTA0355 using a compromised Ukrainian government email account to send spear-phishing emails. This was followed by messages on Signal and WhatsApp.
These messages invited targets to a video conference about Ukraine's efforts in investigating and prosecuting "atrocity crimes" and the country's collaboration with international partners. The end goal matches UTA0352's, but there is a key difference in what the stolen code is used for.
The hackers still abuse the Microsoft 365 authentication API, but the stolen OAuth code, once exchanged for tokens, is used to register a new device in the victim's Microsoft Entra ID (formerly Azure Active Directory) tenant, giving the attackers a persistent foothold that survives the original session.
The attackers then launch a second round of social engineering to get the target to approve a two-factor authentication prompt, which completes the account takeover.
"UTA0355 requested that the victim approve a two-factor authentication (2FA) request to 'gain access to a SharePoint instance associated with the conference,'" Volexity said. "This was needed to bypass extra security measures put in place by the victim's organization, in order to access their email."
What makes the activity hard to spot is that the login, the email access, and the device registration are all routed through proxy networks whose exit addresses match the victim's geography, so location-based anomaly detection has little to work with.
So, what can be done? Organizations should audit newly registered devices (who registered them, when, and what sign-in preceded the registration), train users that unsolicited meeting invitations over messaging apps and any request to read back a code or URL are red flags, and implement conditional access policies that limit access to organizational resources to approved or compliant devices. Because no attacker-controlled application is involved, consent-phishing defences alone will not catch this.
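The UTA0355 chain described above (a first-party app sign-in, then a new device joining the tenant for the same user) is visible in the tenant's own logs even when the source IP looks local. The hunt below is an added example for this article, not Volexity's or Microsoft's code: it correlates sign-ins to pre-consented first-party apps with device registration audit events for the same user inside a time window. The log records are constructed, and the field names follow the Microsoft Graph `signIn` and `directoryAudit` schemas as assumed here, trimmed to what the logic needs; the app and activity names in the watch lists are assumptions to tune for your tenant.

```python
"""Hunt for first-party-app sign-in followed by device registration.
Added example; not code from the article, Volexity or Microsoft. Sample
records below are constructed; field names assume the Microsoft Graph
signIn / directoryAudit schemas."""
from datetime import datetime, timedelta

WATCHED_APPS = {"Visual Studio Code"}  # first-party, already consented (assumed list)
DEVICE_REG_ACTIVITIES = {"Add device", "Add registered owner to device"}  # assumed names


def _ts(value):
    # Graph timestamps are ISO 8601 with a trailing Z.
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def find_code_to_device_chains(signins, audits, window_hours=24):
    """Return one alert per (watched-app sign-in, device registration) pair
    for the same user where the registration follows the sign-in within the window."""
    regs_by_user = {}
    for event in audits:
        if event.get("activityDisplayName") not in DEVICE_REG_ACTIVITIES:
            continue
        actor = (event.get("initiatedBy", {}).get("user") or {}).get("userPrincipalName")
        if actor:
            regs_by_user.setdefault(actor.lower(), []).append(event)

    window = timedelta(hours=window_hours)
    alerts = []
    for signin in signins:
        if signin.get("appDisplayName") not in WATCHED_APPS:
            continue
        if signin.get("status", {}).get("errorCode", 0) != 0:
            continue  # failed sign-in: no code was issued or redeemed
        upn = signin["userPrincipalName"].lower()
        t0 = _ts(signin["createdDateTime"])
        for event in regs_by_user.get(upn, []):
            t1 = _ts(event["activityDateTime"])
            if t0 <= t1 <= t0 + window:
                target = (event.get("targetResources") or [{}])[0]
                alerts.append({
                    "user": upn,
                    "signin_app": signin["appDisplayName"],
                    "signin_time": signin["createdDateTime"],
                    "signin_ip": signin.get("ipAddress"),  # kept for the analyst; not scored
                    "device": target.get("displayName"),
                    "device_id": target.get("id"),
                    "minutes_to_registration": round((t1 - t0).total_seconds() / 60),
                })
    return alerts


# Constructed sample data (not real log lines).
SAMPLE_SIGNINS = [
    {"userPrincipalName": "a.kovalenko@example.org", "appDisplayName": "Visual Studio Code",
     "createdDateTime": "2025-04-02T09:14:03Z", "ipAddress": "203.0.113.44",
     "status": {"errorCode": 0}},
    {"userPrincipalName": "a.kovalenko@example.org", "appDisplayName": "Office 365 Exchange Online",
     "createdDateTime": "2025-04-02T11:02:51Z", "ipAddress": "203.0.113.44",
     "status": {"errorCode": 0}},
    # A developer who genuinely uses VS Code; no device registration follows.
    {"userPrincipalName": "m.dubois@example.org", "appDisplayName": "Visual Studio Code",
     "createdDateTime": "2025-04-01T08:00:00Z", "ipAddress": "198.51.100.7",
     "status": {"errorCode": 0}},
]
SAMPLE_AUDITS = [
    {"activityDisplayName": "Add device", "activityDateTime": "2025-04-02T09:41:20Z",
     "initiatedBy": {"user": {"userPrincipalName": "a.kovalenko@example.org"}},
     "targetResources": [{"id": "7f0c2e5a-3b1d-4c8e-9a6f-1d2e3f4a5b6c", "displayName": "DESKTOP-K3Q9"}]},
    {"activityDisplayName": "Update user", "activityDateTime": "2025-04-02T09:50:00Z",
     "initiatedBy": {"user": {"userPrincipalName": "a.kovalenko@example.org"}},
     "targetResources": []},
]


def demo():
    return find_code_to_device_chains(SAMPLE_SIGNINS, SAMPLE_AUDITS)


if __name__ == "__main__":
    for alert in demo():
        print(alert)
```

The source IP is deliberately not part of the scoring: the article notes the attackers proxy through addresses matching the victim's location, so the signal is the sequence of events, not where they came from. In tenants with many developers a bare "Visual Studio Code" sign-in is noisy; baseline which users normally use that app and alert on first-time use, and extend `WATCHED_APPS` to the other first-party clients your tenant never sees.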
"These recent campaigns benefit from all user interactions taking place on Microsoft's official infrastructure; there is no attacker-hosted infrastructure used in these attacks," the company added.
"Also, these attacks don't involve malicious OAuth applications that require the user to grant access. The use of Microsoft first-party applications that already have consent granted makes prevention and detection of this technique very difficult."