
Russian Cyber Actors Exploit Microsoft OAuth To Breach Ukraine-Linked Organisations
Russian-linked cyber operatives have been leveraging legitimate Microsoft OAuth 2.0 authentication processes to compromise Microsoft 365 accounts of individuals and organisations associated with Ukraine and human rights advocacy. Cybersecurity firm Volexity has been monitoring this activity since early March 2025, identifying two threat clusters, UTA0352 and UTA0355, as the primary actors behind these campaigns.
The attackers initiate contact by impersonating European political officials, reaching out to targets via encrypted messaging platforms like WhatsApp and Signal. They invite recipients to participate in private meetings or discussions related to Ukraine, providing links that redirect to legitimate Microsoft login portals. Upon authentication, users are directed to an in-browser version of Visual Studio Code, where Microsoft OAuth codes are displayed. Believing these codes are necessary to join the meeting, victims inadvertently share them with the attackers.
These authorization codes, valid for up to 60 days, grant the threat actors access to the victims' Microsoft 365 accounts. In some instances, the attackers use the codes to register new devices to the victims' Microsoft Entra ID, enabling persistent access to emails and other sensitive data. The attackers further complicate detection by routing login activities through proxy networks that match the victims' geographical locations.
In one notable case, UTA0355 utilized a compromised Ukrainian government email account to send spear-phishing emails, followed by messages on Signal and WhatsApp. These communications invited targets to join a video conference related to Ukraine's efforts in prosecuting atrocity crimes. The attackers then asked the victims to approve a two-factor authentication request, ostensibly to access a SharePoint instance associated with the conference, thereby bypassing additional security measures.
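For defenders, the chain described above (a sign-in that lands on Visual Studio Code, followed by a new device registered to the same account) can be hunted for by correlating the two events per user. The sketch below is an added example, not code from Volexity or Microsoft: the event records are constructed, the field names are hypothetical rather than the real Entra ID log schema, and the 60-day window simply reuses the validity period the article states.

```python
from datetime import datetime, timedelta

# Constructed, simplified events. Field names are hypothetical and are NOT
# the real Entra ID sign-in or audit log schema.
EVENTS = [
    {"time": "2025-03-10T09:00:00", "user": "alice@example.org",
     "type": "signin", "app": "Office 365 Exchange Online"},
    {"time": "2025-03-11T14:02:00", "user": "alice@example.org",
     "type": "signin", "app": "Visual Studio Code"},
    {"time": "2025-03-11T14:20:00", "user": "alice@example.org",
     "type": "device_registered", "device": "DESKTOP-CONSTRUCTED1"},
    {"time": "2025-03-12T08:00:00", "user": "bob@example.org",
     "type": "device_registered", "device": "LAPTOP-CONSTRUCTED2"},
    {"time": "2025-01-05T10:00:00", "user": "carol@example.org",
     "type": "signin", "app": "Visual Studio Code"},
    {"time": "2025-03-20T10:00:00", "user": "carol@example.org",
     "type": "device_registered", "device": "LAPTOP-CONSTRUCTED3"},
]

WATCHED_APP = "Visual Studio Code"   # application named in the article
WINDOW = timedelta(days=60)          # validity period stated in the article


def find_suspect_registrations(events, window=WINDOW,
                               known_vscode_users=frozenset()):
    """Return (user, device, signin_time, registration_time) for every device
    registration that follows a watched-app sign-in by the same user within
    `window`. Users in `known_vscode_users` (for example developers who use
    the app routinely) are skipped to reduce noise."""
    last_signin = {}
    findings = []
    # ISO-8601 timestamps in one format sort correctly as strings.
    for ev in sorted(events, key=lambda e: e["time"]):
        when = datetime.fromisoformat(ev["time"])
        user = ev["user"]
        if ev["type"] == "signin" and ev.get("app") == WATCHED_APP:
            if user not in known_vscode_users:
                last_signin[user] = when
        elif ev["type"] == "device_registered":
            seen = last_signin.get(user)
            if seen is not None and when - seen <= window:
                findings.append((user, ev["device"], seen, when))
    return findings


if __name__ == "__main__":
    for user, device, signin, reg in find_suspect_registrations(EVENTS):
        print(f"{user}: {device} registered {reg - signin} after {WATCHED_APP} sign-in")
```

Because the article notes that logins are routed through proxies matching the victim's location, this correlation deliberately ignores source IP and geography and keys only on the sequence of events per account.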