Russian hackers abuse Microsoft OAuth to target Ukrainian allies via Signal and WhatsApp

7 Min Read

Several suspected Russia-linked threat actors have been “actively” targeting individuals and organizations with ties to Ukraine and human rights since early March 2025, with the aim of gaining unauthorized access to Microsoft 365 accounts.

The highly targeted social engineering operations mark a shift from previously documented attacks, which used a technique known as device code phishing to the same end, and indicate that the Russian adversaries behind these campaigns are actively refining their tradecraft to stay under the radar.

“Threat actors have to persuade the target to click on the link and send back the Microsoft-generated code, so these recently observed attacks rely heavily on one-on-one interaction with the target,” security researchers Charlie Gardner, Josh Duke, Matthew Meltzer, Sean Cossel, Stephen Adair and Tom Lancaster said in their exclusive analysis.

At least two distinct threat clusters, tracked as UTA0352 and UTA0355, are assessed to be behind the attacks, though a connection to APT29, UTA0304, and UTA0307 has not been ruled out.

The latest set of attacks is characterized by new techniques aimed at abusing legitimate Microsoft OAuth 2.0 authentication workflows. The threat actors pose as officials from various European countries, and in at least one case used a compromised Ukrainian government account, to trick victims into handing over Microsoft-generated OAuth codes that let the attackers take control of their accounts.

Messaging apps such as Signal and WhatsApp are used to contact targets and invite them to join video calls, register for private meetings with various European political officials, and sign up for upcoming events, mostly concerning Ukraine. These efforts attempt to dupe the victim into clicking a link hosted on Microsoft 365 infrastructure.


“If the target responds to a message, the conversation quickly advances towards actually scheduling the agreed time of the meeting,” Volexity says. “As the agreed meeting time approaches, European political officials will be contacted again and share instructions on how to participate in the meeting.”


The instructions take the form of a document, after which the supposed official sends the target a link to join the meeting. All of these URLs redirect to the official Microsoft 365 login portal.

Specifically, the link is crafted to redirect to an official Microsoft URL and generate a Microsoft authorization token in the process, which is displayed either as part of the URI or in the body of the redirected page. The attack then attempts to trick the victim into sharing that code with the threat actors.

This is achieved by redirecting authenticated users to the in-browser version of Visual Studio Code Insiders. If the victim shares the OAuth code, UTA0352 can then exchange it for an access token that grants access to the victim’s M365 account.

Volexity said it also observed earlier iterations of the campaign redirecting users to the site “vscode-redirect.azurewebsites(.)Net.”


“When this happens, instead of presenting a user interface with the authentication code, the code is only available in the URL,” the researchers explained. “This generates a blank page when rendered in the user’s browser. The attacker must request that the user share the URL from the browser in order for the attacker to retrieve the code.”

Another social engineering attack, identified in early April 2025, allegedly involved UTA0355, which used an already compromised Ukrainian government email account to send spear-phishing emails to targets, followed by messages on Signal and WhatsApp.


These messages invited targets to video conferences relating to Ukraine’s efforts to investigate and prosecute “atrocity crimes” in collaboration with international partners. The ultimate goal of the activity is the same as UTA0352’s, but there are important differences.

As in the other cases, the threat actors misuse legitimate Microsoft 365 authentication APIs to access the victim’s email data. Here, however, the stolen OAuth authorization code is used to permanently register a new device with the victim’s Microsoft Entra ID (formerly Azure Active Directory).

In the next phase, the attacker stages a second round of social engineering to convince the target to approve a two-factor authentication request, completing the account hijack.

“In this interaction, UTA0355 requested that the victim approve a two-factor authentication (2FA) request to ‘get access to the SharePoint instance associated with the meeting,’” Volexity said. “This was necessary to bypass the additional security requirements introduced by the victim’s organization in order to access email.”

What makes the attack particularly effective is that login activity, email access, and device registrations are routed through proxy networks geolocated near the victim, further complicating detection efforts.

To detect and mitigate these attacks, organizations are encouraged to implement conditional access policies that audit newly registered devices, educate users about the risks of unsolicited contact on messaging platforms, and restrict access to organizational resources to authorized or managed devices only.
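As an added illustration, not part of Volexity’s report or this article, the following Python sketch shows the kind of correlation an audit of newly registered devices could perform: a sign-in through a first-party client such as Visual Studio Code, followed shortly by a device registration for the same user. The event field names and sample records are constructed and simplified; real Entra ID sign-in and audit logs use their own schema.

```python
import json
from datetime import datetime, timedelta

# Constructed sample events (not real telemetry). Field names are a simplified,
# hypothetical rendering of Entra ID sign-in and audit log entries.
SAMPLE_EVENTS = """
{"ts": "2025-04-02T09:00:00Z", "type": "signin", "user": "analyst@example.org", "app": "Visual Studio Code", "ip": "203.0.113.10"}
{"ts": "2025-04-02T09:06:00Z", "type": "device_registered", "user": "analyst@example.org", "device": "DESKTOP-NEW01", "ip": "203.0.113.10"}
{"ts": "2025-04-02T09:20:00Z", "type": "signin", "user": "analyst@example.org", "app": "Office 365 Exchange Online", "device": "DESKTOP-NEW01", "ip": "203.0.113.10"}
{"ts": "2025-04-02T10:00:00Z", "type": "signin", "user": "clerk@example.org", "app": "Visual Studio Code", "ip": "198.51.100.7"}
{"ts": "2025-04-03T08:00:00Z", "type": "device_registered", "user": "clerk@example.org", "device": "LAPTOP-IT", "ip": "198.51.100.7"}
"""

# First-party clients whose interactive sign-ins precede the abuse described above.
WATCHED_APPS = {"Visual Studio Code"}
WINDOW = timedelta(hours=1)  # how soon after the sign-in a registration is suspicious


def parse_events(text):
    """Parse one JSON record per line and sort chronologically."""
    events = [json.loads(line) for line in text.strip().splitlines()]
    for e in events:
        e["ts"] = datetime.fromisoformat(e["ts"].replace("Z", "+00:00"))
    return sorted(events, key=lambda e: e["ts"])


def find_suspicious_registrations(events, window=WINDOW):
    """Return (user, device) pairs where a device was registered within `window`
    of a sign-in through a watched first-party app by the same user."""
    hits = []
    last_watched_signin = {}  # user -> timestamp of most recent watched-app sign-in
    for e in events:
        if e["type"] == "signin" and e.get("app") in WATCHED_APPS:
            last_watched_signin[e["user"]] = e["ts"]
        elif e["type"] == "device_registered":
            last = last_watched_signin.get(e["user"])
            if last is not None and e["ts"] - last <= window:
                hits.append((e["user"], e["device"]))
    return hits


if __name__ == "__main__":
    for user, device in find_suspicious_registrations(parse_events(SAMPLE_EVENTS)):
        print(f"review device registration: user={user} device={device}")
```

The clerk’s registration a day after an unrelated VS Code sign-in falls outside the window and is not flagged; tune the window and watched-app list to your own tenant’s baseline.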

“These recent campaigns benefit from all user interactions taking place on Microsoft’s official infrastructure. There is no attacker-hosted infrastructure used in these attacks,” the company added.

“Similarly, these attacks do not include malicious or attacker-controlled OAuth applications that explicitly grant access (and thus may be easily blocked by an organization). The use of already-accepted first-party applications from Microsoft proves that preventing and detecting this technology is quite difficult.”
