
Russian Hackers Exploit Microsoft OAuth in New Attacks


Since early March 2025, multiple Russian hacking groups have intensified efforts to compromise Microsoft 365 accounts belonging to individuals and organizations tied to Ukraine and human rights advocacy. According to a detailed analysis by cybersecurity firm Volexity, these targeted campaigns involve sophisticated social engineering and abuse of legitimate Microsoft authentication mechanisms.

The attackers—tracked as UTA0352 and UTA0355—appear to be evolving their tactics from previously used device code phishing attacks. Their new method centers on exploiting Microsoft’s OAuth 2.0 authentication process, luring victims into unwittingly handing over access credentials via manipulated yet official-looking login portals. These efforts reflect a continued refinement of their tradecraft, with a focus on bypassing traditional detection methods.

Volexity researchers Charlie Gardner, Josh Duke, Matthew Meltzer, Sean Koessel, Steven Adair, and Tom Lancaster revealed that the attacks depend heavily on personal interaction. Threat actors impersonate European political figures and use trusted messaging apps like Signal and WhatsApp to initiate contact. They invite targets to attend private video meetings or political briefings about Ukraine, then coax them into clicking links that redirect to Microsoft login portals.

The attackers use these links to trigger the OAuth authentication process. An authorization code is generated and either displayed in a browser-based Visual Studio Code page or embedded in the redirect URL. Once the victim shares that code, the attackers exchange it for a valid access token, gaining control over the user's Microsoft 365 account. In one incident, a compromised Ukrainian government account was leveraged to build trust and legitimacy.

Advanced Social Engineering and Device Registration Tactics

While UTA0352 and UTA0355 share similar objectives, UTA0355 takes the attack a step further. This group has used pre-compromised Ukrainian government email accounts to send spear-phishing emails before switching to secure messaging apps to communicate. Victims are invited to join meetings on prosecuting atrocity crimes and Ukraine's cooperation with international partners, topics chosen to appeal to specific target groups.

Once the OAuth code is stolen, UTA0355 uses it to register a new device to the victim’s Microsoft Entra ID (formerly Azure Active Directory), enabling persistent access. The hackers then initiate a second social engineering step, asking the victim to approve a two-factor authentication (2FA) prompt. They claim it’s necessary to access SharePoint resources associated with the conference, but in reality, it’s a means to fully hijack the account.

To further evade detection, the attackers route traffic through proxy servers that match the geolocation of their targets. This makes login activity appear normal and limits the effectiveness of conventional security alerts.

Organizations are urged to implement robust defenses to counter these attacks. Recommended actions include auditing newly registered devices, enforcing conditional access policies to restrict unmanaged devices, and educating employees about unsolicited contact on secure messaging platforms.
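The device-audit recommendation above can be expressed as a simple correlation rule over sign-in and audit events: a device registration that sits between an authorization-code redemption and a later MFA approval for the same user. The following is an added example, not code from the article or from Volexity; the event field names and the sample records are constructed for illustration, not Microsoft's real schema.

```python
from datetime import datetime, timedelta

# Constructed sample records loosely modelled on Entra ID sign-in/audit events.
# Field names ("type", "device", ...) are assumptions for this example, not
# Microsoft's real schema; swap in the real column names when adapting it.
SAMPLE_EVENTS = [
    {"time": "2025-03-10T09:02:00", "user": "alice@example.org",
     "type": "AuthCodeRedeemed", "ip": "203.0.113.5", "device": None},
    {"time": "2025-03-10T09:05:00", "user": "alice@example.org",
     "type": "DeviceRegistered", "ip": "203.0.113.5", "device": "DESKTOP-NEW1"},
    {"time": "2025-03-10T09:40:00", "user": "alice@example.org",
     "type": "MfaApproved", "ip": "203.0.113.5", "device": "DESKTOP-NEW1"},
    # Routine registration with no surrounding code redemption or MFA prompt.
    {"time": "2025-03-11T14:00:00", "user": "bob@example.org",
     "type": "DeviceRegistered", "ip": "198.51.100.7", "device": "BOB-LAPTOP"},
]


def _ts(event):
    return datetime.fromisoformat(event["time"])


def find_suspicious_registrations(events, window=timedelta(hours=2)):
    """Flag a DeviceRegistered event that is preceded within `window` by an
    authorization-code redemption and followed within `window` by an MFA
    approval for the same user. The rule deliberately ignores the source IP:
    the article notes the attackers proxy through the victim's own region, so
    geolocation alone looks normal and only the event sequence is anomalous."""
    by_user = {}
    for ev in sorted(events, key=_ts):
        by_user.setdefault(ev["user"], []).append(ev)

    alerts = []
    for user, evs in by_user.items():
        for reg in (e for e in evs if e["type"] == "DeviceRegistered"):
            t_reg = _ts(reg)
            code_before = any(e["type"] == "AuthCodeRedeemed"
                              and t_reg - window <= _ts(e) <= t_reg for e in evs)
            mfa_after = any(e["type"] == "MfaApproved"
                            and t_reg <= _ts(e) <= t_reg + window for e in evs)
            if code_before and mfa_after:
                alerts.append((user, reg["device"], reg["time"]))
    return alerts


if __name__ == "__main__":
    for user, device, when in find_suspicious_registrations(SAMPLE_EVENTS):
        print(f"review device {device} registered by {user} at {when}")
```

Flagged registrations should be reviewed against the user's expected devices and, where unexplained, revoked along with the session tokens issued around the same time.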

What makes these campaigns especially difficult to block is that all interactions occur within Microsoft’s legitimate infrastructure. No malicious OAuth applications are involved, and there are no external attacker-controlled servers. As a result, standard threat detection tools may not flag these activities, and traditional OAuth consent warnings are bypassed.
