Russian Cyber Threats Exploit Microsoft 365 in Ukraine Attacks

Cybersecurity experts have observed a surge in sophisticated online attacks initiated by Russia-linked threat actors targeting individuals and organizations connected to Ukraine and human rights. Since March, these cybercriminals have increased efforts to access Microsoft 365 accounts, shifting their tactics significantly. Volexity’s analysis describes advanced social engineering techniques that abuse Microsoft’s OAuth 2.0 authentication workflows.

These aggressive campaigns involve direct interactions with targets, convincing them to share Microsoft-generated authorization codes. Notable clusters, namely UTA0352 and UTA0355, have been linked to these attacks, with potential ties to other known groups. Cybercriminals often pose as European officials, employing compromised accounts to deceive victims into sharing sensitive information.

The attackers exploit messaging platforms like Signal and WhatsApp to lure targets into fake video conferences. One documented method includes prompting victims to share OAuth tokens by redirecting them to seemingly legitimate Microsoft 365 portals. This maneuver allows hackers to generate access tokens for unauthorized account entry.

UTA0355 stands out for its strategy of permanently registering new devices to victims’ Microsoft Entra ID. The campaign also includes secondary social engineering attempts to gain two-factor authentication approval, further bypassing security defenses. The attackers route their traffic through proxy networks that mimic victim locations to evade detection.

Organizations are advised to regularly audit registered devices, educate users about phishing risks, and enforce conditional access policies. Strengthening user awareness and tightening access controls are critical in mitigating these advanced persistent threats.
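One way to run the device audit recommended above, shown as an added example that is not from Volexity or the original article. The log records, inventory and IP baseline are constructed, and the field names are simplified stand-ins for an exported Entra ID audit log (an assumption, not a real export schema).

```python
from datetime import datetime, timezone

# Constructed sample data. Field names are simplified stand-ins for an
# exported Entra ID audit log (assumption, not a real export schema).
AUDIT_LOG = [
    {"time": "2025-04-02T09:14:00Z", "activity": "Register device",
     "user": "alice@example.org", "device": "ALICE-LAPTOP", "ip": "198.51.100.10"},
    {"time": "2025-04-20T16:41:00Z", "activity": "Register device",
     "user": "alice@example.org", "device": "DESKTOP-7F3K", "ip": "203.0.113.77"},
    {"time": "2025-04-21T08:02:00Z", "activity": "Update user",
     "user": "bob@example.org", "device": None, "ip": "198.51.100.22"},
    {"time": "2025-04-22T11:30:00Z", "activity": "Register device",
     "user": "bob@example.org", "device": "BOB-PHONE", "ip": "198.51.100.22"},
]
# Devices IT issued or approved, per user (hypothetical asset inventory).
INVENTORY = {"alice@example.org": {"ALICE-LAPTOP"}, "bob@example.org": {"BOB-PC"}}
# IPs each user has signed in from before (hypothetical baseline).
KNOWN_IPS = {"alice@example.org": {"198.51.100.10"}, "bob@example.org": {"198.51.100.22"}}

def parse_ts(value):
    """Parse an ISO 8601 UTC timestamp of the form used in the sample log."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def audit_device_registrations(log, inventory, known_ips, since):
    """Return registrations since `since` for devices missing from the inventory."""
    findings = []
    for event in log:
        if event["activity"] != "Register device":
            continue
        if parse_ts(event["time"]) < since:
            continue
        user, device = event["user"], event["device"]
        if device in inventory.get(user, set()):
            continue  # expected device, nothing to report
        # Country-level geolocation is deliberately not used: the campaign
        # routed through proxies near the victim, so compare exact IPs.
        new_ip = event["ip"] not in known_ips.get(user, set())
        findings.append({"user": user, "device": device, "time": event["time"],
                         "severity": "high" if new_ip else "review"})
    return findings

if __name__ == "__main__":
    since = datetime(2025, 4, 1, tzinfo=timezone.utc)
    for finding in audit_device_registrations(AUDIT_LOG, INVENTORY, KNOWN_IPS, since):
        print(finding)
```

A device that is absent from the inventory and was registered from an address the user has never signed in from is rated `high`; an unknown device from a familiar address is left for manual review.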

The rise of these complex cyberattacks underscores the necessity of continual adaptation and robust cybersecurity measures. By emphasizing user education and rigorous security policies, organizations can better defend against evolving threats.
