Cyber Security News

Hackers Exploiting Microsoft 365 OAuth Workflows to Target Organizations

Russian threat actors are running a new campaign that exploits legitimate Microsoft OAuth 2.0 authentication workflows to compromise targeted organizations.

Since early March 2025, these sophisticated attacks have primarily focused on individuals and organizations with ties to Ukraine and human rights initiatives.

Social Engineering Campaign

The attackers, tracked as UTA0352 and UTA0355, have demonstrated a concerning ability to conduct highly targeted social engineering operations aimed at gaining unauthorized access to Microsoft 365 accounts.

Unlike previous phishing attempts, these attacks utilize legitimate Microsoft infrastructure, making detection significantly more challenging.

“These recent campaigns benefit from all user interactions taking place on Microsoft’s official infrastructure; there is no attacker-hosted infrastructure used in these attacks,” Volexity researchers noted in their analysis published Tuesday.

The primary victims include non-governmental organizations supporting human rights, think tanks, and organizations providing humanitarian assistance to Ukraine.

Security experts believe these groups are being targeted due to their reduced staffing and budget constraints, making them more vulnerable to sophisticated social engineering tactics.

Attack Methodology: Abusing Trust in Microsoft Services

The attackers initiate contact through secure messaging applications like Signal and WhatsApp, impersonating officials from various European nations, including Ukraine, Bulgaria, Romania, and Poland.

In one particularly concerning case, they leveraged a compromised Ukrainian Government account to establish initial credibility with targets.

Victims receive invitations to join purported video conferences or private meetings with European political officials to discuss Ukraine-related matters. Once engaged, targets are sent malicious Microsoft login URLs that generate OAuth authorization codes when clicked.

“If the victim shares the OAuth code, the attacker is then able to generate an access token that ultimately allows access to the victim’s M365 account,” Volexity explains.

Attack Chain

What makes these attacks particularly effective is the exploitation of legitimate Microsoft authentication workflows. When victims click the provided links, they are directed to official Microsoft pages rather than obvious phishing sites.

In some instances, attackers use the stolen OAuth authorization code to permanently register new devices to the victim’s Microsoft Entra ID (formerly Azure AD), establishing persistent access to the compromised accounts.

Volexity researchers observed attackers downloading victims’ emails and accessing other sensitive account data after successfully compromising accounts.

The attackers carefully route their activities through proxy networks geolocated to match the victim’s location, further complicating detection efforts.
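The device registration for persistence and the geo-matched proxying described above suggest one detection approach: treat a device registration as suspicious when the registering IP only appeared for that user minutes earlier, and do not let a matching country clear it. The following is an added example, not code from Volexity or this article; the log records are constructed and the field names and activity label are simplifications of Entra ID sign-in and audit logs, not the real schema.

```python
from datetime import datetime, timedelta

# Constructed sample records, loosely modelled on Entra ID sign-in and audit logs.
# Field names ("user", "ts", "ip", "country", "activity") are assumptions for this example.
SIGNINS = [
    {"user": "analyst@ngo.example", "ts": "2025-03-10T08:00:00", "ip": "203.0.113.5", "country": "UA"},
    {"user": "analyst@ngo.example", "ts": "2025-03-11T08:05:00", "ip": "203.0.113.5", "country": "UA"},
    # Sign-in from a redeemed authorization code, routed through a proxy in the victim's country
    {"user": "analyst@ngo.example", "ts": "2025-03-12T14:20:00", "ip": "198.51.100.77", "country": "UA"},
]
AUDITS = [
    # Benign: user registers a device from an IP seen for days
    {"user": "analyst@ngo.example", "ts": "2025-03-11T08:30:00", "activity": "Register device", "ip": "203.0.113.5"},
    {"user": "analyst@ngo.example", "ts": "2025-03-11T09:00:00", "activity": "Update user", "ip": "203.0.113.5"},
    # Suspicious: device registered 12 minutes after the first sign-in from a new IP
    {"user": "analyst@ngo.example", "ts": "2025-03-12T14:32:00", "activity": "Register device", "ip": "198.51.100.77"},
]


def parse(ts):
    return datetime.fromisoformat(ts)


def suspicious_device_registrations(signins, audits, window=timedelta(hours=1)):
    """Return (user, ts, ip) for device registrations whose source IP has no sign-in
    history for that user older than `window`, i.e. the IP appeared and registered a
    device within the same short span. Country is deliberately ignored: the campaign
    proxies traffic to match the victim's region, so a matching geolocation proves nothing."""
    by_user = {}
    for s in sorted(signins, key=lambda s: parse(s["ts"])):
        by_user.setdefault(s["user"], []).append(s)
    hits = []
    for a in audits:
        if a["activity"] != "Register device":
            continue
        t = parse(a["ts"])
        history = by_user.get(a["user"], [])
        seen_before = {s["ip"] for s in history if parse(s["ts"]) < t - window}
        recent = [s for s in history if t - window <= parse(s["ts"]) <= t]
        if a["ip"] not in seen_before and any(s["ip"] == a["ip"] for s in recent):
            hits.append((a["user"], a["ts"], a["ip"]))
    return hits


if __name__ == "__main__":
    for hit in suspicious_device_registrations(SIGNINS, AUDITS):
        print("review device registration:", hit)
```

In practice the registration should be correlated with the sign-in's application and authentication protocol as well, since the page notes the access originates from a redeemed OAuth authorization code rather than a normal interactive session.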

Security experts recommend organizations train users to be wary of unsolicited contacts via secure messaging apps, especially those requesting code sharing or URL information.

Implementing conditional access policies restricting access to only approved devices can also help mitigate these attacks.

Volexity attributes these campaigns to Russian threat actors with “medium confidence,” noting that all messages were themed around Ukraine and targeted individuals historically of interest to Russian intelligence operations.

“This latest series of attacks marks the second time since January 2025 that Russian threat actors have utilized little-known techniques to obtain access to M365 resources,” researchers concluded.


Guru Baran

Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.
