Russian Cyberattackers Exploit OAuth 2.0 to Target NGOs and Humanitarian Organizations Using Microsoft 365

In recent weeks, cybersecurity firm Volexity has uncovered a series of sophisticated cyberattacks, attributed to Russian threat groups UTA0352 and UTA0355, that abuse Microsoft’s legitimate OAuth 2.0 authentication workflows. These cyberattacks, primarily targeting NGOs, think tanks, and human rights organizations—especially those involved in Ukrainian issues—rely on advanced social engineering to gain unauthorized access to Microsoft 365 (M365) accounts.

The threat actors have shifted from phishing attacks using device code authentication to abusing OAuth 2.0 flows tied to trusted Microsoft applications. By leveraging secure messaging platforms and impersonating legitimate officials, these attackers deceive victims into providing sensitive authorization codes. This article dives deep into the attack techniques, the challenges in detecting such sophisticated breaches, and the critical need for vigilance among organizations using M365 for their communications.

Summary

Cybersecurity firm Volexity has identified targeted campaigns from Russian-affiliated hacker groups, UTA0352 and UTA0355, using Microsoft’s OAuth 2.0 workflows to breach Microsoft 365 accounts. These attacks focus on NGOs and organizations with a strong connection to Ukraine, utilizing both technical and social engineering methods to bypass security.

The attackers primarily reach out through secure messaging apps such as Signal and WhatsApp, impersonating European political figures or NGO representatives. They invite victims to discuss sensitive topics like the Ukraine conflict and present what appears to be a legitimate Microsoft login page. When the victim authenticates, an authorization code is generated. The attackers request this code, claiming it’s needed to confirm attendance or other details. With this code, they can gain unauthorized access to the victim’s M365 account by exchanging it for an access token.

Volexity outlines two variations of the attack: one abusing the OAuth flows of Visual Studio Code and other Microsoft apps, and another abusing Entra ID’s Device Registration Service. Both techniques make it hard for victims to recognize the attack as malicious, because every step happens within Microsoft’s official environment.

In one attack variant, UTA0352 uses OAuth workflows tied to Microsoft services like Visual Studio Code. By manipulating URLs and crafting PDF instructions, they deceive users into granting access to their M365 data. This method relies on Microsoft’s infrastructure, making it even harder to detect. The attacker can obtain long-term access, as the authorization code remains valid for up to 60 days, allowing them to access sensitive user data.

The second campaign attributed to UTA0355 involves the use of compromised Ukrainian government email accounts to begin the attack. The goal here is to register a new device within the victim’s Azure AD environment, making it possible for attackers to bypass multi-factor authentication (MFA) and retain persistent access to the organization’s network.

Both attack types take advantage of the legitimate OAuth 2.0 flow and Microsoft’s trusted applications, which complicates detection and prevention for both individuals and security teams. The malicious actions are masked by the use of official Microsoft pages, and the attackers rely on victims unknowingly sending authentication codes via secure messaging apps.

These attacks present serious challenges in detection. Volexity advises organizations to watch for suspicious login activity, particularly involving Visual Studio Code client IDs, and to monitor for any new device registration events within Entra ID. They also recommend educating users on the risks of sharing authentication codes or URLs, even when they appear to come from secure platforms.
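The two detection signals recommended above, sign-ins through an OAuth client such as Visual Studio Code by users who do not normally use it and new device registrations in Entra ID, can be turned into a simple correlation rule. The following is an added example, not code from Volexity or Microsoft; the log lines are constructed, the field names only imitate an Entra sign-in/audit export, and the 24-hour correlation window and the known-user baseline are assumptions you would replace with your tenant's own data.

```python
import json
from datetime import datetime, timedelta

# Constructed sample log lines (not real telemetry); the field names imitate an
# Entra ID sign-in/audit export but are assumptions of this example.
SAMPLE_LOGS = [
    '{"ts":"2025-04-20T09:00:00Z","kind":"signin","user":"bob@ngo.example","app":"Visual Studio Code","ip":"198.51.100.4"}',
    '{"ts":"2025-04-20T10:15:00Z","kind":"signin","user":"alice@ngo.example","app":"Microsoft Teams","ip":"198.51.100.4"}',
    '{"ts":"2025-04-20T10:42:00Z","kind":"signin","user":"alice@ngo.example","app":"Visual Studio Code","ip":"203.0.113.7"}',
    '{"ts":"2025-04-20T11:05:00Z","kind":"audit","user":"alice@ngo.example","activity":"Add registered device","device":"WIN-NEW-01"}',
    '{"ts":"2025-04-22T08:00:00Z","kind":"audit","user":"carol@ngo.example","activity":"Add registered device","device":"LAPTOP-CAROL"}',
]

# OAuth client applications the article names as abused; extend with any
# others your tenant never legitimately uses for interactive user sign-in.
WATCHED_APPS = {"Visual Studio Code"}
# Assumed baseline: users known to use VS Code with M365 legitimately.
KNOWN_APP_USERS = {"bob@ngo.example"}
# Assumed window for tying a device registration to an earlier suspicious sign-in.
CORRELATION_WINDOW = timedelta(hours=24)

def _ts(rec):
    return datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")

def find_alerts(lines, known_users=KNOWN_APP_USERS):
    """Return (severity, rule, user, detail) tuples for the two signals the
    article recommends watching: sign-ins via watched OAuth clients by users
    who do not normally use them, and new device registrations. A registration
    that follows a flagged sign-in by the same user within CORRELATION_WINDOW
    is escalated, since that is the sequence described for UTA0355."""
    records = sorted((json.loads(line) for line in lines), key=_ts)
    flagged_signin = {}  # user -> time of last suspicious watched-app sign-in
    alerts = []
    for rec in records:
        user = rec["user"]
        if rec["kind"] == "signin" and rec["app"] in WATCHED_APPS and user not in known_users:
            flagged_signin[user] = _ts(rec)
            alerts.append(("medium", "unexpected_oauth_client_signin", user,
                           f'{rec["app"]} from {rec["ip"]}'))
        elif rec["kind"] == "audit" and rec["activity"] == "Add registered device":
            prior = flagged_signin.get(user)
            if prior is not None and _ts(rec) - prior <= CORRELATION_WINDOW:
                alerts.append(("high", "device_registered_after_oauth_signin", user, rec["device"]))
            else:
                alerts.append(("low", "new_device_registration", user, rec["device"]))
    return alerts

if __name__ == "__main__":
    for alert in find_alerts(SAMPLE_LOGS):
        print(*alert)
```

In a real deployment the baseline of known users would come from historical sign-in data rather than a hard-coded set, and every low-severity device registration still deserves a manual check.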

As humanitarian organizations and NGOs continue to rely on Microsoft 365 for sensitive communications, the growing risk of OAuth abuse becomes more significant. Despite existing security measures, the attackers’ ability to bypass traditional defenses highlights the need for heightened security awareness and more robust technical safeguards.

Volexity has assessed with medium confidence that these groups are linked to Russian cyber operations, based on the targets and techniques used. The sophistication of these campaigns and the shifting attack methods underscore the need for organizations to remain vigilant and proactive in their defense strategies.

What Undercode Says:

This evolving threat landscape reveals the increasing sophistication of cyberattacks, with adversaries continuously refining their strategies to exploit widely used services like Microsoft 365. The transition from traditional phishing to the abuse of OAuth 2.0 workflows signals a troubling trend, as attackers adapt to circumvent increasingly robust defenses.

One of the most concerning aspects of these attacks is the seamless integration of malicious actions within the legitimate Microsoft environment. Because everything occurs on Microsoft’s official pages—using trusted applications—detection becomes incredibly challenging. This represents a growing problem for organizations that rely on Microsoft services but lack the necessary vigilance to identify these subtler forms of attack.

The social engineering techniques employed by these threat actors are particularly concerning. By initiating contact through secure messaging apps and posing as credible individuals, the attackers leverage psychological manipulation to trick victims into handing over sensitive data. This highlights the importance of human awareness in cybersecurity. No matter how advanced the technical defenses are, human error remains a significant vulnerability.

Moreover, the ability of these groups to use OAuth-based intrusions to gain persistent access and bypass multi-factor authentication (MFA) is particularly alarming. The use of Microsoft’s Entra ID and Device Registration Service to create new devices within a victim’s environment allows attackers to establish long-term access. Once they gain this foothold, they can navigate around additional security layers, making them harder to remove.

Organizations that deal with sensitive topics, such as human rights and geopolitical issues, are especially vulnerable. These groups are targeted because they are likely to have high-value data related to international relations, government policies, and humanitarian efforts. As these entities often face budget and resource constraints, they may lack the necessary technical expertise or infrastructure to defend against such sophisticated attacks.

In addition, the continued use of OAuth 2.0 flows by attackers suggests that this method could become a preferred tactic for cybercriminals moving forward. Its success is rooted in its ability to use legitimate services, like Microsoft 365, to execute attacks in a way that bypasses many traditional defenses. As a result, organizations must evolve their security measures to include monitoring for unauthorized OAuth activity and educating their staff on the potential risks.

Ultimately, organizations must prioritize awareness and vigilance in the face of these sophisticated threats. While technical defenses such as endpoint detection and response (EDR) and advanced authentication protocols like MFA are crucial, they are not foolproof. To stay ahead of these threats, a proactive approach that combines robust technical defenses with comprehensive user training is essential.

Fact Checker Results:

  • Volexity’s findings have been corroborated by other cybersecurity reports, affirming the link between UTA0352 and UTA0355 and Russian-affiliated threat actors.
  • The OAuth abuse techniques outlined align with previously observed methods used by sophisticated hacker groups targeting high-value sectors.
  • Recommendations on mitigating these threats, such as monitoring OAuth workflows and educating users, have been widely endorsed by cybersecurity experts.

References:

Reported By: cyberpress.org