Russian Cyberattack Campaigns Exploit OAuth 20 to Hijack Microsoft 365 Accounts

Listen to this Post

Featured Image
The rise of cybercrime is not just a distant threat but a tangible reality that threatens national security, human rights, and the operations of international organizations. In recent months, Russian threat actors have targeted organizations related to Ukraine, human rights, and European governmental entities. These attackers have exploited legitimate OAuth 2.0 workflows to hijack Microsoft 365 accounts using sophisticated tactics to steal login credentials and authorization codes. The campaigns, linked to two identified groups—UTA0352 and UTA0355—rely on impersonation tactics and social engineering to bypass security protocols and gain unauthorized access.

The threat actors have targeted employees within organizations working on Ukraine-related affairs and human rights issues, using trusted communication platforms like WhatsApp and Signal to trick victims into sharing sensitive information. This article delves into the details of how these cybercriminals operate and how organizations can safeguard their digital assets against such attacks.

Summary

Russian threat actors have been targeting Microsoft 365 accounts linked to Ukraine and human rights organizations through the abuse of OAuth 2.0 authentication workflows. These attackers impersonate officials from European governments and contact potential victims via messaging platforms like WhatsApp and Signal. Their goal is to deceive victims into providing Microsoft authorization codes, which grant access to their accounts, or to click on malicious links designed to steal login credentials and one-time access codes.

Volexity, a cybersecurity company, has been tracking these campaigns since early March. This follows a similar phishing operation reported in February, where Device Code Authentication was used to steal Microsoft 365 accounts. Volexity associates these attacks with two threat actor groups, UTA0352 and UTA0355, both believed to be Russian in origin.

The attack begins with a message from the attacker, who impersonates a European political figure or Ukrainian diplomat. The attacker lures the target by offering an invitation to a private video meeting on Ukraine-related matters. Once the communication is established, the attacker sends a link to a phishing page, disguised as an OAuth authentication request for joining the meeting.

In some cases, UTA0352 uses a PDF with instructions to join the meeting, alongside a malicious link designed to collect Microsoft 365 login credentials. The victim, after clicking on the link, is directed to a page that appears to be Visual Studio Code but is actually a malicious phishing page. When the victim logs in, they inadvertently share an authorization code, which is then captured by the attackers.

This authorization code is valid for 60 days, allowing the attacker to obtain access tokens to the victim’s Microsoft 365 account. The attacker may also register a new device to the victim’s account and attempt to bypass two-factor authentication (2FA) by using social engineering tactics. If successful, this allows them long-term access to sensitive information, including emails and files.

The second phase of the campaign, linked to UTA0355, follows a similar path but involves additional steps. The attacker uses a compromised Ukrainian government email account to initiate contact, and once the victim shares their OAuth authorization code, the attacker registers a new device to the victim’s Microsoft Entra ID (formerly Azure Active Directory). Once the device is registered, the attacker attempts to bypass 2FA by claiming that the code is needed for access to a SharePoint instance. If successful, the attacker gains prolonged access to the victim’s account.

Volexity has advised organizations to implement security measures, such as setting up alerts for logins using Visual Studio Code client IDs and blocking access to malicious sites like ‘insiders.vscode.dev’ and ‘vscode-redirect.azurewebsites.net’. Additionally, setting conditional access policies to limit access to only approved devices is crucial in defending against these attacks.

What Undercode Say:

This form of attack demonstrates a concerning level of sophistication. The attackers’ use of trusted communication platforms such as WhatsApp and Signal, combined with the impersonation of European officials or diplomats, adds a layer of credibility that significantly increases the likelihood of success. By leveraging OAuth 2.0—an otherwise legitimate and secure authentication protocol—the attackers are able to exploit vulnerabilities in the system without needing to directly break through firewalls or brute-force passwords.

The reliance on social engineering is also a major factor in the success of these campaigns. By luring victims into thinking they are accessing a legitimate video conference related to Ukraine, the attackers create a sense of urgency and trust. This method of phishing is not only highly effective but also difficult to detect, as it does not rely on traditional malware but on exploiting the inherent trust users have in communication platforms and familiar workflows.

The OAuth 2.0 exploitation is especially concerning because it involves the theft of authorization codes that grant the attacker access to a wide range of resources associated with the victim’s Microsoft 365 account. OAuth, typically used to grant third-party applications access to user data without sharing passwords, is generally considered secure. However, by tricking users into providing authorization codes through social engineering, the attackers bypass the security features OAuth typically offers.

One of the most alarming aspects of this attack is the ability of the threat actors to maintain persistent access to the victim’s account. Once a device is registered to the victim’s Microsoft Entra ID, the attackers can continue to manipulate the victim’s account long after the initial phishing attempt. The use of two-factor authentication (2FA) to further compromise the account highlights the sophistication of the attackers, who understand the necessity of overcoming multiple layers of security.

Organizations, especially those in high-risk sectors like human rights or international relations, need to take these threats seriously. This attack is a stark reminder of the evolving nature of cybercrime and the need for continuous vigilance and up-to-date security measures. Moreover, the exploitation of legitimate tools—like OAuth 2.0 and Visual Studio Code—shows that even trusted platforms can be weaponized if users are not cautious.

Fact Checker Results:

Volexity’s findings regarding the attack are consistent with previous research into Russian cyberattack methods, notably their use of phishing and social engineering tactics. The details about the use of OAuth 2.0 and Visual Studio Code match known attack patterns, making this campaign a credible threat. Organizations must prioritize security updates and enforce strict login protocols to protect against similar future threats.

References:

Reported By: www.bleepingcomputer.com
Extra Source Hub:
https://www.discord.com
Wikipedia
Undercode AI

Image Source:

Unsplash
Undercode AI DI v2

Join Our Cyber World:

💬 Whatsapp | 💬 Telegram