Russian Hackers Target Ukraine Allies via Microsoft OAuth Exploit
In a new cyber espionage campaign, Russian threat actors are abusing Microsoft's legitimate OAuth 2.0 authorization flow to hijack Microsoft 365 accounts belonging to employees of organizations working on Ukraine and human rights. No flaw in OAuth is involved: the attackers rely on social engineering to obtain a valid authorization code from the victim.
Cybersecurity firm Volexity, which has tracked the activity since early March, reports that two threat actors it designates UTA0352 and UTA0355 targeted victims over WhatsApp and Signal. Posing as European or Ukrainian officials, they first opened a conversation about Ukraine-related matters and then followed up with a malicious link, or a PDF containing a phishing URL.
These URLs are genuine Microsoft sign-in links for the Visual Studio Code application, configured to redirect to insiders.vscode.dev. The victim authenticates to their real Microsoft account through the normal OAuth authorization-code flow; after sign-in the browser lands on insiders.vscode.dev with the OAuth authorization code visible in the address bar. The attacker then asks the victim to copy that code back to them, redeems it for access and refresh tokens, and gains full access to the user's Microsoft 365 resources. According to the report the code remains valid for 60 days, so the attacker has ample time to use it. Because both the sign-in page and the redirect host are legitimate Microsoft infrastructure, URL reputation filters will not flag the lure; the tell is the request to share a code with someone else.
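The three steps above, written out as an added illustration (not code from Volexity's report or from Microsoft): building the authorize URL an attacker sends, pulling the code out of the redirect URL the victim sees, and assembling the token request the attacker redeems it with. The tenant, client_id, scope and redirect path are placeholders, not identifiers from the report; only insiders.vscode.dev is taken from the text. A final function shows the defender-side check a chat or proxy log scanner can make. Nothing here touches the network.

```python
"""OAuth 2.0 authorization-code relay, as used in the campaign above.
Added example; the identifiers below are placeholders, not from the report."""
import re
from urllib.parse import urlencode, urlparse, parse_qs

AUTHORIZE_ENDPOINT = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/authorize"
TOKEN_ENDPOINT = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"

# Redirect hosts that show the authorization code to the user rather than
# passing it to a backend. insiders.vscode.dev is the host named in the report;
# treating it as a watch-list entry is an assumption for this example.
CODE_DISPLAY_HOSTS = {"insiders.vscode.dev"}

URL_RE = re.compile(r"https?://[^\s<>\"']+")


def build_authorize_url(tenant, client_id, redirect_uri, scope, state):
    """Step 1, the lure: a real Microsoft sign-in URL. Only the intent is malicious."""
    params = {
        "client_id": client_id,
        "response_type": "code",
        "redirect_uri": redirect_uri,
        "scope": scope,
        "state": state,
    }
    return AUTHORIZE_ENDPOINT.format(tenant=tenant) + "?" + urlencode(params)


def extract_code(redirect_url):
    """Step 2: after sign-in the browser lands on redirect_uri?code=...&state=...
    The code sits in the address bar; the victim is asked to copy it out."""
    qs = parse_qs(urlparse(redirect_url).query)
    return qs.get("code", [None])[0], qs.get("state", [None])[0]


def build_token_request(tenant, client_id, redirect_uri, code):
    """Step 3: the attacker redeems the relayed code for tokens.
    redirect_uri must match the one used in step 1 or the exchange is refused."""
    body = {
        "client_id": client_id,
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": redirect_uri,
    }
    return TOKEN_ENDPOINT.format(tenant=tenant), body


def is_code_relay_lure(url):
    """Defender check: a Microsoft authorize URL whose redirect_uri points at a
    host that displays the code to the user. Benign when a developer signs in to
    VS Code themselves; suspicious when it arrives in a chat message."""
    parsed = urlparse(url)
    if parsed.hostname != "login.microsoftonline.com" or "/oauth2/" not in parsed.path:
        return False
    redirect = parse_qs(parsed.query).get("redirect_uri", [""])[0]
    return urlparse(redirect).hostname in CODE_DISPLAY_HOSTS


def find_lures(messages):
    """Scan chat or proxy log lines and return every URL that matches the pattern."""
    return [u for m in messages for u in URL_RE.findall(m) if is_code_relay_lure(u)]


if __name__ == "__main__":
    # Placeholder values; real campaigns use the first-party VS Code client.
    lure = build_authorize_url(
        "common", "00000000-0000-0000-0000-000000000000",
        "https://insiders.vscode.dev/redirect", "openid profile offline_access", "mtg-notes")
    # Constructed chat transcript, not a real capture.
    chat = ["Please open this to join the meeting room: " + lure,
            "Then send me the code you see in the address bar."]
    print("flagged:", find_lures(chat))
    code, state = extract_code("https://insiders.vscode.dev/redirect?code=M.C1_BAY.2.U.abc&state=mtg-notes")
    print("relayed code:", code, "state:", state)
    print("token request:", build_token_request("common", "00000000-0000-0000-0000-000000000000",
                                                "https://insiders.vscode.dev/redirect", code))
```

The detection is deliberately narrow: it keys on the redirect host, not on the sign-in domain, because the sign-in domain is legitimate and will pass any reputation check. In practice it is paired with sign-in log review for unexpected consents or sign-ins to the Visual Studio Code application from users who have no reason to use it.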
In at least one case, the initial contact came from a compromised Ukrainian government account, which made the approach far more convincing. Against the backdrop of the ongoing conflict, lures of this kind are increasingly hard for targets to dismiss.