Russian hackers are exploiting legitimate OAuth 2.0 authentication processes to take over Microsoft 365 accounts belonging to employees of organizations connected to Ukraine and human rights.
The hackers pose as officials from European countries and approach their targets via WhatsApp and Signal messaging apps. The goal is to trick potential victims into handing over Microsoft authorization codes that grant access to accounts or into clicking on malicious links that collect login credentials and one-time access codes.
Cybersecurity company Volexity has been observing this activity since early March, shortly after a similar operation that Volexity and Microsoft reported in February, in which attackers used Device Code Authentication phishing to take over Microsoft 365 accounts. Volexity is tracking the threat actors behind both campaigns under the names UTA0352 and UTA0355 and estimates that both originate from Russia.
Ukrainian government account hacked
In a report published today, the researchers describe how the attack begins with a message via Signal or WhatsApp. The message was sent from a hacked Ukrainian government account in one case.
The attacker posed as a European political official or a Ukrainian diplomat and invited the target to a private video call about Ukraine-related matters. Once contact was established, the attacker sent an OAuth-based phishing URL, supposedly needed to join the video call.
UTA0352 can also send the instructions as a PDF file, accompanied by a malicious URL that leads the victim to a legitimate Microsoft login page for first- or third-party apps that use Microsoft 365 OAuth flows. After authentication, the victim is redirected to an in-browser version of Visual Studio Code hosted on insiders.vscode.dev. This landing page can receive Microsoft 365 login parameters, including the OAuth authorization code, which it shows to the victim in a dialog box.
Social engineering
Through social engineering, the attacker attempts to persuade the victim to send back the code, under the pretext that it is needed to participate in the conversation.
In reality, this string is an authorization code valid for 60 days and can be used to obtain an access token for all resources the user normally has access to.
According to Volexity, it was striking that this code was also visible in the browser's address bar. Visual Studio Code appeared to be designed so that the code was easy to copy and share, whereas other applications would simply display a blank page in the same situation.
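A detection-side illustration of the relay pattern described above, added here as an example and not taken from Volexity's report: it assumes an identity-provider log that records both the victim's interactive sign-in and the later authorization-code redemption with a source IP (the field names and sample events are constructed), and flags redemptions that come from a different IP than the sign-in or minutes rather than seconds after it, which is what a code pasted into a chat and redeemed by someone else looks like.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample events (not real log data). Field names are an assumption:
# "auth"   = the user completed the interactive sign-in in a browser,
# "redeem" = an authorization code was exchanged for tokens.
SAMPLE_EVENTS = [
    {"ts": "2025-03-10T09:01:00", "user": "alice@example.org", "kind": "auth",
     "app": "Visual Studio Code", "ip": "203.0.113.10"},
    {"ts": "2025-03-10T09:01:05", "user": "alice@example.org", "kind": "redeem",
     "app": "Visual Studio Code", "ip": "203.0.113.10"},   # same device, seconds later
    {"ts": "2025-03-12T14:20:00", "user": "bob@example.org", "kind": "auth",
     "app": "Visual Studio Code", "ip": "203.0.113.22"},
    {"ts": "2025-03-12T14:47:00", "user": "bob@example.org", "kind": "redeem",
     "app": "Visual Studio Code", "ip": "198.51.100.7"},   # other network, 27 min later
]

def _ts(event):
    return datetime.fromisoformat(event["ts"])

def find_relayed_codes(events, max_delay_s=120):
    """Pair each code redemption with the most recent interactive sign-in for the
    same user and app. A code relayed to a third party shows up as a redemption
    from a different IP and/or long after the sign-in. Returns one alert dict per
    suspicious redemption (empty list when everything pairs up cleanly)."""
    by_key = defaultdict(list)
    for ev in sorted(events, key=_ts):
        by_key[(ev["user"], ev["app"])].append(ev)
    alerts = []
    for (user, app), evs in by_key.items():
        last_auth = None
        for ev in evs:
            if ev["kind"] == "auth":
                last_auth = ev
                continue
            if ev["kind"] != "redeem" or last_auth is None:
                continue
            delay = (_ts(ev) - _ts(last_auth)).total_seconds()
            reasons = []
            if ev["ip"] != last_auth["ip"]:
                reasons.append(f"redeemed from {ev['ip']}, signed in from {last_auth['ip']}")
            if delay > max_delay_s:
                reasons.append(f"redeemed {delay:.0f}s after the sign-in")
            if reasons:
                alerts.append({"user": user, "app": app, "redeem_ts": ev["ts"], "reasons": reasons})
    return alerts

if __name__ == "__main__":
    for alert in find_relayed_codes(SAMPLE_EVENTS):
        print(alert)
```

Running it prints a single alert for bob@example.org with both reasons; Alice's same-device redemption five seconds after sign-in produces none.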