Since early March 2025, Russian state-aligned threat actors have been conducting sophisticated phishing campaigns targeting organizations with ties to Ukraine and human rights groups. These attacks abuse Microsoft 365’s OAuth 2.0 authentication workflows to gain unauthorized access to victim accounts. Security firm Volexity first documented these campaigns, which involve social engineering via encrypted messaging apps and the theft of Microsoft authorization codes [1].
Campaign Overview and Tactics
The attackers, identified as UTA0352 and UTA0355, impersonate European government officials to lure victims. Initial contact occurs through Signal or WhatsApp, where targets receive invitations to fake political meetings or events. The phishing links direct users to legitimate Microsoft domains like login.microsoftonline.com, where victims are tricked into providing OAuth authorization codes [2].
Once attackers obtain these codes, they register attacker-controlled devices in the victim’s Entra ID (formerly Azure AD) environment. This provides persistent access even after password changes. Microsoft’s research shows the attackers specifically abuse Visual Studio Code’s OAuth client ID (aebc6443-996d-45c2-90f0-388ff96faa56) to appear legitimate [3].
Technical Execution and Detection
The campaign employs multiple sophisticated techniques. Attackers use Microsoft’s own infrastructure to host phishing pages, making detection more difficult. They also leverage compromised Microsoft 365 tenants with spoofed display names to send phishing emails that pass SPF and DKIM checks [4].
For detection, security teams should monitor for:
- Anomalous device registrations in Entra ID
- Authentication requests using the Visual Studio Code client ID
- Traffic to vscode-redirect.azurewebsites.net
- Sign-in attempts with authenticationProtocol: deviceCode
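The following is an added example, not code from the article or from any of the cited vendors, showing how the indicators above could be applied to Entra ID sign-in and device-registration records. The log records are constructed here, and the field names (appId, authenticationProtocol, createdDateTime, user, deviceId) are assumptions about the export format; the client ID is the Visual Studio Code one named in the article. Beyond the single indicators, it also correlates a VS Code client-ID sign-in with a device registration for the same user shortly afterwards, which is the persistence step the article describes.

```python
from datetime import datetime, timedelta

# Visual Studio Code OAuth client ID abused in the campaign (from the article).
VSCODE_CLIENT_ID = "aebc6443-996d-45c2-90f0-388ff96faa56"
# How soon after a suspicious sign-in a new device registration is correlated
# with it. The window is an assumption; tune to your tenant's baseline.
CORRELATION_WINDOW = timedelta(hours=1)

def _ts(s):
    return datetime.fromisoformat(s)

# Constructed sample sign-in records (assumed field names, placeholder app IDs).
SIGNINS = [
    {"id": "s1", "user": "analyst@example.org", "appId": VSCODE_CLIENT_ID,
     "authenticationProtocol": "oAuth2", "createdDateTime": "2025-03-10T09:00:00"},
    {"id": "s2", "user": "analyst@example.org", "appId": "11111111-1111-1111-1111-111111111111",
     "authenticationProtocol": "deviceCode", "createdDateTime": "2025-03-10T09:30:00"},
    {"id": "s3", "user": "ngo-lead@example.org", "appId": VSCODE_CLIENT_ID,
     "authenticationProtocol": "oAuth2", "createdDateTime": "2025-03-11T14:00:00"},
    {"id": "s4", "user": "staff@example.org", "appId": "22222222-2222-2222-2222-222222222222",
     "authenticationProtocol": "ropc", "createdDateTime": "2025-03-11T15:00:00"},
]
# Constructed sample device-registration events (assumed field names).
DEVICE_REGISTRATIONS = [
    {"user": "ngo-lead@example.org", "deviceId": "dev-1", "createdDateTime": "2025-03-11T14:20:00"},
    {"user": "staff@example.org", "deviceId": "dev-2", "createdDateTime": "2025-03-11T16:00:00"},
]

def flag_signins(signins, registrations):
    """Return {signin_id: [reasons]} for sign-ins matching the article's indicators."""
    findings = {}
    for s in signins:
        reasons = []
        if s["appId"] == VSCODE_CLIENT_ID:
            reasons.append("vscode-client-id")
            t = _ts(s["createdDateTime"])
            # A device registered by the same user within the window after a
            # VS Code client-ID sign-in is the persistence pattern to review.
            for r in registrations:
                delta = _ts(r["createdDateTime"]) - t
                if r["user"] == s["user"] and timedelta(0) <= delta <= CORRELATION_WINDOW:
                    reasons.append("device-registered:" + r["deviceId"])
        if s["authenticationProtocol"] == "deviceCode":
            reasons.append("device-code-flow")
        if reasons:
            findings[s["id"]] = reasons
    return findings

if __name__ == "__main__":
    for sid, why in flag_signins(SIGNINS, DEVICE_REGISTRATIONS).items():
        print(sid, why)
```

The "staff" user's registration is not flagged because no VS Code client-ID sign-in precedes it, which keeps ordinary enrollments out of the alert; a hit on the device-code rule alone still warrants review given the Conditional Access guidance below.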
Mitigation Strategies
Microsoft recommends several defensive measures. Organizations should disable the device code flow via Conditional Access policies and restrict device enrollment in Entra ID. For compromised accounts, administrators should use the revokeSignInSessions cmdlet in PowerShell to invalidate active sessions [3].
Security teams should also implement monitoring for emails from unknown .onmicrosoft.com tenants and educate users about the risks of sharing authentication codes. The eSentire advisory provides specific detection scripts that can help identify these attacks [5].
Broader Implications
This campaign demonstrates how threat actors increasingly abuse legitimate cloud services for malicious purposes. By leveraging Microsoft’s infrastructure, attackers bypass traditional email security controls. The attacks also highlight the risks of OAuth implementation weaknesses, particularly around device code authentication flows [6].
Security researchers note this is part of a broader trend of Russian APT groups targeting cloud environments. Similar techniques have been used by groups like APT29 (CozyLarch) and Storm-2372, who have shifted to stealing Primary Refresh Tokens through Microsoft’s Authentication Broker [3].
Conclusion
The ongoing exploitation of Microsoft 365 authentication workflows represents a significant threat to organizations worldwide. While Microsoft has provided mitigation guidance, the attacks continue to evolve. Organizations must remain vigilant, implementing both technical controls and user awareness programs to defend against these sophisticated phishing campaigns.
References
1. “Phishing for Codes: Russian Threat Actors Target Microsoft 365 OAuth Workflows,” Volexity, Apr. 22, 2025.
2. “Multiple Russian Threat Actors Targeting Microsoft Device Code Authentication,” Volexity, Feb. 13, 2025.
3. “Storm-2372 Conducts Device Code Phishing Campaign,” Microsoft Security Blog, Feb. 13, 2025.
4. “Sophisticated Phishing Campaign Exploiting Microsoft 365 Infrastructure,” Guardz, Mar. 2025.
5. “Device Code Authentication Phishing Advisory,” eSentire, 2025.
6. “Device Code Phishing: How Storm-2372 Targets Microsoft Users,” IT Pro, Feb. 2025.