“attacker then engaged the user using rapport-building phishing, first engaging them in a benign conversation, and later sending an invite to register for resources tied to the belgrade security conference, as shown below: the hyperlink in the email above led to a microsoft-o…”
T1566.002 Spearphishing Link
99%
“phishing email leading to an oauth authentication workflow. the email had come from an account the user had recently corresponded with, and it was a continuation of an existing and legitimate thread related to the upcoming belgrade security conference in serbia. this method of ph…”
T1566.002 Spearphishing Link
98%
“brussels indo-pacific dialogue (december 2, 2025) these campaigns used various methods to ensure success, including the following: rapport-building phishing: the attacker often establishes communications with victims. no malicious content is shared, at first. only later i…”
T1566.002 Spearphishing Link
97%
“, which occurs after authentication with microsoft services has been completed. volexity notes that microsoft authentication broker is the same application configured by default in the devicecodephishing project available on github. when volexity provided the attacker with creden…”
T1566.002 Spearphishing Link
97%
“such as the content from this blog, is published to customers via its threat intelligence service. the activity described in this blog post was shared with volexity threat intelligence customers in tib-20251117 & tib-20251119b. if you are interested in learning more about vol…”
T1566.002 Spearphishing Link
97%
“. an example of the initial outreach is shown below. after exchanging a few emails with the targeted user, the sender shared a url in a follow-up email, noting that the user needed to be added to the “bipd system” by clicking a malicious url, as shown below. the url shared wi…”
T1566.002 Spearphishing Link
97%
“dangerous invitations: russian threat actor spoofs european security events in targeted phishing attacks in early 2025, volexity published two blog posts detailing a new trend among russian threat actors targeting organizations through the abuse of microsoft 365 oauth and device…”
T1566.002 Spearphishing Link
96%
“domain name: ustrs.com registry domain id: 2488656711_domain_com-vrsn registrar whois server: whois.dynadot.com registrar url: http://www.dynadot.com updated date: 2025-10-31t14:30:50.0z creation date: 2020-02-05t03:19:46.0z registrar regist…”
T1566.002 Spearphishing Link
95%
“. volexity suspects this is due to the level of success threat actors are having at breaching accounts in this manner. the campaigns described in this blog post are just a small subset of observed attacks this year, and based on volexity’s observations they continue to be quite…”
T1566.002 Spearphishing Link
87%
“it can potentially reveal their intrusion when users report the phish to the initially compromised organization. on the other hand, the use of compromised accounts for phishing can lend credibility to an attack, which volexity assesses with medium confidence results in high succe…”
T1566.002 Spearphishing Link
70%
“- targeted users will be directed to page with their registration details as shown below. as was the case in the belgrade security conference campaign, subsequent access to compromised accounts takes place via nodes belonging to proxy networks. expanding the target list volexity …”
T1566.002 Spearphishing Link
59%
“, which impersonates the belgrade security conference, showed that the attacker used an email account from the obscure email service mailum[.]com to register the domain, as shown below. investigation of other domains registered with email addresses that used the same service y…”
T1566.002 Spearphishing Link
56%
“the attacker, the attacker would set a cookie named cookie_reg containing a base64-encoded version of the registrant email. the user would then be redirected to a page indicating they were registered for the conference along with their “registration” details. if the provide…”
T1078.004 Cloud Accounts
48%
“ngcmfa&login_hint=[user] after the targeted user completed the login, they landed on a blank webpage whose url contained the oauth token. the attacker asked the user to provide the url under the guise of “finalizing their registration” to complete the process. aft…”
T1586.002 Email Accounts
31%
“); xiaomi. in this specific case, it was notable that the “iphone” access was coming from a device claiming to be an android phone. phishing operations expanded not long after this highly targeted operation, volexity observed broader targeting from an attacker-created gmail …”
Summary
In early 2025, Volexity published two blog posts detailing a new trend among Russian threat actors targeting organizations through the abuse of Microsoft 365 OAuth and Device Code authentication workflows to […]