TTPwire Vol. 1 · MITRE ATT&CK · Tagged


Volexity

Phishing for Codes: Russian Threat Actors Target Microsoft 365 OAuth Workflows

mindgrub · 2025-04-22

ATT&CK techniques detected

52 predictions
T1566.002 Spearphishing Link · 100%
“easily be discovered or later examined. The initial email that was sent to various targets is shown in the image below. Not long after this email was sent to various targets, the follow-up message from UTA0355 referencing the email was sent via Signal or WhatsApp; an example o…”
T1566.002 Spearphishing Link · 99%
“later examined. The initial email that was sent to various targets is shown in the image below. Not long after this email was sent to various targets, the follow-up message from UTA0355 referencing the email was sent via Signal or WhatsApp; an example of which is shown below. …”
T1566.002 Spearphishing Link · 98%
“Ukraine. The messages claimed to be from European political officials and were themed around discussing matters involving Ukraine. In each observed instance, the call to action was to arrange a meeting between the target and a political official, or ambassador, of the European co…”
T1566.002 Spearphishing Link · 98%
“this campaign uses similar techniques to those employed by UTA0352, Volexity currently tracks these attacks separately and attributes this activity to a threat actor it has labeled UTA0355. Multi-Stage Social Engineering Unlike the attacks that Volexity observed from UTA0352, t…”
T1566.002 Spearphishing Link · 98%
“…flows The workflow the older campaign variation initiates is similar to the initially observed campaign. If a user is logged in, they are redirected to vscode-redirect.azurewebsites.net, which in turn redirects to a local IP address (127.0.0.1). When this happens, inst…”
T1566.002 Spearphishing Link · 97%
“techniques to those employed by UTA0352, Volexity currently tracks these attacks separately and attributes this activity to a threat actor it has labeled UTA0355. Multi-Stage Social Engineering Unlike the attacks that Volexity observed from UTA0352, this new phishing campaign s…”
T1566.002 Spearphishing Link · 96%
“attempt to a Romanian government service. This is a theme repeated in other phishing attacks as an effort to make the links appear legitimate. The diagram below shows the overall workflow followed by the attacker to target users leveraging the Visual Studio Code first-party app…”
T1566.002 Spearphishing Link · 96%
“.0 Authentication Workflows The workflow the older campaign variation initiates is similar to the initially observed campaign. If a user is logged in, they are redirected to vscode-redirect.azurewebsites.net, which in turn redirects to a local IP address (127.0.0.1). Wh…”
T1566.002 Spearphishing Link · 96%
“on issues related to Ukraine. The messages claimed to be from European political officials and were themed around discussing matters involving Ukraine. In each observed instance, the call to action was to arrange a meeting between the target and a political official, or ambassado…”
T1566.002 Spearphishing Link · 94%
“…ity observed UTA0352 impersonating individuals representing the following countries and affiliations: Mission of Ukraine to the European Union; Permanent Delegation of the Republic of Bulgaria to NATO; Permanent Representation of Romania to the European Union. Based on other obse…”
T1566.002 Spearphishing Link · 91%
“phishing campaigns, and the supplied instructions involved sending a code back to the attacker. However, unlike the previously observed attacks, these URLs were not associated with Device Code Authentication workflows. Instead, these URLs pointed to other Microsoft OAuth 2.0 aut…”
T1528 Steal Application Access Token · 90%
“…469-4536-ade2-f981bc1d605e&resource=01cb2876-7ebd-4aa4-9cc9-d28bd4d359a9&response_type=code&redirect_uri=https%3a%2f%2flogin.microsoftonline.com%2fwebapp%2fclouddomainjoin%2f8&amr_values=ngcmfa&login_hint=<email@address…”
T1528 Steal Application Access Token · 88%
“…98-a469-4536-ade2-f981bc1d605e&resource=01cb2876-7ebd-4aa4-9cc9-d28bd4d359a9&response_type=code&redirect_uri=https%3a%2f%2flogin.microsoftonline.com%2fwebapp%2fclouddomainjoin%2f8&amr_values=ngcmfa&login_hint=<email@a…”
T1528 Steal Application Access Token · 88%
“/webapp/clouddomainjoin/8?code=[redacted]&session_state=[redacted] By sharing this URL with the attacker, the victim would unknowingly hand over all the information required to authenticate as themselves. This is similar to other observed and suspected attack ca…”
T1566.002 Spearphishing Link · 84%
“. It is plausible that there are overlaps between these threat actors and those Volexity previously reported as conducting Device Code Authentication phishing campaigns in January and February 2025. This blog post details the different techniques used by these threat actors and t…”
T1566.002 Spearphishing Link · 82%
“that there are overlaps between these threat actors and those Volexity previously reported as conducting Device Code Authentication phishing campaigns in January and February 2025. This blog post details the different techniques used by these threat actors and the commonalities b…”
T1528 Steal Application Access Token · 82%
“…online.com/webapp/clouddomainjoin/8?code=[redacted]&session_state=[redacted] By sharing this URL with the attacker, the victim would unknowingly hand over all the information required to authenticate as themselves. This is similar to other observed and suspe…”
T1566.002 Spearphishing Link · 82%
“Signal. Volexity observed UTA0352 impersonating individuals representing the following countries and affiliations: Mission of Ukraine to the European Union; Permanent Delegation of the Republic of Bulgaria to NATO; Permanent Representation of Romania to the European Union. Based on…”
T1528 Steal Application Access Token · 81%
“it is for the Device Registration Service. This service is used by Windows to join new devices to Entra ID. The attacker would use this access to join a new device named DESKTOP-[redacted] to the victim's Entra ID. Volexity was able to use the ROADtools project to replicate…”
T1525 Implant Internal Image · 80%
“is an OAuth 2.0 authorization code that can be used for up to 60 days. This code can be submitted to Microsoft's OAuth workflow for an access token, which can then be used to access the M365 Graph API. Since the original request asked for the user's default access rights, an…”
T1528 Steal Application Access Token · 79%
“API; instead, it is for the Device Registration Service. This service is used by Windows to join new devices to Entra ID. The attacker would use this access to join a new device named DESKTOP-[redacted] to the victim's Entra ID. Volexity was able to use the ROADtools proje…”
T1078.004 Cloud Accounts · 79%
“API; instead, it is for the Device Registration Service. This service is used by Windows to join new devices to Entra ID. The attacker would use this access to join a new device named DESKTOP-[redacted] to the victim's Entra ID. Volexity was able to use the ROADtools proje…”
T1078.004 Cloud Accounts · 76%
“it is for the Device Registration Service. This service is used by Windows to join new devices to Entra ID. The attacker would use this access to join a new device named DESKTOP-[redacted] to the victim's Entra ID. Volexity was able to use the ROADtools project to replicate…”
T1566.002 Spearphishing Link · 76%
“look like an authentication attempt to a Romanian government service. This is a theme repeated in other phishing attacks as an effort to make the links appear legitimate. The diagram below shows the overall workflow followed by the attacker to target users leveraging the Visual S…”
T1078.004 Cloud Accounts · 72%
“April 2025, Volexity identified another new Microsoft 365 OAuth phishing campaign. This time, the campaign started with an email from a legitimate, compromised Ukrainian government email account, which was then followed by messages sent via Signal and WhatsApp. The emails and fol…”
T1525 Implant Internal Image · 71%
“Studio Code dialog is an OAuth 2.0 authorization code that can be used for up to 60 days. This code can be submitted to Microsoft's OAuth workflow for an access token, which can then be used to access the M365 Graph API. Since the original request asked for the user's defaul…”
T1078.004 Cloud Accounts · 70%
“Volexity identified another new Microsoft 365 OAuth phishing campaign. This time, the campaign started with an email from a legitimate, compromised Ukrainian government email account, which was then followed by messages sent via Signal and WhatsApp. The emails and follow-up mes…”
T1566.002 Spearphishing Link · 69%
“and the supplied instructions involved sending a code back to the attacker. However, unlike the previously observed attacks, these URLs were not associated with Device Code Authentication workflows. Instead, these URLs pointed to other Microsoft OAuth 2.0 authentication workflow…”
T1078.004 Cloud Accounts · 64%
“to gain access to their email. Post-Compromise Activity Volexity assesses with high confidence that the attacker required the victim to approve a 2FA request to access email items. In logs reviewed by Volexity, initial device registration was successful shortly after interactin…”
T1566.002 Spearphishing Link · 64%
“was sent to the target. The image below shows the two-page PDF document purporting to be from the Romanian Ministry of Foreign Affairs. The URL shared by UTA0352 had the following format: https://login.microsoftonline[.]com/organizations/oauth2/v2.0/authorize?…”
T1566.002 Spearphishing Link · 57%
“Phishing for Codes: Russian Threat Actors Target Microsoft 365 OAuth Workflows Since early March 2025, Volexity has observed multiple suspected Russian threat actors conducting highly targeted social engineering operations aimed at gaining access to the Microsoft 365 (M365) ac…”
T1566.002 Spearphishing Link · 53%
“primary tactics observed involve the attacker requesting victim's supply Microsoft Authorization codes, which grant the attacker with account access to then join attacker-controlled devices to Entra ID (previously Azure AD), and to download emails and other account-relate…”
T1566.002 Spearphishing Link · 52%
“to reach out to Volexity via our contact form. We would be glad to assess any potential targeting and assist in determining if such an attack may have succeeded. Acknowledgements Volexity would like to thank its customers for their vigilance, cooperation, hard work, and dedicatio…”
T1566.002 Spearphishing Link · 51%
“Volexity identified another new Microsoft 365 OAuth phishing campaign. This time, the campaign started with an email from a legitimate, compromised Ukrainian government email account, which was then followed by messages sent via Signal and WhatsApp. The emails and follow-up mes…”
T1566.002 Spearphishing Link · 45%
“April 2025, Volexity identified another new Microsoft 365 OAuth phishing campaign. This time, the campaign started with an email from a legitimate, compromised Ukrainian government email account, which was then followed by messages sent via Signal and WhatsApp. The emails and fol…”
T1528 Steal Application Access Token · 44%
“Volexity identified another new Microsoft 365 OAuth phishing campaign. This time, the campaign started with an email from a legitimate, compromised Ukrainian government email account, which was then followed by messages sent via Signal and WhatsApp. The emails and follow-up mes…”
T1525 Implant Internal Image · 43%
“described in the Microsoft OAuth documentation; for convenience, they are briefly described below: Parameter / Description: state: a value to denote the user's state in the application before the request occurred; client_id: the application that made the request; scope: the access …”
T1528 Steal Application Access Token · 43%
“phishing campaigns, and the supplied instructions involved sending a code back to the attacker. However, unlike the previously observed attacks, these URLs were not associated with Device Code Authentication workflows. Instead, these URLs pointed to other Microsoft OAuth 2.0 aut…”
T1525 Implant Internal Image · 43%
“the URL are described in the Microsoft OAuth documentation; for convenience, they are briefly described below: Parameter / Description: state: a value to denote the user's state in the application before the request occurred; client_id: the application that made the request; scope…”
T1528 Steal Application Access Token · 41%
“primary tactics observed involve the attacker requesting victim's supply Microsoft Authorization codes, which grant the attacker with account access to then join attacker-controlled devices to Entra ID (previously Azure AD), and to download emails and other account-relate…”
T1566.002 Spearphishing Link · 39%
“the current situation these individuals and organizations are facing in the form of budget cuts and reduced staffing. Similar to the Device Code Authentication phishing campaigns that Volexity reported in February 2025, these recent campaigns benefit from all user interactions ta…”
T1528 Steal Application Access Token · 39%
“April 2025, Volexity identified another new Microsoft 365 OAuth phishing campaign. This time, the campaign started with an email from a legitimate, compromised Ukrainian government email account, which was then followed by messages sent via Signal and WhatsApp. The emails and fol…”
T1528 Steal Application Access Token · 36%
“that there are overlaps between these threat actors and those Volexity previously reported as conducting Device Code Authentication phishing campaigns in January and February 2025. This blog post details the different techniques used by these threat actors and the commonalities b…”
T1566.002 Spearphishing Link · 36%
“…ly crafted URL was sent to the target. The image below shows the two-page PDF document purporting to be from the Romanian Ministry of Foreign Affairs. The URL shared by UTA0352 had the following format: https://login.microsoftonline[.]com/organizations/oauth2/v…”
T1078.004 Cloud Accounts · 36%
“…469-4536-ade2-f981bc1d605e&resource=01cb2876-7ebd-4aa4-9cc9-d28bd4d359a9&response_type=code&redirect_uri=https%3a%2f%2flogin.microsoftonline.com%2fwebapp%2fclouddomainjoin%2f8&amr_values=ngcmfa&login_hint=<email@address…”
T1078.004 Cloud Accounts · 36%
“their email. Post-Compromise Activity Volexity assesses with high confidence that the attacker required the victim to approve a 2FA request to access email items. In logs reviewed by Volexity, initial device registration was successful shortly after interacting with the attacke…”
T1111 Multi-Factor Authentication Interception · 34%
“API; instead, it is for the Device Registration Service. This service is used by Windows to join new devices to Entra ID. The attacker would use this access to join a new device named DESKTOP-[redacted] to the victim's Entra ID. Volexity was able to use the ROADtools proje…”
T1078.004 Cloud Accounts · 33%
“primary tactics observed involve the attacker requesting victim's supply Microsoft Authorization codes, which grant the attacker with account access to then join attacker-controlled devices to Entra ID (previously Azure AD), and to download emails and other account-relate…”
T1528 Steal Application Access Token · 33%
“described in the Microsoft OAuth documentation; for convenience, they are briefly described below: Parameter / Description: state: a value to denote the user's state in the application before the request occurred; client_id: the application that made the request; scope: the access …”
T1078.004 Cloud Accounts · 32%
“…98-a469-4536-ade2-f981bc1d605e&resource=01cb2876-7ebd-4aa4-9cc9-d28bd4d359a9&response_type=code&redirect_uri=https%3a%2f%2flogin.microsoftonline.com%2fwebapp%2fclouddomainjoin%2f8&amr_values=ngcmfa&login_hint=<email@a…”
T1078.004 Cloud Accounts · 31%
“…online.com/webapp/clouddomainjoin/8?code=[redacted]&session_state=[redacted] By sharing this URL with the attacker, the victim would unknowingly hand over all the information required to authenticate as themselves. This is similar to other observed and suspe…”
T1528 Steal Application Access Token · 31%
“and the supplied instructions involved sending a code back to the attacker. However, unlike the previously observed attacks, these URLs were not associated with Device Code Authentication workflows. Instead, these URLs pointed to other Microsoft OAuth 2.0 authentication workflow…”

Summary

Since early March 2025, Volexity has observed multiple suspected Russian threat actors conducting highly targeted social engineering operations aimed at gaining access to the Microsoft 365 (M365) accounts of targeted […]

The post Phishing for Codes: Russian Threat Actors Target Microsoft 365 OAuth Workflows appeared first on Volexity.