Volexity, an American cybersecurity company, reports that it has discovered a wave of Russian cyberattacks against Microsoft 365 accounts. The cybercriminals are targeting employees of organizations linked to Ukraine and human rights.
To take control of the accounts, the hackers begin by impersonating officials from European countries or Ukrainian diplomats, then contact their targets over instant messaging services such as WhatsApp or Signal. The message is an invitation to an online conference on Microsoft Teams.
An OAuth-based phishing attack
To join the video conference, the target is told to sign in through an OAuth authorization page. As a reminder, Microsoft 365 relies on OAuth 2.0 (with OpenID Connect layered on it for sign-in) to let client applications obtain tokens for its online services: an application is granted scoped access to protected resources without ever seeing or storing the user's password.
The hackers deliver the instructions, along with the malicious URL, in a PDF file. The URL opens a sign-in flow that ends by displaying an authorization code, and the hackers claim that this code is required to join the meeting, so the victim copies it back to them. That code is an OAuth 2.0 authorization code, bound to the client application and redirect address the attacker chose when building the link. Whoever holds it can present it to Microsoft's token endpoint and receive an access token, together with a refresh token; it is the refresh token that gives durable access, which Volexity reports remains valid for 60 days, with no further action from the victim.

With that token, the attacker can reach every Microsoft 365 service the user normally has access to: emails, files, calendar, Teams, and so on. In other words, the attacker can impersonate the user in their professional environment and walk off with a mountain of sensitive data. The sign-in the victim performs is genuine, which is what makes the lure convincing; the damage is done the moment the resulting code is handed over. Nothing here exploits a flaw in OAuth itself: the operation rests entirely on social engineering.

According to Volexity researchers, the campaign has been ongoing since March 2025. A similar phishing campaign emerged in April, orchestrated by another Russian group, and comparable attacks against sensitive Microsoft 365 accounts had already been detected a few weeks earlier, in February.
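To make the mechanics concrete, here is a toy model of the OAuth 2.0 authorization code flow, added for this article; it is not code from Volexity or Microsoft. The client identifier, redirect address, and token lifetimes are assumptions chosen for illustration. It shows why a leaked code is enough (the attacker built the link, so they also hold the PKCE verifier), why the code itself is only a short-lived stepping stone while the refresh token is what lasts, and how a policy that restricts which client applications may redeem tokens stops the exchange even when the code is valid.

```python
"""Toy authorization server modelling the authorization-code phishing
described above. Added example, not Volexity's or Microsoft's code.
Lifetimes and client names are assumptions for illustration only."""
import base64
import hashlib
import secrets
import time
from dataclasses import dataclass, field
from typing import Optional

CODE_LIFETIME = 600               # assumption: auth codes expire after 10 minutes
REFRESH_LIFETIME = 60 * 86400     # assumption: refresh tokens live for 60 days


def pkce_challenge(verifier: str) -> str:
    """S256 code challenge derived from a verifier (RFC 7636)."""
    digest = hashlib.sha256(verifier.encode()).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode()


@dataclass
class AuthServer:
    now: float = field(default_factory=time.time)   # injectable clock
    codes: dict = field(default_factory=dict)
    refresh_tokens: dict = field(default_factory=dict)
    allowed_clients: Optional[set] = None           # None = any client may redeem

    def authorize(self, client_id, redirect_uri, code_challenge, user):
        """The user signs in on the genuine login page; a code is minted for
        the (client, redirect, challenge) tuple in the URL, whoever built it."""
        code = secrets.token_urlsafe(16)
        self.codes[code] = dict(client_id=client_id, redirect_uri=redirect_uri,
                                challenge=code_challenge, user=user,
                                exp=self.now + CODE_LIFETIME)
        return code

    def token(self, client_id, code, redirect_uri, code_verifier):
        """Token endpoint: redeem a code for access + refresh tokens."""
        rec = self.codes.pop(code, None)            # codes are single use
        if rec is None or rec["exp"] < self.now:
            raise PermissionError("invalid or expired code")
        if (rec["client_id"], rec["redirect_uri"]) != (client_id, redirect_uri):
            raise PermissionError("client/redirect mismatch")
        if pkce_challenge(code_verifier) != rec["challenge"]:
            raise PermissionError("PKCE verification failed")
        self._check_policy(client_id)
        return self._issue(client_id, rec["user"])

    def refresh(self, client_id, refresh_token):
        """Mint a fresh access token from a refresh token, long after the code died."""
        rec = self.refresh_tokens.get(refresh_token)
        if rec is None or rec["exp"] < self.now or rec["client_id"] != client_id:
            raise PermissionError("invalid refresh token")
        self._check_policy(client_id)
        return self._issue(client_id, rec["user"])

    def _check_policy(self, client_id):
        # Stand-in for a conditional-access style rule limiting which apps may sign in.
        if self.allowed_clients is not None and client_id not in self.allowed_clients:
            raise PermissionError("client not permitted by policy")

    def _issue(self, client_id, user):
        rt = secrets.token_urlsafe(24)
        self.refresh_tokens[rt] = dict(client_id=client_id, user=user,
                                       exp=self.now + REFRESH_LIFETIME)
        return {"access_token": f"at-{user}-{secrets.token_hex(4)}",
                "refresh_token": rt, "user": user}


def phishing_scenario(server):
    """Attacker crafts the authorize link (and so holds the PKCE verifier); the
    victim signs in and relays the displayed code; the attacker redeems it."""
    client_id = "public-client-app"                  # assumption: a public client, no secret
    redirect_uri = "http://localhost/callback"       # assumption
    verifier = secrets.token_urlsafe(32)             # generated by the attacker
    code = server.authorize(client_id, redirect_uri, pkce_challenge(verifier),
                            user="victim@example.org")
    # The victim pastes `code` into the chat; PKCE passes because the attacker owns the verifier.
    tokens = server.token(client_id, code, redirect_uri, verifier)
    # Weeks later the code is long gone, but the refresh token still mints access tokens.
    server.now += 30 * 86400
    later = server.refresh(client_id, tokens["refresh_token"])
    return tokens["user"], later["user"], later["access_token"] != tokens["access_token"]


def stale_code_is_rejected(server):
    """A code that is not redeemed quickly is worthless: it is the tokens that last."""
    verifier = secrets.token_urlsafe(32)
    code = server.authorize("app", "http://localhost/cb", pkce_challenge(verifier), "u@example.org")
    server.now += CODE_LIFETIME + 1
    try:
        server.token("app", code, "http://localhost/cb", verifier)
        return False
    except PermissionError:
        return True


def policy_blocks_unapproved_client():
    """With an allow-list of client apps, the leaked code cannot be redeemed at all."""
    server = AuthServer(allowed_clients={"approved-app"})
    verifier = secrets.token_urlsafe(32)
    code = server.authorize("public-client-app", "http://localhost/cb", pkce_challenge(verifier), "u@example.org")
    try:
        server.token("public-client-app", code, "http://localhost/cb", verifier)
        return False
    except PermissionError:
        return True
```

The point of the model is the asymmetry it makes visible: PKCE and the redirect check protect against a code intercepted from someone else's request, not against a code the victim hands to the party who built the request in the first place. The controls that do bite are the ones applied at redemption and refresh time, here represented by the client allow-list, together with revoking the refresh tokens of any account that is suspected of having relayed a code.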
Source: Volexity