Full Report
Russian threat actors have been abusing legitimate OAuth 2.0 authentication workflows to hijack Microsoft 365 accounts of employees of organizations related to Ukraine and human rights. [...]
Analysis Summary
# Threat Actor: UTA0355 / UTA0352 (Associated or Related Actors)
## Attribution & Identity
The article primarily discusses a recent phishing campaign attributed by Volexity researchers to **UTA0355**. A similar older variation of the attack is noted as being associated with **UTA0352**. The activity is linked to **Russian threat actors**. No definitive malware family is named, but the core of the attack relies on abusing legitimate OAuth 2.0 workflows. Historical activity referenced includes a previous campaign by UTA0355 which involved registration of a new device.
## Activity Summary
The primary activity described is a phishing campaign, active in April, targeting Microsoft 365 accounts by abusing OAuth 2.0 authorization workflows (specifically using AzureAD v2.0). A key element of this specific campaign was the use of a **Visual Studio Code first-party application** to facilitate the phishing and code extraction. The actors compromised a Ukrainian government email account to initiate contact in the April campaign. Once they obtained the authorization code, they registered a new device to the victim’s Microsoft Entra ID. The final step involved social engineering the victim (e.g., claiming the 2FA code was needed for a SharePoint instance) to approve an ensuing 2FA request, granting the attacker a session token and persistent access via the newly registered device.
## Tactics, Techniques & Procedures
- **OAuth 2.0 Abuse:** Exploiting OAuth 2.0 authorization flows for initial access.
- **Client ID Abuse:** Leveraging the 'Visual Studio Code' client ID during the phishing process (`client_id=ms-vscode.vsce`).
- **Device Registration:** Registering a new device to the victim's Microsoft Entra ID to maintain persistence.
- **Social Engineering:** Tricking victims into approving a 2FA request by providing a fabricated reason (e.g., accessing a required SharePoint instance).
- **Authorization Code Phishing:** Stealing the OAuth authorization code.
- **URL Parameter Manipulation:** Variations noted in URL parameters based on whether AzureAD v1.0 or v2.0 was targeted.
No specific MITRE ATT&CK IDs were explicitly mentioned in the provided text.
## Targeting
- **Sectors:** Not explicitly named for the current campaign, but the initial contact came from a **Ukrainian government email account**, suggesting government entities may be a target sector. The overall target is organizations using **Microsoft 365**.
- **Geography:** The compromise of a **Ukrainian government email account** suggests targeting related to that geography, though the threat actors are noted as Russian.
- **Victims:** Organizations utilizing Microsoft 365 accounts.
## Tools & Infrastructure
- **Malware Families Used:** None explicitly named. The exploitation relies on abusing legitimate application integration (Visual Studio Code application).
- **Infrastructure:**
  - Use of the legitimate Visual Studio Code first-party application flow.
  - URLs the report recommends blocking: `insiders.vscode.dev` and `vscode-redirect.azurewebsites.net` (defanged: `insiders[.]vscode[.]dev` and `vscode-redirect[.]azurewebsites[.]net`).
## Implications
This attack demonstrates an advanced reliance on **"living off the land"** techniques by abusing legitimate, trusted application authorization flows (OAuth 2.0) within Microsoft 365/Entra ID. The successful registration of a device alongside gaining a session token allows for long-term unauthorized access, bypassing traditional perimeter defenses. The use of social engineering to bypass MFA highlights the continued criticality of user security awareness, even in highly federated environments.
## Mitigations
- Set up security alerts for logins using the Visual Studio Code `client_id` (`ms-vscode.vsce`).
- Block access to known phishing infrastructure URLs: `insiders[.]vscode[.]dev` and `vscode-redirect[.]azurewebsites[.]net`.
- Implement **Conditional Access Policies** to limit access to only approved and known devices.
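The first two mitigations above can be turned into a simple correlation rule: flag every sign-in that used the Visual Studio Code client identifier, and raise the severity when the same account registers a new device shortly afterwards, which is the persistence step the summary describes. The script below is an added example written for this page, not Volexity's code or Microsoft's tooling. The log records are constructed; the field names (`time`, `user`, `appId`, `deviceId`) are an assumed simplification of Entra ID sign-in and audit exports, and the `client_id` value is taken from the summary as given, so both should be checked against real tenant exports before the rule is deployed.

```python
"""Detection sketch for the OAuth client-ID abuse described in the summary.

Added example (not the report's code). All log records are constructed and
the field names are an assumed simplification of Entra ID sign-in/audit
exports; verify both against real exports before deploying.
"""
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Identifier the summary gives for the Visual Studio Code client. Treat it as a
# configurable indicator and confirm the value your tenant's logs actually show.
VSCODE_CLIENT_ID = "ms-vscode.vsce"

# Domains listed (defanged) in the summary's mitigations.
DEFANGED_HOSTS = ["insiders[.]vscode[.]dev", "vscode-redirect[.]azurewebsites[.]net"]


def refang(host):
    """Turn a defanged indicator such as 'a[.]b' back into 'a.b' for matching."""
    return host.replace("[.]", ".")


BLOCKED_HOSTS = {refang(h) for h in DEFANGED_HOSTS}

# Constructed sample sign-in events (not real log data).
SIGNINS = [
    {"time": "2025-04-10T09:01:00", "user": "analyst@example.org",
     "appId": "ms-vscode.vsce", "ip": "203.0.113.5"},
    {"time": "2025-04-10T09:30:00", "user": "analyst@example.org",
     "appId": "outlook-web", "ip": "198.51.100.7"},
    {"time": "2025-04-10T10:15:00", "user": "dev@example.org",
     "appId": "ms-vscode.vsce", "ip": "192.0.2.20"},
]

# Constructed sample audit events for device registration (not real log data).
DEVICE_REGISTRATIONS = [
    {"time": "2025-04-10T09:12:00", "user": "analyst@example.org", "deviceId": "dev-001"},
    {"time": "2025-04-11T16:00:00", "user": "dev@example.org", "deviceId": "dev-002"},
]


def _ts(value):
    return datetime.fromisoformat(value)


def find_vscode_signins(signins, client_id=VSCODE_CLIENT_ID):
    """Return every sign-in whose application id matches the VS Code client id."""
    return [event for event in signins if event.get("appId") == client_id]


def correlate_with_device_registration(signins, registrations, window_minutes=60):
    """Build alerts for VS Code client sign-ins.

    Severity is 'high' when the same user registers a device within
    window_minutes after the sign-in (the persistence pattern in the summary),
    otherwise 'medium' so the sign-in is still reviewed.
    """
    alerts = []
    for signin in find_vscode_signins(signins):
        start = _ts(signin["time"])
        end = start + timedelta(minutes=window_minutes)
        followed = [
            reg for reg in registrations
            if reg["user"] == signin["user"] and start <= _ts(reg["time"]) <= end
        ]
        alerts.append({
            "user": signin["user"],
            "signin_time": signin["time"],
            "source_ip": signin.get("ip"),
            "severity": "high" if followed else "medium",
            "devices": [reg["deviceId"] for reg in followed],
        })
    return alerts


def host_is_blocked(url):
    """True when the URL's host is on the summary's block list."""
    return urlparse(url).hostname in BLOCKED_HOSTS


if __name__ == "__main__":
    for alert in correlate_with_device_registration(SIGNINS, DEVICE_REGISTRATIONS):
        print(alert)
    print(host_is_blocked("https://insiders.vscode.dev/redirect?code=REDACTED"))
```

The one-hour window is a starting point rather than a tuned value; widen it if your audit export is delayed relative to sign-in logging. Note also that the two hosts come from the legitimate Visual Studio Code flow the summary itself describes, so a block should be tested for impact on genuine VS Code usage before it is enforced tenant-wide.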