Full Report
Since early March 2025, multiple suspected Russia-linked threat actors have been "aggressively" targeting individuals and organizations with ties to Ukraine and human rights in order to gain unauthorized access to Microsoft 365 accounts. The highly targeted social engineering operations, per Volexity, are a shift from previously documented attacks that leveraged a technique known as device code
Analysis Summary
# Threat Actor: UTA0352 and UTA0355 (Suspected Russia-linked)
## Attribution & Identity
* **Attribution:** Suspected Russia-linked threat actors.
* **Aliases/Associated Groups:** At least two distinct clusters, **UTA0352** and **UTA0355**, were observed. A relationship to APT29, UTA0304, and UTA0307 has not been ruled out.
## Activity Summary
Threat actors have been "aggressively" targeting individuals and organizations linked to Ukraine and human rights advocacy since early March 2025. The operations utilize highly targeted social engineering to gain unauthorized access to Microsoft 365 accounts.
* **UTA0352:** Focuses on convincing victims to click links that redirect to official Microsoft 365 login portals, leading the user to authenticate and share a Microsoft-generated OAuth code. The process often involves redirecting the authenticated session to an in-browser Visual Studio Code interface (`insiders.vscode[.]dev`) where the token is displayed for the actor to obtain. An older variation redirected users to `vscode-redirect.azurewebsites[.]net`, which resolved to localhost, requiring the victim to share the entire URL containing the code.
* **UTA0355:** Similar to UTA0352 but uses a compromised Ukrainian Government email account to send spear-phishing emails, followed by contact via Signal/WhatsApp regarding conferences on Ukrainian investment/atrocity crimes. After obtaining the OAuth authorization code, UTA0355 registers a new, persistent device to the victim's Microsoft Entra ID. The actor then executes a second social engineering phase to trick the victim into approving a subsequent 2FA prompt, purportedly to "gain access to a SharePoint instance," allowing full account takeover.
## Tactics, Techniques & Procedures
- **Impersonation:** Impersonating officials from various European nations.
- **Social Engineering:** Heavy reliance on one-on-one interaction via messaging apps (Signal, WhatsApp) to build trust and convince targets to click links and share sensitive codes.
- **Credential/MFA Bypass:** Abusing legitimate Microsoft OAuth 2.0 authentication workflows (Microsoft first-party applications) to acquire authorization codes.
- **Code Collection Methods:** Presenting the OAuth code in the URI after redirecting to the Visual Studio Code web interface, or requiring the victim to share the full URL from a blank page (older iteration).
- **Persistence:** UTA0355 specifically registered a new device to the victim's Entra ID post-authentication.
- **MFA Approval Solicitation:** UTA0355 specifically engineered a social engineering step to harvest a live 2FA approval.
- **Infrastructure Use:** All user interactions take place strictly on Microsoft’s official infrastructure; no attacker-hosted infrastructure was observed for the primary phishing/token collection phases.
## Targeting
* **Sectors:** Individuals and organizations with ties to Ukraine and human rights advocacy.
* **Geography:** Likely targeting entities operating within or related to European nations and Ukraine.
* **Victims:** Individuals who interact with figures/events related to Ukrainian political or legal matters.
## Tools & Infrastructure
* **Malware Families Used:** Not explicitly mentioned, but the methodology relies on abusing native Microsoft systems.
* **Infrastructure (C2, domains, IPs):**
    * Redirects used official Microsoft 365 infrastructure.
    * `insiders.vscode[.]dev` (used to display the token).
    * `vscode-redirect.azurewebsites[.]net` (observed in an older iteration).
    * `127.0.0.1` (observed in an older iteration directing back to localhost).
## Implications
These campaigns represent a sophisticated evolution in Russia-linked threat actor tradecraft. By exclusively leveraging legitimate Microsoft OAuth 2.0 workflows and first-party applications (which are pre-approved), the attacks bypass the security controls that typically flag attacker-controlled OAuth applications or external infrastructure. This makes detection and prevention significantly more difficult for organizations that rely on standard OAuth protection mechanisms. The shift emphasizes high-touch social engineering over automated phishing.
## Mitigations
- Audit and review newly registered devices within Microsoft Entra ID (Azure AD).
- Implement strict Conditional Access policies that restrict resource access to only approved or managed devices.
- Increase user education regarding unsolicited contacts (Signal/WhatsApp) purporting to represent officials, particularly when requests involve sharing verification or authorization codes.
- Monitor for unusual device registration activities following initial authentication attempts.
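The persistence step described under Tactics, Techniques & Procedures (UTA0355 registering a new device after the victim's sign-in) and the last two mitigations above point at the same detection: a device registration that lands shortly after a successful interactive sign-in but is initiated from a different IP address than that sign-in. The following is an added example, not code from the report or from Volexity. It correlates constructed sign-in and audit events; the field names (`time`, `user`, `app`, `ip`, `result`, `activity`, `target_user`, `initiator_ip`, `device`) are a simplified, assumed shape of Entra ID sign-in and audit log exports rather than Microsoft's exact schema, and the two-hour window is an assumed tuning value.

```python
"""Flag Entra ID device registrations that follow a successful sign-in by the
same user within a short window but are initiated from a different IP.

Hypothetical example. The JSON field names below are an assumed, simplified
shape of Entra ID SignInLogs / AuditLogs exports, not the exact Microsoft schema.
"""
import json
from datetime import datetime, timedelta

# Constructed sample events (not from any real tenant). Alice signs in to a
# first-party app from one address; forty minutes later a device is registered
# to her account from a different address. Bob registers from the same address
# he signed in from. Carol's only sign-in in the window failed.
SIGNIN_LOG_LINES = [
    '{"time":"2025-03-12T09:00:00Z","user":"alice@example.org","app":"Visual Studio Code","ip":"203.0.113.10","result":"success"}',
    '{"time":"2025-03-12T09:10:00Z","user":"bob@example.org","app":"Office 365","ip":"198.51.100.5","result":"success"}',
    '{"time":"2025-03-12T08:00:00Z","user":"carol@example.org","app":"Office 365","ip":"198.51.100.7","result":"failure"}',
]
AUDIT_LOG_LINES = [
    '{"time":"2025-03-12T09:40:00Z","activity":"Register device","target_user":"alice@example.org","initiator_ip":"192.0.2.77","device":"DESKTOP-X1"}',
    '{"time":"2025-03-12T09:30:00Z","activity":"Register device","target_user":"bob@example.org","initiator_ip":"198.51.100.5","device":"LAPTOP-B2"}',
    '{"time":"2025-03-12T15:00:00Z","activity":"Register device","target_user":"carol@example.org","initiator_ip":"192.0.2.78","device":"DESKTOP-C3"}',
]

# Assumed tuning value: how long after a sign-in a registration is still "linked" to it.
WINDOW = timedelta(hours=2)


def parse_time(value):
    """Parse an ISO-8601 UTC timestamp with a trailing 'Z'."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def load_events(lines):
    """Parse one JSON object per line into a list of dicts."""
    return [json.loads(line) for line in lines]


def correlate_device_registrations(signins, audits, window=WINDOW):
    """Return one alert per 'Register device' audit event that occurs within
    `window` after a successful sign-in by the same user and is initiated from
    an IP different from that sign-in's IP."""
    successful_by_user = {}
    for event in signins:
        if event["result"] == "success":
            successful_by_user.setdefault(event["user"], []).append(event)

    alerts = []
    for registration in audits:
        if registration["activity"] != "Register device":
            continue
        reg_time = parse_time(registration["time"])
        for signin in successful_by_user.get(registration["target_user"], []):
            signin_time = parse_time(signin["time"])
            in_window = signin_time <= reg_time <= signin_time + window
            if in_window and signin["ip"] != registration["initiator_ip"]:
                alerts.append({
                    "user": registration["target_user"],
                    "device": registration["device"],
                    "signin_app": signin["app"],
                    "signin_ip": signin["ip"],
                    "registration_ip": registration["initiator_ip"],
                    "minutes_after_signin": int((reg_time - signin_time).total_seconds() // 60),
                })
                break  # one alert per registration is enough
    return alerts


def run_sample():
    """Run the correlation over the constructed sample events."""
    return correlate_device_registrations(load_events(SIGNIN_LOG_LINES),
                                          load_events(AUDIT_LOG_LINES))


if __name__ == "__main__":
    for alert in run_sample():
        print(json.dumps(alert))
```

Only Alice's registration is flagged: Bob's comes from the same address as his sign-in, and Carol's has no successful sign-in inside the window. In a real tenant the IP comparison is a first cut; registrations whose initiator address has never been seen for that user, or whose preceding sign-in was to a first-party client the organization does not normally use, are the ones to review first.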