Since early March 2025, multiple Russia-linked cyber threat groups have launched highly targeted attacks aiming to gain unauthorized access to Microsoft 365 accounts belonging to individuals and organizations aligned with Ukraine and human rights efforts. According to cybersecurity firm Volexity, these operations mark a shift from previously known techniques like device code phishing, as threat actors refine their methods to stay undetected.
The latest campaigns rely on advanced social engineering, particularly through one-on-one interactions over messaging apps like Signal and WhatsApp. Victims are approached under the guise of European officials inviting them to video calls or private meetings regarding Ukraine-related matters. These attackers impersonate credible figures and send victims links that appear to be legitimate Microsoft 365 login pages.
The core of the attack abuses Microsoft’s OAuth 2.0 authentication flow. Victims are tricked into providing Microsoft-generated authorization codes, which the hackers then use to gain access to their accounts. Two threat clusters, UTA0352 and UTA0355, are suspected to be responsible. Notably, UTA0355 used a compromised Ukrainian government email address to enhance credibility.
The hackers cleverly use Microsoft’s own infrastructure—such as redirecting victims to Visual Studio Code online (insiders.vscode[.]dev) or spoofed redirect URLs like vscode-redirect.azurewebsites[.]net—to extract the authorization tokens. In some cases, they register new devices to the victim’s Microsoft Entra ID (formerly Azure AD) and follow up with a second wave of deception to bypass two-factor authentication (2FA), enabling full account takeover.
To avoid detection, attackers route their activity through proxy networks that mimic the target’s geolocation. Since the entire interaction leverages official Microsoft URLs and applications, traditional security tools often fail to flag the behavior as malicious.
Mitigation Recommendations:
- Audit newly registered devices regularly
- Train users to be cautious of unsolicited messages on messaging platforms
- Enforce conditional access policies that limit account access to approved devices
As Volexity warns, the use of trusted Microsoft infrastructure without attacker-controlled components makes these campaigns particularly challenging to detect and prevent.