Today's cybersecurity headlines are brought to you by ThreatPerspective


Ethical Hacking News

Microsoft 365 Account Hijacking: The Sophisticated Threat of OAuth 2.0 Abuse


Microsoft 365 account hijackers have taken advantage of vulnerabilities in OAuth 2.0 workflows, using sophisticated phishing attacks that trick employees into sharing authorization codes or clicking on malicious links. Researchers at Volexity have identified the threat actors and are advising organizations to take specific precautions to protect their Microsoft 365 accounts.

  • Researchers at Volexity identified a sophisticated threat actor exploiting vulnerabilities in Microsoft's OAuth 2.0 authentication workflows.
  • The attackers impersonate officials from European countries and make contact with victims through WhatsApp and Signal messaging platforms.
  • The attack flow involves phishing emails or messages, clicking on malicious links to collect logins and one-time access codes.
  • The attackers use Visual Studio Code to trick victims into sending authorization codes.
  • The attackers are believed to be Russian-based actors (UTA0352 and UTA0355) with medium confidence in their assessment.
  • Organizations can protect against such attacks by setting up alerts on logins, blocking access to specific URLs, and implementing conditional access policies.



    In a recent development that has cybersecurity experts scrambling to respond, researchers at Volexity have identified a sophisticated threat actor exploiting vulnerabilities in Microsoft's OAuth 2.0 authentication workflows to hijack the Microsoft 365 accounts of employees at organizations related to Ukraine and human rights. The attack, first observed in early March, has all the hallmarks of a highly organized and targeted operation.

    According to Volexity researchers, the threat actors are impersonating officials from European countries and making contact with potential victims through WhatsApp and Signal messaging platforms. Their goal is to convince the target to provide Microsoft authorization codes that grant access to their accounts or click on malicious links that collect logins and one-time access codes.

    The attack flow, as described by Volexity researchers, begins with a message over Signal or WhatsApp. In some cases, the communication comes from a compromised Ukrainian government account. The attacker then sends an OAuth phishing URL under the pretext of requiring the target to join a private video meeting to discuss Ukraine-related affairs.

    In other instances, the attackers share instructions to join the meeting in the form of a PDF file along with a malicious URL crafted to log the user into Microsoft and third-party apps that use Microsoft 365 OAuth workflows. Once the target authenticates, they are redirected to an in-browser version of Visual Studio Code, hosted at insiders.vscode.dev.

    The landing page can receive login parameters from Microsoft 365, including OAuth authorization codes that are valid for 60 days. The attackers then try to trick the victim into sending these codes back under the pretense that doing so is necessary to join the meeting. What makes this attack particularly sophisticated is that the attackers have set up Visual Studio Code so that the code is easy for the victim to extract and share.

    The researchers simplified the attack flow in their report by highlighting how a user logs in, interacts with the malicious OAuth phishing link, and ultimately receives an authorization code from Microsoft 365. The diagram illustrates how Visual Studio Code appears as a first-party application for obtaining this authorization code.

    [Diagram: simplified attack flow (sign-in, OAuth phishing link, authorization code returned via Visual Studio Code); not reproduced here]

    Because the authorization code is handed to a legitimate, Microsoft-signed first-party application, the victim sees no obvious sign of compromise; this is what makes the technique so effective.

    The attackers, tracked by Volexity researchers as UTA0352 and UTA0355, are believed to be Russian-based actors. The researchers assess this attribution with medium confidence.

    Volexity notes that this threat is related to a similar campaign observed in February 2025. That earlier campaign also relied on phishing, in that case abusing the Device Code Authentication flow, to steal Microsoft 365 accounts.

    The latest attack has significant implications for organizations with employees who use Microsoft 365 services regularly. To protect against such attacks, Volexity recommends setting up alerts on logins using Visual Studio Code client_id, blocking access to 'insiders.vscode.dev' and 'vscode-redirect.azurewebsites.net', and implementing conditional access policies to limit access to approved devices only.
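    The following script turns the three recommendations above into a detection and blocking check. It is an added example, not code from Volexity or Microsoft: it assumes Entra ID sign-in events exported as JSON lines with the fields read below, uses an all-zeros placeholder for the Visual Studio Code client_id (take the real value from your own tenant's sign-in logs), and uses constructed sample events and a constructed approved egress range.

```python
import json
from ipaddress import ip_address, ip_network
from urllib.parse import urlsplit

# Placeholder for the application (client) ID that Visual Studio Code
# presents in Entra ID sign-in logs. Replace with the value seen in your tenant.
VSCODE_CLIENT_ID = "00000000-0000-0000-0000-000000000000"

# Hosts named in the report as worth blocking at the web proxy.
BLOCKED_HOSTS = {"insiders.vscode.dev", "vscode-redirect.azurewebsites.net"}

# Constructed: the organisation's approved egress range (documentation prefix).
# A VS Code sign-in from outside it is the one worth paging someone for.
APPROVED_NETWORKS = [ip_network("203.0.113.0/24")]

# Constructed sign-in events in the shape of Entra ID sign-in log records;
# only the fields this script reads are included.
SAMPLE_SIGNINS_JSONL = """\
{"createdDateTime": "2025-03-03T09:12:44Z", "userPrincipalName": "a.user@example.org", "appId": "00000000-0000-0000-0000-000000000000", "appDisplayName": "Visual Studio Code", "ipAddress": "203.0.113.17"}
{"createdDateTime": "2025-03-03T09:40:02Z", "userPrincipalName": "b.user@example.org", "appId": "00000000-0000-0000-0000-000000000000", "appDisplayName": "Visual Studio Code", "ipAddress": "198.51.100.9"}
{"createdDateTime": "2025-03-03T10:05:19Z", "userPrincipalName": "c.user@example.org", "appId": "11111111-1111-1111-1111-111111111111", "appDisplayName": "Microsoft Teams", "ipAddress": "198.51.100.9"}
"""


def parse_signins(jsonl):
    """Parse JSON-lines sign-in records, skipping blank lines."""
    return [json.loads(line) for line in jsonl.splitlines() if line.strip()]


def from_approved_network(ip_text):
    """True if the address falls inside one of the approved egress ranges."""
    try:
        ip = ip_address(ip_text)
    except ValueError:
        return False
    return any(ip in net for net in APPROVED_NETWORKS)


def classify_signin(event):
    """Label one sign-in: 'ignore', 'notify' (VS Code from inside the
    approved range) or 'alert' (VS Code client_id from anywhere else)."""
    if event.get("appId") != VSCODE_CLIENT_ID:
        return "ignore"
    if from_approved_network(event.get("ipAddress", "")):
        return "notify"
    return "alert"


def flag_signins(events):
    """Return (user, label) for every sign-in made with the VS Code client_id."""
    flagged = []
    for event in events:
        label = classify_signin(event)
        if label != "ignore":
            flagged.append((event["userPrincipalName"], label))
    return flagged


def is_blocked_url(url):
    """Proxy-side check: exact host match against the report's block list."""
    host = (urlsplit(url).hostname or "").lower()
    return host in BLOCKED_HOSTS


if __name__ == "__main__":
    for upn, label in flag_signins(parse_signins(SAMPLE_SIGNINS_JSONL)):
        print(f"{label.upper():6} {upn}")
```

    The alert tier only fires for sign-ins made with the VS Code client_id from outside the approved range, which keeps the rule quiet for developers working from the office while still recording every such sign-in; the host check is an exact match, so the legitimate vscode.dev site is not caught by it. A conditional access policy restricting these sign-ins to compliant devices is the preventive counterpart and is configured in the tenant rather than in code.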

    In a broader context, this attack highlights the ongoing cat-and-mouse battle between threat actors seeking to exploit weaknesses in complex systems like Microsoft 365 and the defenders who protect them. As these systems become more sophisticated, so too do the methods attackers use to breach them.

    The security landscape is constantly evolving as new threats emerge and existing ones are adapted or abandoned. It's a reminder for organizations to stay vigilant and adapt their security measures accordingly to remain protected against such threats.



    Related Information:
  • https://www.ethicalhackingnews.com/articles/Microsoft-365-Account-Hijacking-The-Sophisticated-Threat-of-OAuth-20-Abuse-ehn.shtml

  • https://www.bleepingcomputer.com/news/security/hackers-abuse-oauth-20-workflows-to-hijack-microsoft-365-accounts/

  • https://undercodenews.com/russian-cyberattack-campaigns-exploit-oauth-20-to-hijack-microsoft-365-accounts/


  • Published: Thu Apr 24 16:27:57 2025 by llama3.2 3B Q4_K_M

    © Ethical Hacking News. All rights reserved.