Increasing Threats to Microsoft 365 Accounts Linked to Russian Hackers
Since early March 2025, threat actors believed to be Russian have been running a social engineering campaign against individuals and organizations tied to Ukraine, with the goal of breaking into their Microsoft 365 accounts. According to the security firm Volexity, which investigated the activity, the campaign marks a shift from earlier operations by the same actors that relied on device code phishing, suggesting they are adjusting their tradecraft to stay ahead of detection.
What sets these attacks apart is the amount of direct, personalized contact with each victim. The Volexity researchers (Charlie Gardner, Josh Duke, Matthew Meltzer, Sean Koessel, Steven Adair, and Tom Lancaster) note that the attackers must persuade each target to click a link and then to hand back the Microsoft-generated OAuth authorization code that appears after sign-in. That is a departure from the device code phishing the actors used before, and it reflects a deliberate effort to stay under the radar.
Volexity tracks the activity as two clusters, UTA0352 and UTA0355. Possible overlaps with other groups, including APT29 and the clusters tracked as UTA0304 and UTA0307, are still being assessed; the report concentrates on UTA0352 and UTA0355 as the actors behind the latest wave.
The lures rely on convincing impersonations of European government officials, which makes them hard to spot. In one case the attackers used a compromised account belonging to a Ukrainian government entity to ask victims for Microsoft OAuth authorization codes, which they then used to gain access to the victims' accounts. Because the request comes from a real account and the code comes from a real Microsoft login, there is little for conventional filtering to catch.
To lure victims into their trap, the attackers have turned to popular messaging applications like Signal and WhatsApp. By inviting targets to discussions related to upcoming European political events or meetings centered on Ukraine, they aim to manipulate victims into engaging further. The researchers observed that once victims expressed interest, discussions quickly escalated toward scheduling these purported meetings.
As the meeting time approached, the attackers got back in touch with detailed instructions for joining the call. Those instructions contained links that really did lead to the official Microsoft 365 login portal. The danger was not the destination but what the link was set up to do after a successful sign-in: the resulting OAuth authorization code was exposed to the victim in a way the attackers could harvest, allowing them to take over the account through an entirely legitimate authentication flow.
The mechanics are simple but effective. The victim was told to open a link that would display an authorization code, which they were then asked to share. After authenticating, the victim was redirected to a Microsoft-hosted, in-browser version of Visual Studio Code, where the OAuth authorization code was displayed on the page. Once the victim passed that code along, the attackers exchanged it for an access token at Microsoft's token endpoint and could use the Microsoft 365 account as the victim. Nothing in the victim's browser looked out of place, since every page involved was a genuine Microsoft one.
Volexity also found earlier variants in which targets were sent to websites that passed them through several redirects before reaching the same result. The use of trusted platforms at each hop is deliberate: it hides the attackers' intent and sidesteps defenses that key on suspicious domains.
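To make the handoff concrete, here is an added example (not code from the page, from Volexity or from Microsoft) that models the flow above with a small in-memory OAuth 2.0 authorization server. It makes no network calls. It shows why a code pasted by the victim is all the attacker needs: the client is a public client with no secret, the code is bound only to the client ID and redirect URI, and PKCE offers no protection here because the attacker built the link and therefore chose the code_verifier. The client ID, redirect URI, user name and code lifetime are placeholder assumptions, not values from the page.

```python
"""Toy model of the OAuth authorization-code handoff. Added example, not the
page's or Volexity's code. The identity provider is simulated in memory;
client IDs, URLs and the code lifetime are placeholder assumptions."""
import base64
import hashlib
import secrets
from dataclasses import dataclass
from typing import Optional
from urllib.parse import parse_qs, urlencode, urlparse

CODE_LIFETIME_SECONDS = 600  # codes are short-lived and single-use (RFC 6749 s4.1.2)


def pkce_challenge(verifier: str) -> str:
    """S256 method: BASE64URL(SHA256(verifier)), padding stripped (RFC 7636)."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


@dataclass
class IssuedCode:
    client_id: str
    redirect_uri: str
    subject: str
    code_challenge: Optional[str]
    issued_at: float
    used: bool = False


class ToyAuthorizationServer:
    """In-memory stand-in for an identity provider's authorize and token endpoints."""

    def __init__(self):
        self.public_clients = {}  # client_id -> set of registered redirect URIs
        self.codes = {}           # code -> IssuedCode

    def register_public_client(self, client_id, redirect_uris):
        self.public_clients[client_id] = set(redirect_uris)

    def authorize(self, client_id, redirect_uri, subject, now, code_challenge=None, state=None):
        """Runs after the user authenticated interactively (password, MFA, ...).
        Returns the redirect URL the browser is sent to; the code rides in its query."""
        if redirect_uri not in self.public_clients.get(client_id, set()):
            raise PermissionError("redirect_uri not registered for this client")
        code = secrets.token_urlsafe(24)
        self.codes[code] = IssuedCode(client_id, redirect_uri, subject, code_challenge, now)
        params = {"code": code, **({"state": state} if state else {})}
        return f"{redirect_uri}?{urlencode(params)}"

    def token(self, client_id, redirect_uri, code, now, code_verifier=None):
        """Redeems a code. Note what is NOT checked: who is calling. A public client
        has no secret, so anyone holding a fresh code for this client_id/redirect_uri
        pair can redeem it, which is exactly the attacker's position."""
        issued = self.codes.get(code)
        if issued is None or issued.used:
            raise PermissionError("invalid or already-used code")
        if now - issued.issued_at > CODE_LIFETIME_SECONDS:
            raise PermissionError("code expired")
        if (issued.client_id, issued.redirect_uri) != (client_id, redirect_uri):
            raise PermissionError("client_id/redirect_uri mismatch")
        if issued.code_challenge is not None and (
            code_verifier is None or pkce_challenge(code_verifier) != issued.code_challenge
        ):
            raise PermissionError("PKCE verification failed")
        issued.used = True
        return {"access_token": "tok-" + secrets.token_hex(8), "sub": issued.subject}


def simulate_phished_code(now=1_700_000_000.0):
    """Attacker builds the link, victim signs in and pastes back the code, attacker
    redeems it. Returns what happened at each step."""
    idp = ToyAuthorizationServer()
    # Assumed: a first-party public client whose registered redirect URI is a page
    # that simply shows the code to the user (placeholder values).
    client_id, redirect_uri = "public-client-placeholder", "https://redirect.example/show-code"
    idp.register_public_client(client_id, [redirect_uri])
    # Attacker crafts the lure: a genuine authorize request carrying a PKCE challenge
    # whose verifier only the attacker knows.
    attacker_verifier = secrets.token_urlsafe(32)
    landing = idp.authorize(client_id, redirect_uri, "victim@example.org", now,
                            code_challenge=pkce_challenge(attacker_verifier), state="join")
    code = parse_qs(urlparse(landing).query)["code"][0]  # what the victim is asked to send
    # Attacker redeems the pasted code a minute later; PKCE passes because the
    # attacker chose the verifier. A second redemption fails: codes are single-use.
    token = idp.token(client_id, redirect_uri, code, now + 60, code_verifier=attacker_verifier)
    try:
        idp.token(client_id, redirect_uri, code, now + 61, code_verifier=attacker_verifier)
        reuse_rejected = False
    except PermissionError:
        reuse_rejected = True
    return {"token_subject": token["sub"], "landing_host": urlparse(landing).netloc,
            "reuse_rejected": reuse_rejected}
```

The point to take from the model is that the token endpoint validates the code, the client, the redirect URI and the PKCE proof, and all of those are satisfied by the attacker who crafted the link; the only protections that remain are the short code lifetime and single use, which is why the operators had to be on the line with the victim at the moment the code appeared.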
In a separate operation conducted in early April 2025, the UTA0355 group utilized an already compromised email account from the Ukrainian government to send malicious emails. Following up through messaging apps, they invited targets to participate in discussions about significant topics, such as Ukraine’s prosecution of atrocities and international collaboration.
All of the operations share the same goal, unauthorized access to the victims' email, but UTA0355 added a further step. Using the hijacked OAuth authorization codes, they registered new devices in the victims' Microsoft Entra ID tenant, giving themselves persistent access that does not depend on a single token staying valid.
The operational security is also careful: sign-ins and device registrations came from proxies located in the victims' own geographic regions, so location-based anomaly detection sees nothing unusual. A country-level impossible-travel check would not fire against this activity, and the attackers stay hard to attribute.
The researchers recommend that organizations audit newly registered devices in Entra ID and train users to treat unsolicited contact on messaging platforms with suspicion. Conditional access policies that restrict access to organizational resources to approved (compliant or hybrid-joined) devices are also important, since they raise the bar well beyond a stolen token and a self-registered device.
Volexity points out that these attacks are hard to block because every step runs on Microsoft's own infrastructure: the login page, the redirect target and the token exchange are all legitimate Microsoft services. Defenses that rely on blocking untrusted domains or applications have nothing to act on, which leaves organizations exposed unless they examine the behaviour that follows the sign-in.
In short, the campaigns attributed to these Russian groups are becoming more aggressive and more refined. As the actors continue to adjust their methods, sustained vigilance and proactive controls around Microsoft 365 authentication are essential to protect users and the data they hold.
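The following is an added example (not code from the page, from Volexity or from Microsoft) that turns the advice to audit newly registered devices, and the caveat about region-matched proxies, into a check a defender could run over exported sign-in and audit data. The records below are constructed for the example and use a simplified, assumed schema rather than the exact Entra ID Graph API field names; the application name, IP addresses and user names are placeholders. The correlation logic is the point: a device registered shortly after a user's first-ever sign-in through an application they have never used, from an IP address they have never used, deserves a look even when the country matches the user's baseline.

```python
"""Correlate device registrations with the sign-ins that preceded them.
Added example, not the page's or Volexity's code. Records are constructed and
use a reduced, assumed schema (not the exact Entra ID log field names)."""
from datetime import datetime, timedelta, timezone


def ts(s):
    """Parse the ISO timestamps used in the constructed records as UTC."""
    return datetime.fromisoformat(s).replace(tzinfo=timezone.utc)


# Constructed sign-in history (not real log data). alice's last entry is the
# interactive sign-in that minted the phished code; bob's day is ordinary.
SIGN_INS = [
    {"time": "2025-03-01T08:00:00", "user": "alice@example.org", "app": "Outlook", "ip": "203.0.113.10", "country": "UA"},
    {"time": "2025-03-12T09:15:00", "user": "alice@example.org", "app": "Teams", "ip": "203.0.113.10", "country": "UA"},
    {"time": "2025-04-02T10:02:00", "user": "alice@example.org", "app": "Visual Studio Code", "ip": "198.51.100.77", "country": "UA"},
    {"time": "2025-03-03T08:00:00", "user": "bob@example.org", "app": "Outlook", "ip": "203.0.113.20", "country": "UA"},
    {"time": "2025-03-03T08:10:00", "user": "bob@example.org", "app": "Company Portal", "ip": "203.0.113.20", "country": "UA"},
    {"time": "2025-04-02T08:30:00", "user": "bob@example.org", "app": "Company Portal", "ip": "203.0.113.20", "country": "UA"},
]

# Constructed audit events for device registration (not real log data).
DEVICE_REGISTRATIONS = [
    {"time": "2025-04-02T10:20:00", "user": "alice@example.org", "device": "DESKTOP-7H2K", "ip": "198.51.100.77", "country": "UA"},
    {"time": "2025-04-02T08:45:00", "user": "bob@example.org", "device": "LAPTOP-BOB", "ip": "203.0.113.20", "country": "UA"},
]


def review_device_registrations(sign_ins, registrations, lookback=timedelta(hours=24)):
    """For each registration, build the user's baseline from sign-ins older than
    `lookback` and compare the recent window against it. Returns the findings."""
    findings = []
    for reg in registrations:
        reg_time = ts(reg["time"])
        history = [s for s in sign_ins if s["user"] == reg["user"] and ts(s["time"]) <= reg_time]
        recent = [s for s in history if reg_time - ts(s["time"]) <= lookback]
        older = [s for s in history if reg_time - ts(s["time"]) > lookback]
        known_apps = {s["app"] for s in older}
        known_ips = {s["ip"] for s in older}
        known_countries = {s["country"] for s in older}
        reasons = []
        # A never-before-seen application in the window before the registration is the
        # footprint of the OAuth code being redeemed through a client the user never chose.
        for s in recent:
            if s["app"] not in known_apps:
                minutes = int((reg_time - ts(s["time"])).total_seconds() // 60)
                reasons.append(f"first sign-in via '{s['app']}' {minutes} min before registration")
                break
        # The proxy sits in the victim's region but not on the victim's usual address.
        if reg["ip"] not in known_ips:
            reasons.append(f"registration from unseen IP {reg['ip']}")
        if reasons:
            findings.append({
                "user": reg["user"],
                "device": reg["device"],
                "reasons": reasons,
                # Reported, not used as a trigger: country will usually match.
                "country_matches_baseline": reg["country"] in known_countries,
            })
    return findings


if __name__ == "__main__":
    for f in review_device_registrations(SIGN_INS, DEVICE_REGISTRATIONS):
        print(f["user"], f["device"], "; ".join(f["reasons"]),
              "(country matches baseline)" if f["country_matches_baseline"] else "")
```

In production the two inputs would come from the Entra ID sign-in log and the directory audit log's device registration events, and the "app" field corresponds to the application that initiated the sign-in. The country comparison is deliberately reported rather than used as a trigger, because, as the page notes, the registration will often geolocate to the victim's own region; the application and IP novelty are what carry the signal.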