
Unauthorized individuals are phishing OAuth codes to gain control of Microsoft 365 accounts


Volexity researchers have identified suspected Russian threat actors using OAuth-based phishing to gain access to Microsoft 365 (M365) accounts. The attacks work by persuading victims to hand over Microsoft-generated OAuth authorization codes, which the attackers then redeem for access to the victims’ accounts. Once in, the threat actors can join devices they control to the victim’s Entra ID (formerly Azure AD) tenant and retrieve emails and other sensitive data.

The modus operandi of these attacks relies on direct interaction with the target, since the threat actors must persuade the victim to click a link and send back a Microsoft-generated code. In recent campaigns, the attackers posed as officials from European nations and Ukraine, contacting victims via messaging apps such as Signal or WhatsApp and inviting them to join a video call, ostensibly to discuss the war in Ukraine.

Once the victim responded, the attackers sent a link that supposedly allowed them to join the video call. The link led to a genuine Microsoft login page, where the victim signed in with their M365 credentials. Microsoft then presented the victim with an OAuth code or a specific URL containing it, which the attacker asked the victim to send back. With this code or URL in hand, the attacker could gain unauthorized access to the victim’s Microsoft 365 account and retrieve confidential information.

Various iterations of the attack were observed by the researchers, each emphasizing the use of social engineering to deceive targets into disclosing sensitive information. In one instance, the victim was also asked to approve a two-factor authentication request after the attacker registered their device to the victim’s Microsoft Entra ID tenant.
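As an added illustration of the pattern described above (this is not code from the article or from Volexity), the following Python heuristic runs over constructed, simplified sign-in records and flags a device registration or mailbox access whose source IP matches no recent interactive sign-in by the same user. The record format, field names and event kinds are assumptions for the example, not Entra ID’s actual log schema.

```python
# Added example: heuristic over constructed sign-in records. Field names,
# event kinds and the line format are assumptions, not Entra ID's real schema.
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass
class Event:
    ts: datetime
    user: str
    kind: str   # interactive_signin | device_registration | mfa_approval | mail_access
    ip: str

def parse_line(line: str) -> Event:
    """Parse a constructed 'ISO-timestamp user kind ip' record."""
    ts, user, kind, ip = line.split()
    return Event(datetime.fromisoformat(ts.replace("Z", "+00:00")), user, kind, ip)

# Actions that, in the article's scenario, the attacker performs after
# redeeming the phished authorization code.
POST_AUTH_KINDS = {"device_registration", "mail_access"}

def flag_origin_mismatch(lines, window_hours: float = 2.0):
    """Return post-auth events whose source IP matches no interactive sign-in
    by the same user within the preceding window, as (ts, user, kind, ip)."""
    events = sorted((parse_line(l) for l in lines if l.strip()), key=lambda e: e.ts)
    window = timedelta(hours=window_hours)
    hits = []
    for ev in events:
        if ev.kind not in POST_AUTH_KINDS:
            continue
        matched = any(
            o.user == ev.user and o.kind == "interactive_signin"
            and o.ip == ev.ip and timedelta(0) <= ev.ts - o.ts <= window
            for o in events
        )
        if not matched:
            hits.append((ev.ts.isoformat(), ev.user, ev.kind, ev.ip))
    return hits

# Constructed sample: alice signs in from her own IP, but the device
# registration and mail access come from another origin (the attacker's);
# the MFA approval still comes from alice. bob is a benign baseline.
SAMPLE_LOG = """\
2025-04-20T09:01:10Z alice@example.org interactive_signin 203.0.113.10
2025-04-20T09:03:45Z alice@example.org device_registration 198.51.100.7
2025-04-20T09:04:02Z alice@example.org mfa_approval 203.0.113.10
2025-04-20T09:06:30Z alice@example.org mail_access 198.51.100.7
2025-04-20T10:00:00Z bob@example.org interactive_signin 192.0.2.44
2025-04-20T10:05:00Z bob@example.org device_registration 192.0.2.44
"""

if __name__ == "__main__":
    for hit in flag_origin_mismatch(SAMPLE_LOG.splitlines()):
        print("SUSPICIOUS", *hit)
```

Real sign-in telemetry carries richer context (client application, device identity, ASN) that should replace the bare IP comparison used here.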

Although the specific government-sponsored hacking groups behind these campaigns remain unidentified, Volexity suspects potential connections with previous Device Code Authentication phishing campaigns. The targets, tactics, and the likelihood of Russian threat actor involvement suggest a correlation between the two.

It is noteworthy that these recent campaigns leverage Microsoft’s official infrastructure for all user interactions, eliminating the need for attacker-controlled infrastructure. Moreover, the absence of malicious or attacker-controlled OAuth applications complicates detection and prevention efforts, making it challenging for organizations to defend against such attacks effectively.

Volexity has published guidance on detecting and mitigating these attacks, although resource-constrained organizations may find some of the recommendations difficult to implement. As organizations work to safeguard their data, staying informed and proactive about such techniques remains essential to reducing the risk posed by sophisticated threat actors.
