Volexity researchers have uncovered a series of sophisticated spear-phishing and social-engineering campaigns conducted by Russian threat actors. The campaigns involve a method known as Device Code Authentication phishing used to compromise Microsoft 365 (M365) accounts.
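Device code phishing leaves a distinctive trace: the resulting sign-in is completed through the OAuth device authorization flow rather than an interactive browser login, and in Entra ID sign-in logs the `authenticationProtocol` field records this as `deviceCode`. The script below is an added example, not code from Volexity or Microsoft, that scans a small set of constructed sign-in events for device code logins and flags those coming from an address the user has never signed in from before. The event shape is loosely modelled on the Microsoft Graph `signIn` resource; the exact field names used here and the baseline of known addresses are assumptions for the example.

```python
import json
from collections import defaultdict

# Constructed sample sign-in events (not from the report). Only
# "authenticationProtocol" is taken from the Graph signIn schema; the rest of
# the layout is an assumption made for this example.
SAMPLE_SIGNINS = json.dumps([
    {"userPrincipalName": "alice@example.org", "authenticationProtocol": "none",
     "ipAddress": "203.0.113.10", "clientAppUsed": "Browser"},
    {"userPrincipalName": "alice@example.org", "authenticationProtocol": "deviceCode",
     "ipAddress": "203.0.113.10", "clientAppUsed": "Mobile Apps and Desktop clients"},
    {"userPrincipalName": "bob@example.org", "authenticationProtocol": "deviceCode",
     "ipAddress": "198.51.100.77", "clientAppUsed": "Mobile Apps and Desktop clients"},
    {"userPrincipalName": "carol@example.org", "authenticationProtocol": "oAuth2",
     "ipAddress": "192.0.2.5", "clientAppUsed": "Browser"},
])

# Assumed baseline: addresses each user has signed in from over the last 30 days.
KNOWN_IPS_BY_USER = {
    "alice@example.org": {"203.0.113.10"},
    "bob@example.org": {"192.0.2.44"},
    "carol@example.org": {"192.0.2.5"},
}


def parse_signins(raw: str) -> list[dict]:
    """Parse an exported JSON array of sign-in events."""
    events = json.loads(raw)
    if not isinstance(events, list):
        raise ValueError("expected a JSON array of sign-in events")
    return events


def device_code_signins(events: list[dict]) -> list[dict]:
    """Return only the events that completed via the device code flow."""
    return [e for e in events if e.get("authenticationProtocol") == "deviceCode"]


def flag_suspicious(events: list[dict], known_ips_by_user: dict[str, set[str]]) -> list[dict]:
    """Flag device code sign-ins whose source address is new for that user.

    A device code login from a familiar address may be a legitimate CLI or
    IoT enrolment; one from an address the user has never used is the pattern
    a phishing-completed flow produces and deserves a closer look.
    """
    flagged = []
    for event in device_code_signins(events):
        user = event.get("userPrincipalName", "")
        ip = event.get("ipAddress", "")
        if ip not in known_ips_by_user.get(user, set()):
            flagged.append({"user": user, "ipAddress": ip,
                            "reason": "device code sign-in from previously unseen address"})
    return flagged


def summarize_by_user(events: list[dict]) -> dict[str, int]:
    """Count device code sign-ins per user, useful for spotting bursts."""
    counts: dict[str, int] = defaultdict(int)
    for event in device_code_signins(events):
        counts[event.get("userPrincipalName", "")] += 1
    return dict(counts)


if __name__ == "__main__":
    signins = parse_signins(SAMPLE_SIGNINS)
    for hit in flag_suspicious(signins, KNOWN_IPS_BY_USER):
        print(hit)
    print(summarize_by_user(signins))
```

Alongside detection, tenants that do not need the device code flow can block it outright with a Conditional Access policy targeting the device code authentication flow, which removes the phishing vector rather than only observing it.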
The attacks began in mid-January 2025 and were focused on politically charged themes, particularly around the new US administration and global political shifts.
The Russian threat actors leveraged social engineering techniques to impersonate individuals from prominent institutions, including officials from the United States Department of State, the Ukrainian Ministry of Defense, and the European Union Parliament. Additionally, prominent research institutions were targeted as part of this operation.
The phishing attempts were carried out through a variety of methods, but the majority were executed via spear-phishing emails that disguised themselves with a range of politically themed messages. In some cases, attackers extended their outreach using encrypted messaging platforms such as Signal, aiming to create a more personal and convincing approach.
In one instance, the attacker first contacted the victim on Signal, posing as a member of the Ukrainian Ministry of Defense. They then persuaded the victim to move to a different secure chat platform, Element, where the attacker controlled a server under the domain sen-comms[.]com. Through real-time communication, the attacker convinced the victim to click a link in an email that appeared to invite them to a secure chat. This email was a phishing attempt, designed to grant the attacker access to the victim's account.
The attackers' goal was to lure targets into handing over access to their accounts by inviting them to various online activities: joining a Microsoft Teams meeting or video conference, granting external access to M365 applications and data, or entering secure chatrooms or channels within private messaging platforms.
Once the attackers successfully gained access to M365 accounts, they entered the post-exploitation phase, which exhibited several unique traits depending on the victim organization. The attackers employed varying techniques to extract valuable data, including the use of scripts and native applications, and used different infrastructures to manage the stolen credentials.
Volexity has high confidence that the observed operations are being carried out by Russia-based threat actors, and it is currently tracking the activities under three distinct threat groups. One of these groups is suspected to be CozyLarch, a known Russian threat actor that overlaps with groups such as DarkHalo, APT29, Midnight Blizzard, and CozyDuke.
The remaining campaigns are attributed to UTA0304 and UTA0307. While there are clear similarities in the targeting, timing, and attack methodology, Volexity notes that other distinguishing components of the operations suggest the involvement of separate entities, though it is still possible that a single actor is behind all the activities.
Last week, Microsoft detailed a similar campaign by a threat actor identified as Storm-2372. The threat actor is targeting a wide range of sectors, including governments, NGOs, IT, defense, telecoms, healthcare, education, and energy, across Europe, North America, Africa, and the Middle East. Microsoft assesses with medium confidence that Storm-2372 has connections to Russian interests based on its victim selection and methods.