Cybersecurity firm Volexity has detected an ongoing campaign by Russia-linked threat actors that abuses Microsoft 365’s OAuth 2.0 authorization code flow to target individuals and organizations connected to Ukraine and human rights efforts. The campaign, active since early March 2025, combines convincing social engineering with legitimate Microsoft infrastructure: victims sign in on the genuine Microsoft login page, so there is no spoofed domain or malicious attachment for traditional security controls to catch.
Two groups, tracked by Volexity as UTA0352 and UTA0355, are believed to be behind the campaigns. The attackers initiate contact through secure messaging platforms such as Signal and WhatsApp, often posing as European government officials or using compromised Ukrainian government accounts. Victims are lured into fake meetings or events under the guise of political discourse related to the Ukraine conflict.
To reach that goal, the threat actors trick victims into handing over Microsoft-generated OAuth authorization codes. The attacker then exchanges the code at Microsoft’s token endpoint for access tokens, gaining unauthorized access to the victim’s Microsoft 365 account; the code is effectively a short-lived bearer secret, and because the victim signed in on the real login page nothing looks wrong to them. In some cases the threat actor also registers a new device in the victim’s Microsoft Entra ID (formerly Azure AD) tenant and persuades the target to approve a two-factor authentication prompt, which ultimately grants access to sensitive emails and data.
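To make concrete why a pasted authorization code is enough, the following Python models the authorization code grant for a public client (an application with no client secret). This is an added illustration written for this article, not Microsoft’s implementation or anything from the Volexity report; the identity-provider host, client name, redirect URI, scope and the ten-minute code lifetime are placeholders chosen for the example.

```python
"""Toy OAuth 2.0 authorization code grant for a public client (no client secret).
Added illustration for this article, not Microsoft's code. Host, client_id,
redirect_uri, scope and the 10-minute code lifetime are placeholders/assumptions."""
import secrets
import time
from urllib.parse import urlencode


class AuthorizationServer:
    """Issues single-use authorization codes and redeems them for tokens."""

    def __init__(self):
        # Registered public clients and the redirect URIs each may use.
        self.clients = {"public-desktop-app": {"http://localhost/callback"}}
        # code -> (subject, client_id, redirect_uri, expires_at)
        self._codes = {}

    def authorize(self, subject, client_id, redirect_uri):
        """Called after the user authenticated interactively (and passed MFA).
        The code is bound to the *application* and its redirect URI, not to
        whoever will later present it."""
        if redirect_uri not in self.clients.get(client_id, set()):
            raise ValueError("unknown client or unregistered redirect_uri")
        code = secrets.token_urlsafe(32)
        self._codes[code] = (subject, client_id, redirect_uri, time.time() + 600)
        return code

    def token(self, code, client_id, redirect_uri):
        """Token endpoint. A public client has no secret to present, so anyone
        holding a valid code (victim or attacker) receives the tokens."""
        entry = self._codes.pop(code, None)          # single use
        if entry is None:
            return None
        subject, bound_client, bound_uri, expires_at = entry
        if time.time() > expires_at or client_id != bound_client or redirect_uri != bound_uri:
            return None
        return {"access_token": "at-" + secrets.token_hex(8), "sub": subject, "scope": "Mail.Read"}


def simulate_code_phish(idp=None):
    """Walk through the social-engineering flow and return what each step yields.
    Every value here is constructed for the example."""
    idp = idp or AuthorizationServer()
    client_id, redirect_uri = "public-desktop-app", "http://localhost/callback"
    victim = "victim@example.org"

    # 1. The attacker builds a genuine sign-in URL for a legitimate public client;
    #    the link points at the real identity provider, not a phishing domain.
    login_url = "https://login.idp.example/authorize?" + urlencode({
        "client_id": client_id, "redirect_uri": redirect_uri,
        "response_type": "code", "scope": "Mail.Read"})

    # 2. The victim authenticates for real and is redirected with a code.
    code = idp.authorize(victim, client_id, redirect_uri)

    # 3. The victim is talked into sending that code back to the "organizer".
    # 4. The attacker redeems it: the server cannot tell who is presenting it.
    attacker_token = idp.token(code, client_id, redirect_uri)

    # 5. A second redemption of the same code fails (single use), so the
    #    attacker has one shot and a short window in which to take it.
    replay = idp.token(code, client_id, redirect_uri)

    # Binding check: a code cannot be redeemed under a different client_id, so
    # the attacker must keep the victim on the same legitimate app it chose.
    other_code = idp.authorize(victim, client_id, redirect_uri)
    wrong_client = idp.token(other_code, "another-app", redirect_uri)

    return {"login_url": login_url, "attacker_token": attacker_token,
            "replay": replay, "wrong_client": wrong_client}


if __name__ == "__main__":
    result = simulate_code_phish()
    print("attacker obtained a token for:", result["attacker_token"]["sub"])
    print("replay:", result["replay"], "| wrong client:", result["wrong_client"])
```

The point of the model is the `token` method: nothing in the exchange authenticates the party presenting the code, only the application it was issued to. PKCE does not close this gap either, because in this scenario the attacker starts the flow and therefore holds any code verifier; the defensive levers are on the victim side (user awareness) and on the tenant side (Conditional Access restricting which applications and devices may obtain tokens, and monitoring for the device-registration pattern described later in the article).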
UTA0352 was observed impersonating representatives of the Mission of Ukraine to the EU, Bulgaria’s NATO delegation, and Romania’s EU representation, and Volexity believes Polish officials may also have been impersonated. UTA0355 uses similar tactics but is tracked separately because of differences in tradecraft: it initiated contact from legitimate (compromised) Ukrainian government email accounts, then followed up with coordinated real-time messaging to pressure victims into compliance.
“Volexity assesses with high confidence that the attacker required the victim to approve a 2FA request to access email items. In logs reviewed by Volexity, initial device registration was successful shortly after interacting with the attacker,” the report noted. “Access to email data occurred the following day, which was when UTA0355 had engineered a situation where their 2FA request would be approved. Once access was granted, logs showed the attacker downloaded the target’s email using a session tied to the newly registered device.”
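The sequence the report describes (a device registration shortly after contact, then an MFA-satisfied sign-in from that device and a mail download the next day) is something a defender can hunt for in the tenant’s own logs. The Python below is an added example for this article, not Volexity’s or Microsoft’s tooling: it correlates a handful of constructed records in a simplified Entra ID-like shape (the field names are an assumption, not the real schema) and flags mail access from a device registered for the same user within the preceding few days.

```python
"""Flag mail access from a freshly registered device. Added example for this
article, not Volexity's or Microsoft's code. Records are constructed, and the
field names are a simplified approximation of Entra ID audit/sign-in logs
(an assumption; map them to the real schema before use)."""
from datetime import datetime, timedelta

# Constructed directory audit events (device registrations).
AUDIT_EVENTS = [
    {"time": "2025-03-10T14:05:00Z", "activity": "Register device",
     "user": "analyst@ngo.example", "deviceId": "dev-9f3a"},
    {"time": "2025-03-12T09:00:00Z", "activity": "Register device",
     "user": "cfo@ngo.example", "deviceId": "dev-1111"},
]

# Constructed sign-in events; `mfa` means the sign-in satisfied an MFA requirement.
SIGN_INS = [
    {"time": "2025-03-11T10:22:00Z", "user": "analyst@ngo.example", "deviceId": "dev-9f3a",
     "app": "Office 365 Exchange Online", "mfa": True, "ip": "203.0.113.7"},
    {"time": "2025-03-12T09:30:00Z", "user": "cfo@ngo.example", "deviceId": "dev-1111",
     "app": "Microsoft Teams", "mfa": True, "ip": "198.51.100.4"},            # not a mail app
    {"time": "2025-03-20T08:00:00Z", "user": "cfo@ngo.example", "deviceId": "dev-1111",
     "app": "Office 365 Exchange Online", "mfa": True, "ip": "198.51.100.4"},  # outside the window
    {"time": "2025-03-11T11:00:00Z", "user": "analyst@ngo.example", "deviceId": "dev-old",
     "app": "Office 365 Exchange Online", "mfa": True, "ip": "192.0.2.9"},     # long-known device
]

# App/resource names that indicate mailbox access in the sign-in log (assumption).
MAIL_APPS = {"Office 365 Exchange Online", "Outlook"}


def parse_ts(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def new_device_mail_access(audit_events, sign_ins, window=timedelta(days=3)):
    """Return one alert per sign-in that (a) comes from a device registered for
    that user within `window` before the sign-in, (b) satisfied MFA and
    (c) targeted a mail application."""
    registered_at = {
        (e["user"], e["deviceId"]): parse_ts(e["time"])
        for e in audit_events if e["activity"] == "Register device"
    }
    alerts = []
    for s in sign_ins:
        reg = registered_at.get((s["user"], s["deviceId"]))
        if reg is None:
            continue                              # device was not newly registered
        t = parse_ts(s["time"])
        if not (reg <= t <= reg + window):
            continue                              # registration too old, or after the sign-in
        if s["mfa"] and s["app"] in MAIL_APPS:
            alerts.append({
                "user": s["user"], "deviceId": s["deviceId"], "ip": s["ip"],
                "registered": reg.isoformat(), "mail_access": t.isoformat(),
                "hours_after_registration": round((t - reg).total_seconds() / 3600, 1),
            })
    return alerts


if __name__ == "__main__":
    for alert in new_device_mail_access(AUDIT_EVENTS, SIGN_INS):
        print(alert)
```

On the constructed data only the analyst’s sign-in fires: the device was registered roughly twenty hours earlier, the sign-in passed MFA, and the target was the mail service. Real input for this logic comes from the Microsoft Graph `auditLogs/directoryAudits` and `auditLogs/signIns` endpoints (or their SIEM exports); the equivalent fields there, such as the device identifier under the sign-in’s `deviceDetail` and the `appDisplayName`/`resourceDisplayName` values, need to be mapped to the names used above, and the three-day window and the set of mail applications should be tuned to the tenant.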