Ukraine-linked nongovernmental organizations have been targeted by Russian threat actors UTA0352 and UTA0355 in intrusions exploiting the OAuth protocol to compromise Microsoft 365 accounts, reports The Record, a news site by cybersecurity firm Recorded Future.
The attacks, which were first identified last month, began with phishing attempts luring targets into joining a video call about the ongoing conflict in Ukraine. The link to the call generated an OAuth code, which the hackers sought in order to generate another token enabling Microsoft 365 access, according to a report from Volexity. Although not associated with Russian advanced persistent threat operations, UTA0352 and UTA0355 were found by Volexity researchers to overlap with other threat actors who sought to infiltrate Microsoft 365 accounts. "Organizations should train users to be highly vigilant when it comes to unsolicited contact, especially if it arrives via secure messaging apps and request that users click links or open attachments," said Volexity.