Russian-linked threat groups UTA0352 and UTA0355 have been abusing Microsoft 365's OAuth workflows to compromise non-profit organizations' Microsoft accounts as part of targeted phishing intrusions, according to Infosecurity Magazine.
Attacks by UTA0352 involved the distribution of malicious emails purporting to be from European diplomats that included a link redirecting to an online Visual Studio Code that launches OAuth and delivers an authorization code enabling Microsoft Graph data and email access, a report from Volexity showed. On the other hand, UTA0355 leveraged a breached Ukrainian government email account to distribute fake conference invitations followed by messages on WhatsApp and other apps seeking victims' authentication, which resulted in eventual email data downloads. Organizations have been urged to not only monitor suspicious OAuth login activity and URLs redirecting to vscode-redirect[.]azurewebsites[.]net or redirects to insiders[.]vscode[.]dev but also track atypical two-factor authentication approval requests, newly registered devices, and app IDs incongruent to user email clients.
Attacks by UTA0352 involved the distribution of malicious emails purporting to be from European diplomats that included a link redirecting to an online Visual Studio Code that launches OAuth and delivers an authorization code enabling Microsoft Graph data and email access, a report from Volexity showed. On the other hand, UTA0355 leveraged a breached Ukrainian government email account to distribute fake conference invitations followed by messages on WhatsApp and other apps seeking victims' authentication, which resulted in eventual email data downloads. Organizations have been urged to not only monitor suspicious OAuth login activity and URLs redirecting to vscode-redirect[.]azurewebsites[.]net or redirects to insiders[.]vscode[.]dev but also track atypical two-factor authentication approval requests, newly registered devices, and app IDs incongruent to user email clients.
