Russian cyber threat groups, tracked as UTA0352 and UTA0355, have been observed exploiting OAuth 2.0 authentication workflows to compromise Microsoft 365 accounts of employees working with Ukraine-related and human rights organizations. Cybersecurity firm Volexity, which has monitored these activities since early March 2025, revealed that attackers leverage messaging apps like WhatsApp and Signal to initiate contact, impersonating European political officials or Ukrainian diplomats.
Victims receive OAuth phishing URLs masked as links to private video meetings on Ukraine affairs. Once a target authenticates, they are redirected to a fake Visual Studio Code interface hosted at ‘insiders.vscode.dev,’ designed to extract the OAuth authorization code, which grants attackers access to the victim’s account for up to 60 days.
Upon initiating communication, the attackers send a PDF with instructions and a phishing URL. Victims unknowingly authorize access by entering their credentials and sharing the authorization code. In some cases, attackers also used stolen codes to register new devices with Microsoft Entra ID, ensuring long-term access.
Volexity found that attackers manipulated two-factor authentication (2FA) approvals by convincing targets that the verification was necessary to access SharePoint portals related to the “conference.” After device registration and successful 2FA manipulation, attackers could access email accounts, documents, and other sensitive information.
Older variants of this phishing tactic used AzureAD v1.0 authorization endpoints but have since evolved to v2.0 for more seamless exploitation.
ALSO READ: Call for Cyber Experts: Join FCRF Academy as Trainers and Course Creators
To mitigate such OAuth-based phishing threats, Volexity recommends:
- Blocking access to ‘insiders.vscode.dev’ and ‘vscode-redirect.azurewebsites.net’.
- Setting up alerts for any logins via Visual Studio Code’s client_id.
- Enforcing Conditional Access Policies to restrict access only from approved, compliant devices.
The growing sophistication of OAuth abuse underlines the urgent need for organizations to continuously monitor authentication workflows, educate users about emerging phishing techniques, and implement layered security measures.
As cyber threat actors escalate their tactics, robust cybersecurity vigilance remains critical to safeguarding sensitive communications and data.