Russian Hackers Hijack Microsoft 365 Accounts in Comedic Misuse of OAuth 2.0
Russian threat actors have been playing the ultimate trust fall game, exploiting OAuth 2.0 authentication to hijack Microsoft 365 accounts. By impersonating European officials on WhatsApp and Signal, they trick targets into handing over Microsoft authorization codes or clicking malicious links, proving once again that cybercrime is the unfunny prankster of the digital world.

Hot Take:
*Ding dong, it’s the Russians again! This time, they’re not just knocking on the door; they’re crawling through the OAuth 2.0 window to hijack Microsoft 365 accounts. Somebody call tech support because it looks like UTA0352 and UTA0355 are phishing for more than compliments on their hacking skills. Just when you thought your info was safe, they’ve got you sending them codes faster than a teenager texting on a new iPhone.*
Key Points:
– Russian threat actors UTA0352 and UTA0355 are targeting Microsoft 365 accounts using OAuth 2.0 authentication workflows.
– The attackers use WhatsApp and Signal to impersonate European officials and coax victims into sharing authorization codes.
– The operation includes phishing URLs disguised as video call invitations, and leverages Visual Studio Code to capture the OAuth authorization code.
– Attackers trick victims into approving two-factor authentication, gaining long-term access to accounts.
– Volexity advises setting alerts, blocking malicious domains, and using conditional access policies.
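As an added example of the kind of alerting the key points above call for (this is not code from the article or from Volexity), the script below scans a few constructed Microsoft 365-style audit records for the sequence the post describes: an OAuth authorization-code sign-in through the Visual Studio Code client from a country the user has not been seen in before, followed within an hour by a new MFA method being registered. The record field names (`ts`, `user`, `type`, `app`, `country`, `method`) and the app display name are simplified assumptions, not the real Entra ID sign-in log schema.

```python
from datetime import datetime, timedelta

# Assumed display name for the client in our simplified records.
VSCODE_APP = "Visual Studio Code"

# Constructed sample events (simplified schema, not real log output).
SAMPLE_EVENTS = [
    {"ts": "2025-04-20T09:00:00", "user": "alice@example.org", "type": "signin",
     "app": VSCODE_APP, "ip": "203.0.113.7", "country": "NL"},
    {"ts": "2025-04-20T09:12:00", "user": "alice@example.org", "type": "signin",
     "app": VSCODE_APP, "ip": "198.51.100.9", "country": "XX"},
    {"ts": "2025-04-20T09:20:00", "user": "alice@example.org",
     "type": "mfa_method_added", "method": "Authenticator app", "ip": "198.51.100.9"},
    {"ts": "2025-04-20T10:00:00", "user": "bob@example.org", "type": "signin",
     "app": "Outlook", "ip": "203.0.113.7", "country": "NL"},
]

# Constructed per-user baseline of countries previously seen for each account.
KNOWN_COUNTRIES = {"alice@example.org": {"NL"}, "bob@example.org": {"NL"}}


def parse_ts(value):
    """Parse the ISO-8601 timestamp used in the sample records."""
    return datetime.fromisoformat(value)


def find_suspicious(events, known_countries, window_minutes=60):
    """Return findings for VS Code sign-ins from an unfamiliar country.

    Severity is 'medium' for the sign-in alone and 'high' when the same user
    registers a new MFA method within window_minutes afterwards, which is the
    long-term-access step the post describes.
    """
    events = sorted(events, key=lambda e: parse_ts(e["ts"]))
    findings = []
    for i, ev in enumerate(events):
        if ev["type"] != "signin" or ev["app"] != VSCODE_APP:
            continue
        if ev["country"] in known_countries.get(ev["user"], set()):
            continue  # familiar location for this user, not interesting here
        finding = {
            "user": ev["user"],
            "signin_ts": ev["ts"],
            "ip": ev["ip"],
            "mfa_added_ts": None,
            "severity": "medium",
        }
        deadline = parse_ts(ev["ts"]) + timedelta(minutes=window_minutes)
        # Look ahead for a new MFA method registered by the same user in the window.
        for later in events[i + 1:]:
            if parse_ts(later["ts"]) > deadline:
                break
            if later["user"] == ev["user"] and later["type"] == "mfa_method_added":
                finding["mfa_added_ts"] = later["ts"]
                finding["severity"] = "high"
                break
        findings.append(finding)
    return findings


def run_sample():
    """Run the detection over the constructed sample events."""
    return find_suspicious(SAMPLE_EVENTS, KNOWN_COUNTRIES)


if __name__ == "__main__":
    for finding in run_sample():
        print(finding)
```

Against the sample data this yields one high-severity finding for alice, because the sign-in from an unfamiliar country is followed eight minutes later by a new MFA method. In a real deployment the baseline of known countries would come from historical sign-in data and the events from the tenant's sign-in and audit logs, and the same pattern could be complemented by a conditional access policy that restricts which clients and locations may complete an interactive sign-in at all.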