Multiple suspected Russia-linked threat actors are "aggressively" targeting individuals and organizations with ties to Ukraine and human rights with an aim to gain unauthorized access to Microsoft 365 accounts since early March 2025. The highly targeted social engineering operations, per Volexity, are a shift from previously documented attacks that leveraged a technique known as device code phishing to achieve the same goals, indicating that Russian adversaries are actively refining their tradecraft. "These recently observed attacks rely heavily on one-on-one interaction with a target, as the threat actor must both convince them to click a link and send back a Microsoft-generated code," security researchers Charlie Gardner, Josh Duke, Matthew Meltzer, Sean Koessel, Steven Adair, and Tom Lancaster said in an exhaustive analysis. At least two different threat clusters tracked as UTA0352 and UTA0355 are assessed to be behind the attacks, although the possibility that they could also be related to APT29, UTA0304, and UTA0307 hasn't been ruled out. The latest set of attacks is characterized by the use of a new technique that's aimed at abusing legitimate Microsoft OAuth 2.0 Authentication workflows. The threat actors impersonate officials from various European nations and have been found to take advantage of a compromised Ukrainian Government account at least in one case to trick victims into providing a Microsoft-generated OAuth code to take control of their accounts. …Read More