Phishing for Codes: Russian Threat Actors Target Microsoft 365 OAuth Workflows
ID: a34392cf-ffc0-5259-8746-1196ea5769f9
STIX ID: report--a34392cf-ffc0-5259-8746-1196ea5769f9
Feed Name: Volexity Blog
Volexity observed two suspected Russian threat actors (UTA0352 and UTA0355) conducting targeted social-engineering campaigns since March–April 2025 that lure NGO and Ukraine-focused targets via Signal/WhatsApp and maliciously crafted Microsoft 365 OAuth authorization flows. Attackers convince victims to click legitimate Microsoft login links and return Microsoft-generated authorization codes—enabling the attackers to exchange codes for access tokens, register devices to victims' Entra ID accounts, and ultimately access email and other M365 resources. The report includes observed URLs, a Visual Studio Code redirect abuse, client_id and redirect_uri indicators, detection guidance (alerts for specific URL patterns and client_id usage), and mitigation recommendations such as conditional access and user training.
