Russian hackers exploit OAuth 2.0 to hack Microsoft 365 Accounts
Two Russian hacker groups have reportedly abused OAuth 2.0 authentication workflows to hack Microsoft 365 accounts.
Russian hackers have exploited legitimate OAuth 2.0 authentication workflows to hijack Microsoft 365 accounts. Rather than relying on conventional phishing, the attackers abuse the legitimate sign-in flow itself.
Recently, the cybersecurity company Volexity discovered and reported a series of cyberattacks that have been ongoing since March 2025.
Russian hackers target Ukraine allies by hacking their Microsoft 365 accounts
Two Russian threat actors, tracked as UTA0352 and UTA0355, primarily target Microsoft 365 accounts of individuals linked to Ukraine and human rights, using highly targeted social engineering tactics.
How have the attackers been able to lure victims into their trap? They first pose as European officials, or use hacked Ukrainian government accounts, to contact victims via messaging apps such as WhatsApp and Signal.
Hackers lure victims into clicking on malicious links without any suspicion
Russian hackers lure targets into clicking malicious links hosted on Microsoft’s infrastructure or into sharing OAuth authorization codes. Valid for 60 days, these codes give the attackers access to the victim’s email and other Microsoft 365 resources.
Security researchers at Volexity note, “It should be noted that this code also appeared as part of the URI in the address bar. The Visual Studio Code appears to have been set up to make it easier to extract and share this code, whereas most other instances would simply lead to blank pages.”
In some cases, Russian hackers register new devices to the victim’s Microsoft Entra ID, bypassing two-factor authentication (2FA). They trick users into approving fake 2FA requests under the guise of accessing a SharePoint instance.
Victims are unlikely to suspect
Since the Russian hackers have been using Microsoft’s own infrastructure, it is hard for victims to suspect any foul play, and these attacks are quite different from traditional phishing. The attackers also use proxy networks to mimic the victim’s location, so a sign-in from an unexpected country does not give them away.
The stolen OAuth codes provide prolonged access that lets the attackers read emails, access files, and maintain unauthorized entry. Notably, all of this remains possible even after victims change their passwords.
Volexity, in its report, notes, “In logs reviewed by Volexity, initial device registration was successful shortly after interacting with the attacker. Access to email data occurring the following day, which was when UTA0355 had engineered a situation where their 2FA request would be approved.”
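The sequence Volexity describes (a device registration, then mail access shortly afterwards) is something defenders can correlate in their own logs. The following is an added example, not code from the article or from Volexity: it runs over constructed sample records in a hypothetical simplified schema (the field names are assumptions, not Microsoft's actual log format) and flags mail access that follows a device registration from an address the user had never used before. Because the attackers proxy through the victim's region, the timing correlation is the main signal and the new-IP condition is only a secondary filter.

```python
from datetime import datetime, timedelta

# Constructed sample records in a simplified, hypothetical schema; the field
# names are assumptions for this example, not Microsoft's actual log format.
SAMPLE_EVENTS = [
    {"user": "alice@example.org", "time": "2025-03-01T10:00:00", "activity": "SignIn", "ip": "192.0.2.10"},
    {"user": "alice@example.org", "time": "2025-03-10T09:02:00", "activity": "DeviceRegistration", "ip": "203.0.113.7"},
    {"user": "alice@example.org", "time": "2025-03-11T08:15:00", "activity": "MailItemsAccessed", "ip": "203.0.113.7"},
    {"user": "bob@example.org", "time": "2025-03-01T10:00:00", "activity": "SignIn", "ip": "198.51.100.5"},
    {"user": "bob@example.org", "time": "2025-03-10T12:00:00", "activity": "DeviceRegistration", "ip": "198.51.100.5"},
    {"user": "bob@example.org", "time": "2025-03-10T13:00:00", "activity": "MailItemsAccessed", "ip": "198.51.100.5"},
]


def find_suspicious_sequences(events, window_hours=48):
    """Flag mail access that follows, within `window_hours`, a device
    registration performed from an address the user had never used before.
    Returns (user, registration_time, mail_access_time, ip) tuples."""
    window = timedelta(hours=window_hours)
    by_user = {}
    for ev in sorted(events, key=lambda e: e["time"]):  # ISO timestamps sort lexically
        by_user.setdefault(ev["user"], []).append(ev)

    hits = []
    for user, evs in by_user.items():
        seen_ips = set()  # addresses observed for this user so far (the baseline)
        for i, ev in enumerate(evs):
            if ev["activity"] == "DeviceRegistration" and ev["ip"] not in seen_ips:
                reg_time = datetime.fromisoformat(ev["time"])
                # Look ahead for the first mail access inside the correlation window.
                for later in evs[i + 1:]:
                    if datetime.fromisoformat(later["time"]) - reg_time > window:
                        break
                    if later["activity"] == "MailItemsAccessed":
                        hits.append((user, ev["time"], later["time"], later["ip"]))
                        break
            seen_ips.add(ev["ip"])
    return hits


if __name__ == "__main__":
    for hit in find_suspicious_sequences(SAMPLE_EVENTS):
        print("review:", hit)
```

Bob's registration is not flagged because it came from his usual address; Alice's is, because the device was enrolled from a never-before-seen IP and her mailbox was read the next day.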
All that said, this isn’t the first instance of attackers abusing OAuth authentication workflows. Some recent reports highlighted that scammers are even abusing Google OAuth to send out multiple phishing emails to users.