This Cyber Attack Targets Microsoft 365 Accounts
A new wave of cyberattacks is currently targeting Microsoft 365 users through phishing attempts delivered over Signal and WhatsApp messages. Hackers are masquerading as government officials, attempting to deceive individuals into surrendering access to their accounts.
According to a detailed report by Bleeping Computer, these cybercriminals, believed to be Russian operatives disguising themselves as European political officials or diplomats, are focusing their efforts on employees of organizations involved with Ukraine and human rights matters. Their ultimate aim is to lure their targets into clicking an OAuth phishing link designed to capture their Microsoft 365 login credentials.
This cyber scam was first unearthed by the cybersecurity firm Volexity. Although it predominantly targets groups connected to Ukraine, the methodology could be easily adapted for wider use to compromise user data or seize control of devices.
The attack initiation generally involves the targets receiving a message via Signal or WhatsApp. The supposed sender is presented as a political official or diplomat extending an invitation to partake in a video call or conference on topics related to Ukraine.
Volexity’s findings reveal that attackers might claim affiliations with credible entities such as the Mission of Ukraine to the European Union, the Permanent Delegation of the Republic of Bulgaria to NATO, or the Permanent Representation of Romania to the European Union. In certain scenarios, the attack sequence begins with an email dispatched from a compromised Ukrainian government account, succeeded by further correspondence on Signal and WhatsApp.
Once communications are established, these cyber actors send victims PDF instructions alongside an OAuth phishing link. Clicking the link prompts the user to log into their Microsoft account, as well as any third-party apps utilizing Microsoft 365 OAuth, and reroutes them to a landing page displaying an authentication code. The victim is told this code must be shared in order to join the meeting. Alarmingly, the access granted through this code remains valid for 60 days, thereby giving attackers ongoing access to email and other Microsoft 365 resources even if the victim changes their password.
This particular assault is among several recent schemes exploiting OAuth authentication. Because the victim signs in through Microsoft's genuine login flow, such requests are hard to distinguish from legitimate ones at a technical level, which complicates detection. To thwart these attacks, Volexity advises configuring conditional access policies on Microsoft 365 accounts to allow only approved devices, in addition to enabling login alerts.
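The two defensive measures Volexity recommends, restricting sign-ins to approved devices and alerting on suspicious logins, can be expressed as a simple detection rule over sign-in records. The following Python script is an added example, not code from the article or from Volexity: it scans sign-in events shaped like Microsoft Entra ID sign-in log entries (the field names mirror that schema; the sample records, client IDs, IP addresses and the allow-list of approved applications are constructed for the demo) and raises an alert whenever a successful sign-in comes from a device that is not managed and compliant, or issues a token to a client application that is not on the organization's allow-list.

```python
"""Flag Microsoft 365 sign-ins that look like OAuth token-grant abuse.

Added example, not from the article or from Volexity. Field names follow the
shape of Entra ID sign-in log records; every value below (users, app IDs,
IP addresses, device IDs) is invented for this demo.
"""
import json
from dataclasses import dataclass

# Constructed sample sign-in events (values invented for the demo).
SAMPLE_SIGNINS = [
    {   # normal sign-in: managed, compliant device, approved mail client
        "userPrincipalName": "analyst@example.org",
        "appId": "00000000-0000-0000-0000-00000000aaaa",
        "appDisplayName": "Outlook",
        "ipAddress": "203.0.113.10",
        "deviceDetail": {"deviceId": "dev-001", "isCompliant": True, "isManaged": True},
        "status": {"errorCode": 0},
    },
    {   # suspicious: token issued to an unknown client from an unmanaged device
        "userPrincipalName": "analyst@example.org",
        "appId": "00000000-0000-0000-0000-00000000bbbb",
        "appDisplayName": "Meeting Helper",
        "ipAddress": "198.51.100.77",
        "deviceDetail": {"deviceId": "", "isCompliant": False, "isManaged": False},
        "status": {"errorCode": 0},
    },
    {   # blocked sign-in (non-zero error code): no alert needed from this rule
        "userPrincipalName": "pm@example.org",
        "appId": "00000000-0000-0000-0000-00000000aaaa",
        "appDisplayName": "Outlook",
        "ipAddress": "198.51.100.77",
        "deviceDetail": {"deviceId": "", "isCompliant": False, "isManaged": False},
        "status": {"errorCode": 1},
    },
]

# Constructed allow-list of client application IDs the organization approves.
APPROVED_APPS = {"00000000-0000-0000-0000-00000000aaaa"}


@dataclass(frozen=True)
class Alert:
    user: str
    ip: str
    reasons: tuple


def is_approved_device(device):
    """An 'approved' device has a device record and is both managed and compliant."""
    return (
        bool(device.get("deviceId"))
        and device.get("isManaged") is True
        and device.get("isCompliant") is True
    )


def evaluate_signin(record, approved_apps=APPROVED_APPS):
    """Return an Alert for a successful but policy-violating sign-in, else None."""
    if record.get("status", {}).get("errorCode", 0) != 0:
        return None  # the sign-in failed or was blocked; nothing was granted
    reasons = []
    if not is_approved_device(record.get("deviceDetail", {})):
        reasons.append("successful sign-in from an unapproved device")
    if record.get("appId") not in approved_apps:
        reasons.append(
            f"token issued to unapproved client '{record.get('appDisplayName')}'"
        )
    if not reasons:
        return None
    return Alert(record["userPrincipalName"], record["ipAddress"], tuple(reasons))


def scan(records, approved_apps=APPROVED_APPS):
    """Evaluate every record and collect the alerts."""
    return [a for a in (evaluate_signin(r, approved_apps) for r in records) if a]


def scan_jsonl(text, approved_apps=APPROVED_APPS):
    """Convenience wrapper for exported logs with one JSON record per line."""
    records = [json.loads(line) for line in text.splitlines() if line.strip()]
    return scan(records, approved_apps)


if __name__ == "__main__":
    for alert in scan(SAMPLE_SIGNINS):
        print(f"ALERT {alert.user} from {alert.ip}: " + "; ".join(alert.reasons))
```

A conditional access policy that requires a compliant device would turn the second record into a blocked sign-in like the third, which is why Volexity recommends it; the alert rule covers accounts the policy does not yet protect. One caveat the article implies but does not spell out: because the granted access outlives a password change, responding to a confirmed compromise means revoking the account's sessions and refresh tokens, not only resetting the password.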
It’s essential for users to remain vigilant against social engineering tactics, which exploit human psychology to execute phishing and various forms of cyberattacks. Red flags include messages that appear peculiar or inconsistent, especially from a known or trusted sender, communications that evoke an emotional response (such as fear or curiosity), and those urging immediate action or presenting offers that seem unduly favorable.
A social engineering guide from CSO endorses adopting a “zero-trust mindset” while being alert for common indicators such as grammatical errors, spelling mistakes, and instructions to click on links or open attachments. Screenshots of the Signal and WhatsApp messages, shared by Volexity, exhibit minor errors that signal their potential fraudulent nature.
In conclusion, the ever-evolving landscape of cyber threats underscores the need for individuals and organizations to strengthen their cyber defenses continually. By staying informed and vigilant, users can significantly reduce their exposure to such deceptive maneuvers.