Russia-linked hackers are continuing to develop ways to trick people into giving them access to their organizations’ Microsoft 365 environments, according to researchers.
The latest example, cited by cybersecurity company Volexity, involves “highly targeted social engineering operations” aimed at nongovernmental organizations with ties to Ukraine. The goal is to capture access tokens for victims’ M365 accounts by abusing OAuth, a protocol that allows apps to sign in to one another without passwords.
The scheme typically starts with a phishing attempt through a messaging app like Signal or WhatsApp inviting potential victims “to join a video call to discuss the conflict in Ukraine,” Volexity says. The victim then receives a bogus video-call URL that generates an OAuth code, and the attacker asks for it. If the victim sends the code, the attacker can generate a token that allows for M365 access, Volexity says.
The company first noticed malicious activity in March. “The targeted staff members worked at NGOs that support human rights and specifically have expertise and experience working on issues related to Ukraine,” the report says. The messages claimed to be from security officials elsewhere in Europe.
“In each observed instance, the call to action was to arrange a meeting between the target and a political official, or Ambassador, of the European country of which the sender claimed to represent,” Volexity says. The representative would send instructions about how to join a video call, but instead it would lead the recipient to unknowingly give up an OAuth code.
Volexity attributes the operations to threat actors it calls UTA0352 and UTA0355. The report does not link them to existing Russian advanced persistent threat (APT) groups, but says they appear to overlap with attackers that recently perpetrated a different scheme to break into M365 accounts. The researchers described that campaign — which involved Microsoft Device Code Authentication, typically used to connect devices to smart TVs and other hardware — in a report in February.
The two reports do not specify where the targets — including think tanks, human rights groups and other nongovernmental organizations — were based.
“Organizations should train users to be highly vigilant when it comes to unsolicited contact, especially if it arrives via secure messaging apps and requests that users click links or open attachments,” Volexity says.
The prevalence of Microsoft 365 — which includes productivity apps like Teams and Outlook — makes it a perennial target for hackers.
Researchers at cybersecurity company SecurityScorecard recently described a botnet that used password-spraying to try to break into M365 accounts.
Joe Warminsky
is the news editor for Recorded Future News. He has more than 25 years' experience as an editor and writer in the Washington, D.C., area. He previously helped lead CyberScoop for more than five years. Prior to that, he was a digital editor at WAMU 88.5, the NPR affiliate in Washington, and he spent more than a decade editing coverage of Congress for CQ Roll Call.