Beware of video call links that are attempts to steal Microsoft 365 access, researchers tell NGOs

It appears that new phishing campaigns are using malicious video call invites sent through Signal and WhatsApp.

Russia-linked hackers are continuing to develop ways to trick people into giving them access to their organizations’ Microsoft 365 environments, according to researchers.

The latest example, cited by cybersecurity company Volexity, involves “highly targeted social engineering operations” aimed at nongovernmental organizations with ties to Ukraine. The goal is to capture access tokens for victims’ M365 accounts by abusing OAuth, the authorization protocol that lets a user grant an application access to their account without handing over their password.

The scheme typically starts with a phishing attempt through a messaging app like Signal or WhatsApp inviting potential victims “to join a video call to discuss the conflict in Ukraine,” Volexity says. The victim is then sent a link presented as the video-call URL; opening it produces an OAuth authorization code, which the attacker asks the victim to send back. With that code, the attacker can obtain an access token for the victim’s M365 account, Volexity says.
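To make the mechanism concrete, here is an added example (not code from Volexity’s report or from Microsoft) that models the OAuth authorization-code exchange in a toy authorization server. It assumes a hypothetical public client called “desktop-app”, a made-up redirect URI and user, and a generic RFC 6749/7636 flow rather than Microsoft’s exact implementation. The point it shows: the code is bound to the client ID, redirect URI and PKCE verifier of the request that produced it, which stops a bystander who only captured the code, but not an attacker who built the sign-in link and therefore chose all of those values.

```python
"""Toy model of the OAuth 2.0 authorization-code exchange (RFC 6749, section 4.1)
with PKCE (RFC 7636). Constructed example: not Microsoft's implementation; the
client IDs, redirect URIs and user name below are made up."""

import base64
import hashlib
import secrets
import time

# Hypothetical registered clients. A public client has no secret, which is
# normal for desktop/CLI apps, so the code alone is enough to redeem a token.
CLIENTS = {
    "desktop-app": None,          # public client
    "web-app": "web-app-secret",  # confidential client
}

CODE_LIFETIME_SECONDS = 600


def s256_challenge(verifier: str) -> str:
    """PKCE S256 challenge: BASE64URL(SHA256(verifier)) without padding."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


class AuthorizationServer:
    def __init__(self):
        self._codes = {}

    def authorize(self, user, client_id, redirect_uri, code_challenge):
        """Authorization endpoint, after the user has signed in and consented:
        issue a short-lived code bound to the request parameters."""
        if client_id not in CLIENTS:
            raise ValueError("unauthorized_client")
        code = secrets.token_urlsafe(32)
        self._codes[code] = {
            "user": user, "client_id": client_id, "redirect_uri": redirect_uri,
            "code_challenge": code_challenge,
            "expires": time.time() + CODE_LIFETIME_SECONDS, "used": False,
        }
        return code

    def token(self, code, client_id, redirect_uri, code_verifier, client_secret=None):
        """Token endpoint: redeem a code for a bearer access token, or raise
        ValueError('invalid_grant' / 'invalid_client')."""
        rec = self._codes.get(code)
        if rec is None or rec["used"] or time.time() > rec["expires"]:
            raise ValueError("invalid_grant")
        if rec["client_id"] != client_id or rec["redirect_uri"] != redirect_uri:
            raise ValueError("invalid_grant")
        if s256_challenge(code_verifier) != rec["code_challenge"]:
            raise ValueError("invalid_grant")
        secret = CLIENTS[client_id]
        if secret is not None and client_secret != secret:
            raise ValueError("invalid_client")
        rec["used"] = True  # codes are single-use
        return {"access_token": secrets.token_urlsafe(32),
                "token_type": "Bearer", "sub": rec["user"]}


def run_attack():
    """Model of the scheme described above: the attacker builds the sign-in
    link, the victim signs in and relays the code, the attacker redeems it."""
    server = AuthorizationServer()

    # The attacker chooses every parameter of the authorization request,
    # including the PKCE verifier, and sends the link as a "video call" invite.
    verifier = secrets.token_urlsafe(48)
    link = {"client_id": "desktop-app",
            "redirect_uri": "http://localhost/callback",
            "code_challenge": s256_challenge(verifier)}

    # The victim opens the link and signs in for real; a code is issued and the
    # victim is talked into sending it to the attacker.
    code = server.authorize("victim@ngo.example", **link)

    # A bystander who only saw the code, not the link, cannot redeem it.
    try:
        server.token(code, "web-app", "https://web.example/cb", "guess", "web-app-secret")
        bystander = "token"
    except ValueError as err:
        bystander = str(err)

    # The attacker redeems it with the parameters they chose: nothing else needed.
    tok = server.token(code, link["client_id"], link["redirect_uri"], verifier)

    # Codes are single-use, so a second redemption is refused.
    try:
        server.token(code, link["client_id"], link["redirect_uri"], verifier)
        replay = "token"
    except ValueError as err:
        replay = str(err)

    return {"bystander": bystander, "attacker_sub": tok["sub"], "replay": replay}
```

Running `run_attack()` returns `invalid_grant` for the bystander, the victim’s identity as the subject of the attacker’s token, and `invalid_grant` for the replay. The defensive takeaway is that the protocol-level bindings (client ID, redirect URI, PKCE) are not a mitigation against this scheme, because the phisher is the party that initiated the flow; the controls that matter are the ones around which applications a user may authorize and around the user never relaying a code.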

The company first noticed malicious activity in March. “The targeted staff members worked at NGOs that support human rights and specifically have expertise and experience working on issues related to Ukraine,” the report says. The messages claimed to be from security officials elsewhere in Europe.

“In each observed instance, the call to action was to arrange a meeting between the target and a political official, or Ambassador, of the European country of which the sender claimed to represent,” Volexity says. The sender would then provide instructions for joining the video call, which instead led the recipient to unknowingly hand over an OAuth authorization code.

Volexity attributes the operations to threat actors it tracks as UTA0352 and UTA0355. The report does not link them to existing Russian advanced persistent threat (APT) groups, but says they appear to overlap with the attackers behind a different recent scheme for breaking into M365 accounts. The researchers described that campaign, which abused Microsoft’s device code authentication flow, a sign-in method intended for devices with limited input such as smart TVs and other hardware, in a report in February.