This Cyberattack Targets Microsoft 365 Accounts

A new cyberattack is targeting Microsoft 365 users via Signal and WhatsApp messages. Hackers pose as government officials to gain access to accounts.

According to Bleeping Computer, the attackers – believed to be Russians posing as European politicians or diplomats – are contacting employees of organizations involved in issues related to Ukraine and human rights. The ultimate goal is to trick victims into clicking a phishing OAuth link that will lead them to authenticate their Microsoft 365 credentials.

The scam, first discovered by cybersecurity firm Volexity, targeted organizations linked to Ukraine specifically, but a similar approach could be used more broadly to steal user data or hijack devices.

How the Microsoft 365 OAuth attack works

This attack typically begins with targets receiving a message via Signal or WhatsApp from a user posing as a politician or diplomat, inviting them to a video call or conference to discuss issues related to Ukraine.

According to Volexity, attackers can impersonate employees of the Ukrainian Mission to the European Union, the Permanent Mission of the Republic of Bulgaria to NATO or the Permanent Mission of Romania to the European Union. In one variation, the campaign begins with an email sent from a hacked Ukrainian government account, followed by communications via Signal and WhatsApp.

Once the call has been arranged, the attackers send victims PDF instructions along with a phishing OAuth URL. When clicked, the user is prompted to sign in to Microsoft and third-party apps that use Microsoft 365 OAuth and is redirected to a landing page with an authentication code they are asked to provide to join the meeting. This code, valid for 60 days, gives attackers access to email and other Microsoft 365 resources, even if victims change their passwords.


How to detect a Microsoft 365 OAuth attack

This attack is one of several recent threats that abuse OAuth authentication, which can make identifying a suspicious account difficult, at least from a technical perspective. Volexity recommends setting conditional access policies in Microsoft 365 accounts to approved devices only, and enabling sign-in alerts.
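The two controls Volexity recommends, restricting sign-ins to approved devices and alerting on sign-ins, can be checked against sign-in telemetry. The script below is an added example, not code from the article or from Volexity: it parses a few constructed sign-in records written as JSON lines, flags successful sign-ins that a device-based conditional access policy would have blocked (device neither compliant nor managed), and raises an alert the first time a user signs in through a client app not in that user's known-app baseline. The field names (`appDisplayName`, `deviceDetail.isCompliant`, `deviceDetail.isManaged`, `status.errorCode`) are chosen to resemble Microsoft Entra sign-in logs but are assumptions here, as is the `KNOWN_APPS` baseline; the sample records are invented.

```python
"""Triage Microsoft 365 sign-in records against a device-based conditional
access policy and a per-user baseline of known OAuth client apps.

Added example, not from the article or Volexity. The record layout is a
constructed, simplified stand-in for Microsoft Entra sign-in log entries.
"""
import json
from typing import Dict, List, Set, Tuple

# Constructed JSON-lines sample, not real telemetry.
SAMPLE_LOG = """\
{"user": "analyst@example.org", "appDisplayName": "Outlook", "deviceDetail": {"isCompliant": true, "isManaged": true}, "status": {"errorCode": 0}}
{"user": "analyst@example.org", "appDisplayName": "Teams", "deviceDetail": {"isCompliant": true, "isManaged": true}, "status": {"errorCode": 0}}
{"user": "analyst@example.org", "appDisplayName": "Unfamiliar OAuth Client", "deviceDetail": {"isCompliant": false, "isManaged": false}, "status": {"errorCode": 0}}
{"user": "analyst@example.org", "appDisplayName": "Outlook", "deviceDetail": {"isCompliant": true, "isManaged": true}, "status": {"errorCode": 0}}
{"user": "pm@example.org", "appDisplayName": "Unfamiliar OAuth Client", "deviceDetail": {"isCompliant": false, "isManaged": false}, "status": {"errorCode": 50126}}
"""

# Constructed baseline of client apps each user has used before (assumption).
KNOWN_APPS: Dict[str, Set[str]] = {
    "analyst@example.org": {"Outlook", "Teams"},
}


def parse_signins(text: str) -> List[dict]:
    """Parse one JSON object per line, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def succeeded(rec: dict) -> bool:
    """A sign-in counts as successful when its error code is 0."""
    return rec.get("status", {}).get("errorCode", 0) == 0


def from_approved_device(rec: dict) -> bool:
    """Model a device-based conditional access policy: the sign-in is allowed
    only when the device is marked compliant or managed."""
    dev = rec.get("deviceDetail", {})
    return bool(dev.get("isCompliant") or dev.get("isManaged"))


def triage(records: List[dict], known_apps: Dict[str, Set[str]]) -> Dict[str, list]:
    """Return sign-ins a device policy would have blocked, and first-seen
    (user, app) pairs that merit a sign-in alert. Failed sign-ins are
    skipped: they granted nothing, so there is no token to worry about."""
    blocked: List[Tuple[str, str]] = []
    alerts: Set[Tuple[str, str]] = set()
    for rec in records:
        if not succeeded(rec):
            continue
        user, app = rec["user"], rec["appDisplayName"]
        if not from_approved_device(rec):
            blocked.append((user, app))
        if app not in known_apps.get(user, set()):
            alerts.add((user, app))
    return {"blocked_by_policy": blocked, "new_app_alerts": sorted(alerts)}


if __name__ == "__main__":
    result = triage(parse_signins(SAMPLE_LOG), KNOWN_APPS)
    for user, app in result["blocked_by_policy"]:
        print(f"POLICY WOULD BLOCK: {user} signed in via {app} from an unapproved device")
    for user, app in result["new_app_alerts"]:
        print(f"ALERT: first sign-in by {user} through client app {app}")
```

In the sample, the third record is the one that matters: a successful sign-in through a client the user has never used, from a device the tenant does not manage. A compliant-device policy would have refused it outright, and the first-seen-app alert is the kind of sign-in notification the article recommends enabling; the failed sign-in for the second user is deliberately ignored, since no token was issued.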

Users should also be wary of social engineering tactics, which use human psychology to successfully carry out phishing and other types of cyberattacks. Examples include messages that are unusual or out of character (especially from a sender you know or trust), a message that evokes an emotional response (such as fear or curiosity), and urgent requests or offers that are too good to be true.

A social engineering expert at CSO advises adopting a “zero trust mindset” and also paying attention to common signs such as grammatical and spelling errors, as well as instructions for clicking links or opening attachments. Screenshots of Signal and WhatsApp messages shared by Volexity show small errors that mark them out as potentially fraudulent.
