New Cyber Threat Targets Microsoft 365 Users via Messaging Apps
A recent phishing campaign targets Microsoft 365 users through messages sent via Signal and WhatsApp, with the attackers posing as government officials in order to take over accounts.
As reported by Bleeping Computer, the actors, believed to be Russian operatives posing as European diplomats, are contacting individuals at organizations involved in Ukraine and human rights matters. Their goal is to get the target to click an OAuth phishing link, sign in to Microsoft 365 through the legitimate login flow, and then hand over the authorization code that the flow produces.
The scheme was first identified by the security firm Volexity, which observed it being aimed at entities connected to Ukraine, though the same technique could be applied far more broadly for data theft or device takeovers.
Understanding the Microsoft 365 OAuth Attack
The attack typically begins when the target receives a message on Signal or WhatsApp from someone posing as a political figure. The message usually invites the target to a video conference to discuss topics related to Ukraine.
As per Volexity’s findings, attackers might impersonate representatives from the Mission of Ukraine to the European Union or the Permanent Delegation of Bulgaria to NATO. In some instances, the attack may begin with an email from a compromised Ukrainian government account, followed by subsequent messages via Signal and WhatsApp.
After establishing contact, the attackers send the victim PDF instructions together with an OAuth phishing link. The link opens a genuine Microsoft sign-in, either for Microsoft itself or for a third-party application that uses Microsoft 365 OAuth, so the victim sees a legitimate login page rather than a spoofed one. Once signed in, the victim is redirected to a page that displays an OAuth authorization code and is told to send that code back in order to "join" the meeting. The attackers then redeem the code for access and refresh tokens. According to Volexity, the code remains valid for 60 days and gives the attackers broad access to the victim's email and other Microsoft 365 resources; because OAuth tokens are not tied to the account password, changing the password does not cut off that access.
Identifying the Microsoft 365 OAuth Attack
This campaign is one of several recent incidents abusing OAuth authentication. Because the victim signs in on Microsoft's own login page and never types a password into an attacker-controlled site, there is no spoofed domain or captured credential for conventional phishing defences to catch. Volexity recommends conditional access policies for Microsoft 365 accounts that restrict sign-ins to approved devices, and enabling login alerts.
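To make the mechanics described in the previous section and the mitigations recommended here concrete, the following added example (not code from the article, Volexity or Microsoft) simulates the OAuth authorization-code flow against a constructed toy authorization server. ToyAuthServer, the account victim@example.org, the device ids, the redirect URL client.example and the device-based check are all assumptions made for illustration; Microsoft Entra ID's real token endpoint, client registration and conditional access evaluation are considerably more involved. The example shows why a shared authorization code is enough to take over the account, why a password change does not help, and which controls (revoking refresh tokens, requiring an enrolled device) actually stop the attacker.

```python
# Added example: a toy OAuth 2.0 authorization-code flow. ToyAuthServer, the
# account, device ids and URLs are constructed for illustration and do not
# reproduce Microsoft Entra ID internals.
import secrets
from dataclasses import dataclass, field
from urllib.parse import parse_qs, urlparse


@dataclass
class Account:
    username: str
    password: str
    managed_devices: set = field(default_factory=set)  # enrolled device ids


class ToyAuthServer:
    """Minimal stand-in for an OAuth 2.0 authorization and token endpoint."""

    def __init__(self, accounts, require_managed_device=False):
        self.accounts = {a.username: a for a in accounts}
        self.codes = {}           # authorization code -> username (single use)
        self.refresh_tokens = {}  # refresh token -> username
        self.access_tokens = {}   # access token -> username
        # Toy conditional access policy (an assumption of this example): tokens
        # are only issued to devices the tenant has enrolled.
        self.require_managed_device = require_managed_device

    def authorize(self, username, password, redirect_uri):
        """The victim signs in on the genuine login page and is redirected to
        the client's redirect_uri with a one-time code in the query string."""
        if self.accounts[username].password != password:
            raise PermissionError("wrong password")
        code = secrets.token_urlsafe(16)
        self.codes[code] = username
        return f"{redirect_uri}?code={code}&state=meeting"

    def _issue_tokens(self, username, device_id):
        if self.require_managed_device and device_id not in self.accounts[username].managed_devices:
            raise PermissionError("conditional access: device not enrolled")
        access, refresh = secrets.token_urlsafe(24), secrets.token_urlsafe(24)
        self.access_tokens[access] = username
        self.refresh_tokens[refresh] = username
        return {"access_token": access, "refresh_token": refresh}

    def redeem_code(self, code, device_id):
        """Whoever presents the code gets tokens; the server cannot tell the
        real client from an attacker who received the code over chat."""
        return self._issue_tokens(self.codes.pop(code), device_id)  # single use

    def refresh(self, refresh_token, device_id):
        return self._issue_tokens(self.refresh_tokens[refresh_token], device_id)

    def read_mailbox(self, access_token):
        return f"inbox of {self.access_tokens[access_token]}"

    def change_password(self, username, new_password):
        # Passwords and already-issued tokens are independent: nothing is revoked.
        self.accounts[username].password = new_password

    def revoke_refresh_tokens(self, username):
        # The control that actually ends the access. Access tokens already
        # issued keep working until they expire, which this toy does not model.
        self.refresh_tokens = {t: u for t, u in self.refresh_tokens.items() if u != username}


def extract_code(redirect_url):
    """Pull the authorization code out of the URL the victim is told to share."""
    return parse_qs(urlparse(redirect_url).query)["code"][0]


def run_attack(require_managed_device=False):
    """Replay the campaign step by step and report which attacker steps worked."""
    victim = Account("victim@example.org", "hunter2", {"victim-laptop"})
    server = ToyAuthServer([victim], require_managed_device)
    outcome = {}
    # 1. The victim follows the phishing link, signs in on the real page and
    #    lands on a redirect URL that carries the authorization code.
    url = server.authorize(victim.username, "hunter2", "https://client.example/redirect")
    # 2. The victim sends the code to the "diplomat" to "join the meeting" and
    #    the attacker redeems it from their own, unenrolled machine.
    try:
        tokens = server.redeem_code(extract_code(url), device_id="attacker-vm")
    except PermissionError:
        outcome["code_redeemed"] = False  # blocked by the device requirement
        return outcome
    outcome["code_redeemed"] = True
    outcome["mailbox_read"] = server.read_mailbox(tokens["access_token"]) == "inbox of victim@example.org"
    # 3. The victim resets the password; the attacker's refresh token still works.
    server.change_password(victim.username, "correct-horse-battery")
    tokens = server.refresh(tokens["refresh_token"], device_id="attacker-vm")
    outcome["survives_password_change"] = "access_token" in tokens
    # 4. Revoking the refresh tokens is what finally locks the attacker out.
    server.revoke_refresh_tokens(victim.username)
    outcome["survives_revocation"] = tokens["refresh_token"] in server.refresh_tokens
    return outcome


if __name__ == "__main__":
    print("no device restriction:", run_attack())
    print("managed devices only: ", run_attack(require_managed_device=True))
```

The two runs map onto the response and prevention sides of the article's advice: in an unrestricted tenant the attacker reads the mailbox and keeps access through a password reset until the tokens are revoked, while a device requirement stops the code from being redeemed at all. In a real Entra ID tenant the closest equivalents are revoking the user's sign-in sessions (which invalidates refresh tokens) and a conditional access policy that grants access only from compliant or hybrid-joined devices.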
Individuals should also stay alert to social engineering, which exploits human psychology to make phishing and related attacks succeed. Warning signs include messages that are out of character for a trusted contact, communications designed to provoke fear or curiosity, and urgent requests or offers that seem too good to be true.
A social engineering guide by CSO advises keeping a "zero-trust mindset" and watching for common red flags, including spelling and grammar errors and unexpected instructions to click a link or open an attachment. The screenshots of the Signal and WhatsApp conversations shared by Volexity contain exactly such minor errors, which can be a tell-tale sign of fraud.