A new cyberattack is targeting Microsoft 365 users through Signal and WhatsApp messages, with hackers impersonating government officials in order to gain access to accounts.
According to reporting from Bleeping Computer, bad actors—who are believed to be Russians pretending to be European political officials or diplomats—are contacting employees of organizations working on issues related to Ukraine and human rights. The end goal is to trick targets into clicking an OAuth phishing link leading them to authenticate their Microsoft 365 credentials.
This scam, first discovered by cybersecurity firm Volexity, has focused specifically on organizations related to Ukraine, but a similar approach could be used more widely to steal user data or take over devices.
How the Microsoft 365 OAuth attack works
This attack typically begins with targets receiving a message via Signal or WhatsApp from a user posing as a political official or diplomat with an invitation to a video call or conference to discuss issues related to Ukraine.
According to Volexity, attackers may claim to be from the Mission of Ukraine to the European Union, the Permanent Delegation of the Republic of Bulgaria to NATO, or the Permanent Representation of Romania to the European Union. In one variation, the campaign starts with an email sent from a hacked Ukrainian government account followed by communication via Signal and WhatsApp.
Once a thread is established, bad actors send victims PDF instructions along with an OAuth phishing URL. When clicked, the user is prompted to log into Microsoft and third-party apps that utilize Microsoft 365 OAuth and redirected to a landing page with an authentication code, which they are told to share in order to enter the meeting. This code, which is valid for 60 days, gives attackers access to email and other Microsoft 365 resources, even if victims change their passwords.
What do you think so far?
How to spot the Microsoft 365 OAuth attack
This attack is one of several recent threats abusing OAuth authentication, which can make it harder to identify as suspect, at least from a technical point of view. Volexity recommends setting up conditional access policies on Microsoft 365 accounts to approved devices only, as well as enabling login alerts.
Users should also be wary of social engineering tactics that play on human psychology to successfully carry out phishing and other types of cyber attacks. Examples include messages that are unusual or out of character—especially for a sender you know or trust—communication that prompts an emotional response (like fear or curiosity), and requests that are urgent or offers that are too good to be true.
A social engineering explainer from CSO advises a “zero-trust mindset” as well as watching out for common signs like grammar and spelling mistakes and instructions to click links or open attachments. Screenshots of the Signal and WhatsApp messages shared by Volexity show small errors that give them away as potentially fraudulent.
