Russian Threat Actors Exploit OAuth to Target Ukrainian Support Networks
New sophisticated phishing campaign uses legitimate Microsoft infrastructure to bypass traditional security controls

Russian-linked threat actors have launched a sophisticated cyber espionage campaign targeting NGOs, human rights organisations, and individuals supporting Ukraine. The attacks, observed since March 2025, abuse Microsoft 365's legitimate OAuth 2.0 authorisation flows rather than any vulnerability in Microsoft's platform, so every step of the compromise looks like ordinary sign-in activity to traditional security controls.
The Anatomy of a Modern Espionage Campaign
Security researchers at Volexity have identified two distinct threat groups, designated UTA0352 and UTA0355, conducting highly targeted operations against organisations connected to Ukrainian humanitarian efforts. The sophistication of these attacks lies not in complex malware, but in the abuse of trusted platforms combined with patient, personalised social engineering.
The Attack Chain
The campaigns follow a carefully orchestrated multi-stage approach:
Initial Contact: Attackers reach out via Signal or WhatsApp, impersonating European diplomats or Ukrainian officials
Relationship Building: Conversations develop around legitimate-sounding meetings or conferences related to Ukrainian affairs
OAuth Exploitation: Victims are sent genuine Microsoft login links (the OAuth authorisation endpoint) and, after signing in, are asked to send back the authorisation code that appears in the resulting URL or page
Token Exchange: The attacker redeems the returned code for an access token and a refresh token, obtaining access that remains valid for up to 60 days without any further action from the victim
Data Exfiltration: Attackers gain access to Microsoft Graph data, exposing emails, files, and organisational information
Why This Attack Is So Effective
Leveraging Trusted Infrastructure
The attacks exclusively use Microsoft's legitimate OAuth infrastructure and first-party applications such as Visual Studio Code. First-party Microsoft applications are pre-authorised in every tenant, so the user sees no consent prompt listing the permissions being granted, and all authentication flows appear completely normal to both users and security systems.
Social Engineering at Scale
Rather than relying on mass phishing emails, attackers invest time in building relationships through messaging platforms, creating a false sense of trust and urgency around Ukrainian humanitarian issues.
Bypassing Traditional Defences
Because the attacks use legitimate Microsoft services and applications, traditional email security, web filtering, and endpoint protection solutions often fail to detect malicious activity.
Real-World Impact on NGO Operations
The targeting of NGOs and human rights organisations supporting Ukraine represents a strategic intelligence collection effort with potentially severe consequences:
Operational Security Compromise: Access to internal communications could expose ongoing humanitarian operations, putting field workers at risk
Donor Information Exposure: Financial records and donor communications could be compromised, affecting future fundraising capabilities
Network Mapping: Understanding organisational relationships could enable broader espionage campaigns against the Ukrainian support network
Strategic Intelligence: Access to policy discussions and strategic planning documents provides valuable intelligence for state actors
Technical Analysis: OAuth Exploitation
The technical execution demonstrates sophisticated understanding of Microsoft's authentication ecosystem:
Visual Studio Code Abuse
In one campaign variant, attackers sent victims a Microsoft sign-in link whose OAuth client was Visual Studio Code and whose redirect pointed at an online VS Code page. When users authenticated, that page displayed an authorisation code, which the attacker then asked for. Because the client is Microsoft's own first-party VS Code application, the code could be redeemed for Microsoft Graph access tokens under VS Code's broad delegated permissions, with no consent prompt to warn the user.
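The link in the attack chain above and the VS Code redirect just described, as an added example (this is not code from the Volexity report or from the original article): a small Python triage helper an analyst can run on a link a staff member forwards, or on the redirect URL they were asked to paste back to the "diplomat". The Visual Studio Code client ID is Microsoft's public first-party application ID (assumed to be the one the article means); the redirect hosts are the ones listed later in this article; the sample URLs are constructed, not captured from the campaign.

```python
from urllib.parse import urlparse, parse_qs

# Microsoft's public first-party application ID for Visual Studio Code
# (assumption: this well-known value is what the article's "Visual Studio Code
# client IDs" refers to).
VSCODE_CLIENT_ID = "aebc6443-996d-45c2-90f0-388ff96faa56"

# Redirect hosts the article names as used by the campaign.
SUSPECT_REDIRECT_HOSTS = {"insiders.vscode.dev", "vscode-redirect.azurewebsites.net"}

# Genuine Microsoft authorisation endpoints: the link itself is not the problem.
MS_AUTHORITY_HOSTS = {"login.microsoftonline.com", "login.microsoft.com", "login.live.com"}


def _query(url: str) -> dict:
    """First value of each query parameter, keys lower-cased (parse_qs URL-decodes)."""
    return {k.lower(): v[0] for k, v in parse_qs(urlparse(url).query).items()}


def triage_authorize_link(url: str) -> dict:
    """Classify an authorize link a staff member was sent.

    Nothing in the URL is forged; the risk is the combination of parameters:
    a code flow, a first-party client that needs no consent, a redirect to a
    page that shows the user the code, and offline_access for a refresh token.
    """
    u = urlparse(url)
    q = _query(url)
    redirect_host = urlparse(q.get("redirect_uri", "")).hostname
    scopes = q.get("scope", "").split()
    findings = []
    if u.hostname in MS_AUTHORITY_HOSTS and "/oauth2/" in u.path and u.path.endswith("/authorize"):
        findings.append("genuine Microsoft authorize endpoint; URL reputation checks will pass")
    if q.get("response_type") == "code":
        findings.append("authorization-code flow: the code is delivered in the redirect URL the user sees")
    if q.get("client_id") == VSCODE_CLIENT_ID:
        findings.append("client_id is first-party Visual Studio Code: no consent prompt, broad delegated Graph scopes")
    if redirect_host in SUSPECT_REDIRECT_HOSTS:
        findings.append(f"redirect_uri host {redirect_host} is one named in the campaign")
    if "offline_access" in scopes:
        findings.append("offline_access requested: a refresh token will be issued with the access token")
    suspicious = q.get("client_id") == VSCODE_CLIENT_ID and redirect_host in SUSPECT_REDIRECT_HOSTS
    return {"suspicious": suspicious, "client_id": q.get("client_id"),
            "redirect_host": redirect_host, "scopes": scopes, "findings": findings}


def extract_code_from_redirect(url: str) -> dict:
    """Inspect a redirect URL a user may have been asked to paste back to the attacker.

    The code is a one-time bearer credential until it is redeemed or expires,
    so only a redacted form is returned for logging and ticketing.
    """
    u = urlparse(url)
    q = _query(url)
    code = q.get("code")
    if not code:
        return {"has_code": False, "host": u.hostname}
    return {"has_code": True, "host": u.hostname,
            "on_suspect_host": u.hostname in SUSPECT_REDIRECT_HOSTS,
            "code_redacted": f"{code[:6]}...({len(code)} chars)",
            "state": q.get("state")}


# Constructed samples matching the shape the article describes; not captured from the campaign.
SAMPLE_AUTHORIZE_LINK = (
    "https://login.microsoftonline.com/common/oauth2/v2.0/authorize"
    "?client_id=aebc6443-996d-45c2-90f0-388ff96faa56"
    "&response_type=code"
    "&redirect_uri=https%3A%2F%2Finsiders.vscode.dev%2Fredirect"
    "&scope=https%3A%2F%2Fgraph.microsoft.com%2F.default%20offline_access"
    "&state=conference-invite"
)
SAMPLE_REDIRECT = "https://insiders.vscode.dev/redirect?code=0.AXkAconstructedcode1234567890&state=conference-invite"

if __name__ == "__main__":
    for line in triage_authorize_link(SAMPLE_AUTHORIZE_LINK)["findings"]:
        print("-", line)
    print(extract_code_from_redirect(SAMPLE_REDIRECT))
```

Treat a pasted redirect URL that contains a code as a leaked credential: if it has not expired, the only safe response is to revoke the user's sessions and refresh tokens and then look for a token redemption under the VS Code application in the sign-in logs.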
Device Registration
Using the access they had obtained, attackers registered new devices to victims' Entra ID (formerly Azure AD) accounts, persuading the victim over the same chat channel to approve the two-factor prompt this triggered. A registered device establishes persistent access that can survive password changes and appears in logs as legitimate user activity.
Long-Term Access
The access the attackers obtained remained usable for up to 60 days, allowing ongoing intelligence collection without repeated social engineering. In the OAuth 2.0 authorisation-code flow the access token itself is short-lived; it is the accompanying refresh token that lets the attacker keep minting new access tokens, so revoking refresh tokens, not merely resetting the password, is what actually ends the access.
Detection and Response Challenges
Traditional cybersecurity approaches face significant limitations against these attacks:
Legitimate Infrastructure: All network traffic flows through trusted Microsoft services
First-Party Applications: OAuth requests appear to come from genuine Microsoft applications
Social Engineering Components: The human element makes technical detection extremely difficult
Geopolitical Context: Attacks leverage real-world events and legitimate organisational interests
Indicators of Compromise
Organisations should monitor for these specific warning signs:
Technical Indicators:
- Sign-ins in which the application is Visual Studio Code (its first-party client ID) but the resource is Microsoft Graph, particularly for users who do not write software
- Redirects to insiders.vscode.dev or vscode-redirect.azurewebsites.net
- New device registrations from proxy IP addresses
- Unusual two-factor authentication approval requests
- Mailbox or file access through Microsoft Graph under application IDs that are not the organisation's usual mail and collaboration clients
Behavioural Indicators:
- Unsolicited contact via messaging apps from officials
- Requests for authentication codes following legitimate-seeming conversations
- Meeting invitations from unexpected sources related to Ukrainian affairs
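The technical indicators above, as an added example of detection logic (not the article's or Volexity's code): a Python hunt over records shaped like the Microsoft Graph `auditLogs/signIns` resource, as exported from Entra ID. It assumes the public first-party application IDs for Visual Studio Code and the Microsoft Authentication Broker, and the resource name `Device Registration Service` as it appears in sign-in logs; the sample records, the placeholder mail-client ID and the known-IP baseline are constructed. It goes slightly beyond the list by correlating the VS Code token redemption with a subsequent device registration, which is the UTA0355 sequence described earlier.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Public Microsoft first-party application IDs (assumption: these well-known
# values are the VS Code client ID and the broker used for device registration).
VSCODE_CLIENT_ID = "aebc6443-996d-45c2-90f0-388ff96faa56"
AUTH_BROKER_CLIENT_ID = "29d9ed98-a469-4536-ade2-f981bc1d605e"
DEVICE_REG_RESOURCE = "Device Registration Service"  # resourceDisplayName for registrations (assumption)


@dataclass
class Alert:
    when: datetime
    user: str
    rule: str
    detail: str


def _ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def hunt_oauth_code_phishing(signins, known_ips, window=timedelta(hours=24)):
    """Flag the sign-in sequence this campaign produces.

    signins:   records shaped like Graph auditLogs/signIns (only the fields used here)
    known_ips: user -> set of IP addresses seen for that user during a clean baseline period
    Rules: a VS Code token for Microsoft Graph, a device registration, the two in sequence,
    and a first sign-in from a previously unseen device at a previously unseen IP.
    """
    alerts, vscode_hits, known_devices = [], {}, {}
    for s in sorted(signins, key=lambda r: r["createdDateTime"]):
        if s.get("status", {}).get("errorCode", 0) != 0:
            continue  # failed sign-ins are out of scope for this hunt
        user, ip, t = s["userPrincipalName"], s["ipAddress"], _ts(s["createdDateTime"])
        app, resource, dev = s.get("appId"), s.get("resourceDisplayName"), s.get("deviceDetail", {})
        new_ip = ip not in known_ips.get(user, set())

        if app == VSCODE_CLIENT_ID and resource == "Microsoft Graph":
            vscode_hits.setdefault(user, []).append((t, ip))
            alerts.append(Alert(t, user, "vscode_graph_token",
                                f"VS Code token for Graph from {ip}" + (" (new IP)" if new_ip else "")))
        elif resource == DEVICE_REG_RESOURCE or app == AUTH_BROKER_CLIENT_ID:
            alerts.append(Alert(t, user, "device_registration", f"device registration from {ip}"))
            recent = [h for h in vscode_hits.get(user, []) if t - h[0] <= window]
            if recent:  # registration shortly after a VS Code token: the UTA0355 pattern
                alerts.append(Alert(t, user, "vscode_then_device_registration",
                                    f"{t - recent[-1][0]} after VS Code token from {recent[-1][1]}"))
        elif dev.get("deviceId") and dev["deviceId"] not in known_devices.get(user, set()) and new_ip:
            alerts.append(Alert(t, user, "new_device_new_ip",
                                f"unknown device {dev['deviceId']} ({dev.get('trustType')}) from {ip}"))
        if dev.get("deviceId"):
            known_devices.setdefault(user, set()).add(dev["deviceId"])
    return alerts


# Constructed sample records (not a real capture); the mail client app ID is a placeholder.
MAIL_APP_ID = "00000000-0000-0000-0000-00000000c0de"

def _rec(when, app, name, ip, resource, device="", trust="", err=0):
    return {"createdDateTime": when, "userPrincipalName": "analyst@ngo.example",
            "appId": app, "appDisplayName": name, "ipAddress": ip, "resourceDisplayName": resource,
            "deviceDetail": {"deviceId": device, "trustType": trust}, "status": {"errorCode": err}}

SAMPLE_SIGNINS = [
    _rec("2025-03-10T08:02:11Z", MAIL_APP_ID, "Mail client", "203.0.113.10", "Microsoft Graph", "dev-laptop", "Azure AD joined"),
    _rec("2025-03-12T14:20:45Z", VSCODE_CLIENT_ID, "Visual Studio Code", "198.51.100.77", "Microsoft Graph"),
    _rec("2025-03-12T15:05:02Z", AUTH_BROKER_CLIENT_ID, "Microsoft Authentication Broker", "198.51.100.77", DEVICE_REG_RESOURCE),
    _rec("2025-03-12T15:06:30Z", MAIL_APP_ID, "Mail client", "198.51.100.77", "Microsoft Graph", "dev-unknown", "Azure AD registered"),
    _rec("2025-03-12T16:00:00Z", VSCODE_CLIENT_ID, "Visual Studio Code", "198.51.100.78", "Microsoft Graph", err=50126),
]
KNOWN_IPS = {"analyst@ngo.example": {"203.0.113.10"}}  # baseline: the office egress address

if __name__ == "__main__":
    for a in hunt_oauth_code_phishing(SAMPLE_SIGNINS, KNOWN_IPS):
        print(a.when.isoformat(), a.user, a.rule, a.detail)
```

The VS Code rule alone will be noisy in an organisation with developers, which is why the baseline IP set and the correlation with a device registration are what turn it into an actionable alert; for a non-technical NGO population, any Visual Studio Code sign-in against Graph is worth a look on its own.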
Organisational Protection Strategies
Technical Controls
Conditional Access Policies: Require compliant or hybrid-joined devices and restrict sign-in locations in Microsoft 365; a policy that blocks the Visual Studio Code application, or requires a compliant device for it, removes the client this campaign relies on for the majority of users who never need it
OAuth Application Monitoring: Regularly audit authorised applications and consent grants, but note that first-party Microsoft applications such as Visual Studio Code never appear as a consent grant, so sign-in logs filtered by application and resource are the record that matters for this campaign
Device Registration Controls: Limit which users may register devices with Entra ID, require multi-factor authentication for registration, and review newly registered devices against the registering IP address and the user's normal sign-in locations
Advanced Threat Protection: Deploy Microsoft Defender or equivalent solutions with OAuth-specific detection capabilities
Process Improvements
Communication Protocols: Establish verification procedures for unsolicited meeting requests or collaboration invitations
Authentication Awareness: Train staff never to share authentication codes via messaging platforms
Incident Response Planning: Develop specific procedures for OAuth-based compromise scenarios
Staff Training
Social Engineering Awareness: Regular training on sophisticated social engineering tactics targeting NGO operations
Secure Communication: Guidance on verifying the identity of contacts claiming to be officials or partners
OAuth Security: Education about legitimate vs. suspicious authentication requests
How altiacyber Can Help
At altiacyber, we understand that modern cyber espionage campaigns require sophisticated defence strategies that go beyond traditional security measures.
1. Assessment Services
Penetration Testing: Comprehensive testing of your Microsoft 365 environment to identify OAuth-related vulnerabilities and configuration weaknesses
Red Teaming: Advanced social engineering simulations that replicate nation-state tactics to test your organisation's resilience
Vulnerability Assessment: Detailed review of authentication workflows, device policies, and access controls
2. Protection Services
Cloud Security: Advanced Microsoft 365 security implementation including conditional access, threat protection, and OAuth monitoring
Mail Security: Enhanced email security solutions that can detect sophisticated social engineering attempts
Endpoint Protection: Advanced endpoint detection and response solutions that monitor for unusual authentication activity
3. Governance and Compliance
Security Compliance Management: Ensure your Microsoft 365 deployment meets security standards appropriate for high-risk organisations
Moving Forward: A New Security Paradigm
Traditional cybersecurity approaches that focus on blocking malicious infrastructure and detecting anomalous network activity are insufficient against attacks that exclusively use trusted platforms and legitimate applications.
Organisations must adopt defence strategies that assume attackers will successfully impersonate trusted contacts and use legitimate services for malicious purposes.
The future of cybersecurity lies in understanding that the most dangerous attacks often look completely normal.
Concerned about OAuth security and social engineering threats targeting your organisation?
Contact altiacyber for a comprehensive security assessment tailored to the unique risks facing NGOs and civil society organisations.
Contact us at innovate@altiatech.com or call +44 (0)330 332 5482