We live in an era where simply clicking a video call link could lead to the digital equivalent of inviting a burglar in for tea—and hackers are getting increasingly creative with their invitations, especially when it comes to Microsoft 365 access.
The Evolving Art of Social Engineering (or: Why You Should Mistrust Even the Nicest Invitations)
Cybersecurity researchers have uncovered yet another way Russia-linked threat actors are targeting organizations, especially NGOs in and around Ukraine, with schemes that would make even the savviest private eye suspicious. These are not the typical phishing emails that rely on clumsy grammar and poor Photoshop skills. No, the latest iteration involves seemingly benign video call links sent via reputable messaging apps like Signal or WhatsApp. The intent? To wrest control of Microsoft 365 environments by duping staff into serving up OAuth access tokens, all under the delightful pretense of "let’s discuss the Ukraine conflict over a call."

OAuth, for the uninitiated, is the protocol that graciously lets apps sign into one another without the fuss of passwords—a system that’s often too convenient for its own good. A would-be victim gets a friendly ping about an important meeting, usually from someone claiming to be a security official or ambassador. The link that follows isn’t for a conversation about world affairs—it’s a near-perfectly executed bad actor’s trick to get an OAuth code, which the sender promptly requests, solemnly promising it’s “just part of the setup.” You can guess what happens if the target obliges.
Now, at this point you might ask, “Would anyone fall for this?” But consider the context: busy professionals, persistent geopolitical crises, and the comforting familiarity of big-brand apps. The odds are better than you’d think.
What’s Really at Stake? (Hint: Not Just Your Calendar)
This isn’t just about hijacked calendar invites or snooped-on Teams chats. Access tokens generated through this OAuth hijack can give attackers a dizzying suite of permissions—potentially email, files, contact lists, and administrative controls. Essentially, a successful attack opens a well-organized digital filing cabinet to anyone with the code. No safe needs cracking, no lasers need dodging. Just a bit of classic misdirection.

For NGOs, think tanks, and human rights organizations—especially those working in and around Ukraine—this isn’t a hypothetical threat. Researchers at Volexity, the firm blowing the whistle here, noted that these attacks specifically targeted staff with experience on Ukrainian issues, using highly credible pretexts and platforms. One outreach might pose as a French ambassador’s aide; another claims to set up a confidential meeting with European officials.
So, beyond the embarrassment of getting duped, the real risk is exposure of sensitive intel, disruption of operations, and—worst of all—the further endangerment of vulnerable communities relying on the security of these organizations.
And for IT professionals everywhere, the lesson is grimly evergreen: human error, abetted by clever social engineering, remains the weakest link.
The Usual Suspects, With a New Script
According to Volexity, the threat actors involved (UTA0352 and UTA0355—stock up on the acronyms, folks) aren’t yet officially mapped to the major Russian APT (advanced persistent threat) groups, but their MO overlaps with campaigns previously seen leveraging Microsoft’s Device Code Authentication flows. In that earlier campaign, hackers convinced users to surrender codes meant to let TVs and similar non-keyboard gadgets access resources—a trick as ingenious as it is unsettling.

In short, the hackers have gotten creative, repurposing legitimate authentication flows in ways that make a mockery of “zero trust” unless everyone in your org has a healthy distrust of literally every click.
Realistically, if your average user can’t comply with two-factor without glue notes, is it any wonder these campaigns work?
Microsoft 365—the World’s Favorite Target
Let’s be honest: Microsoft 365 is a deliciously tempting target for cybercriminals. It’s everywhere, from dusty nonprofits and sprawling enterprises to humble community groups. Where else do you get email, shared files, call logs, and collaborative docs all behind a (sometimes figurative) single pane of glass? The sprawling attack surface makes it a perennial favorite.

Oh, and don't get smug, IT admins: researchers at SecurityScorecard recently unearthed botnets leveraging password-spraying techniques—essentially, guessing weak passwords en masse—to brute-force M365 accounts. These attacks aren’t elegant, but they’re undeniably effective, especially when corporate password policies translate to "season + year + 123!"
At this point, we should all know the mantra: if security is not baked into every corner, your cloud is just a fog.
The Phishing Playbook: Messaging Apps, Urgency & Trust
What makes these campaigns particularly harrowing is the use of trusted, “secure” messaging apps as the initial delivery mechanism. Signal, WhatsApp, and others have gained their reputation as safer alternatives to email, so when an unsolicited but plausible message pops up, many users let their guard down. If the messenger seems like an official—especially in high-stakes political or humanitarian work—the mental “suspicious” filter may be turned off entirely.

The attackers’ techniques reveal a nuanced grasp of social contexts. They know that in NGO and diplomatic circles, video meetings are routine, high priority, and sometimes urgent. The explicit connection to Ukraine, and plausible references to European officials, leverage both urgency and recent events to bypass skepticism.
This is not lazy phishing; it’s more like spear-fishing with live bait.
Real-World Implications: What IT Should Worry About
So, you’re an IT administrator or security lead at an NGO. What do these campaigns mean in practical terms?

First, your “tips and tricks” carousel about suspicious emails won’t cut it for WhatsApp or Signal. You need bespoke phishing awareness for messaging platforms most users think are unphishable.
Second, these attacks raise the stakes for OAuth security. Too many organizations treat OAuth permissions as “click-through” territory. Rethink your application consent model, implement conditional access policies, and review audit logs like you’re looking for truffles in a forest.
Third, and perhaps most importantly, you can’t rely on technical defenses alone. Training staff to recognize not just traditional phishing, but plausible social engineering tactics involving apps and device codes, is now mission-critical. If a vendor tries to sell you security training that hasn’t been updated since “phishing” still implied email, send them packing.
Under the Hood: OAuth Abused
The cleverness of this latest threat is its exploitation of OAuth’s intent—an authentication dance designed for convenience over friction. Legitimate apps ask for codes to prove you own them, not to surrender the keys to your digital kingdom. But where people, speed, and pressure meet, attackers thrive.

An OAuth code is just a number, until it isn’t. In the wrong hands (and with the right timing), it’s the skeleton key. Attackers no longer need to ask for passwords. Why bother, when you can get tokens directly by leaning into authentication flows users don’t understand?
Let’s face it: most end-users treat pop-up authentication prompts like Terms & Conditions pages. Accept, enter, move on. The industry’s hope, perhaps, is that eventually people will learn—but so far, that’s optimism bordering on fantasy.
Hidden Risks and Notable Strengths
What’s not in the headlines, but should be, is the slippery nature of trust boundaries in OAuth. Many organizations rely on third-party apps with far-reaching permissions. One staffer’s mistake can ripple through entire tenant environments, especially if overly broad scopes are granted by default. The principle of least privilege is too often ignored, especially in NGOs scrambling to deliver services.

On the upside, increased scrutiny and reporting—like Volexity’s work—shines a light on attack chains and pushes vendors and customers alike to adopt more sophisticated defenses. And, to Microsoft’s credit, the attack surface exists because M365 is foundational to so many. Where there’s value, there are attacks, and the arms race for better defense continues.
Training? Vigilance? Or Both?
In the recommendations department, Volexity’s message is simple: organizations must train users to exercise both skepticism and vigilance, especially with unsolicited requests—even on messaging platforms considered secure. If that sounds repetitive, well… security advice persists because the alternative is much, much scarier.

Organizations using Microsoft 365 need to realize that "business as usual" now means "risk as usual." It’s not enough to lock down passwords and enforce MFA. You must assume that creative attackers are constantly testing new methods, that your staff’s muscle memory is a target, and that the cloud’s greatest weakness might be the social user floating somewhere between HR and the coffee machine.
Opportunities for Improvement (That Aren’t Just Wishful Thinking)
Emerging from this cycle of attacks are several critical areas for improvement:

- Limiting Application Consent: Most organizations allow users to authorize new OAuth apps far too freely. Enforce admin approval for new app connections—yes, even if this means an extra step for staff.
- Conditional Access Policies: If you aren’t running device and location checks before accepting new app grants, you’re playing with fire.
- Security Awareness for the Messaging Age: Security training must keep up with users’ habits. Include messaging apps, not just email, in your drills and simulations.
- Logging and Alerting: Know when OAuth flows are being abused. Detailed logs and tuned alerts are worth their weight in cyber-gold.
- Zero Trust isn’t Just a Slogan: Apply granular controls to all cloud access, especially when privileged admin or sensitive data is in play.
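The "Logging and Alerting" item above, worked through as an added example that is not from the article, Volexity or Microsoft: a small Python triage over constructed Microsoft Entra sign-in records shaped like Microsoft Graph `signIn` objects (the field names `userPrincipalName`, `appDisplayName`, `ipAddress`, `authenticationProtocol` and `createdDateTime` are assumed from that schema, with `deviceCode` marking the device-code flow the earlier campaign abused). It flags device-code redemptions and the first use of an app from an address the user has never signed in from, which is the footprint a stolen authorization code leaves once the attacker redeems it.

```python
import json
from datetime import datetime, timezone

# Constructed sample, one JSON sign-in record per line (not real telemetry).
# The first two lines are the user's normal history; the last two resemble a
# token-phishing outcome: a device-code redemption, then a never-before-seen
# app, both from an address the user has never used. "ExampleMeetingApp" is
# a placeholder name, not a real application.
SAMPLE_LOG = """
{"userPrincipalName":"analyst@ngo.example","appDisplayName":"Microsoft Teams","ipAddress":"203.0.113.10","authenticationProtocol":"none","createdDateTime":"2025-04-01T08:00:00Z"}
{"userPrincipalName":"analyst@ngo.example","appDisplayName":"Outlook","ipAddress":"203.0.113.10","authenticationProtocol":"none","createdDateTime":"2025-04-02T09:12:00Z"}
{"userPrincipalName":"analyst@ngo.example","appDisplayName":"Outlook","ipAddress":"198.51.100.77","authenticationProtocol":"deviceCode","createdDateTime":"2025-04-22T14:03:00Z"}
{"userPrincipalName":"analyst@ngo.example","appDisplayName":"ExampleMeetingApp","ipAddress":"198.51.100.77","authenticationProtocol":"none","createdDateTime":"2025-04-22T14:05:00Z"}
"""

# Records before this instant are treated as trusted history (the baseline).
CUTOFF = datetime(2025, 4, 15, tzinfo=timezone.utc)

def parse_log(text):
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def when(rec):
    return datetime.strptime(rec["createdDateTime"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def build_baseline(records, cutoff):
    """Per-user sets of apps and source IPs seen before the cutoff."""
    seen = {}
    for rec in records:
        if when(rec) < cutoff:
            hist = seen.setdefault(rec["userPrincipalName"], {"apps": set(), "ips": set()})
            hist["apps"].add(rec["appDisplayName"])
            hist["ips"].add(rec["ipAddress"])
    return seen

def triage(records, cutoff):
    """Return one finding per post-cutoff sign-in that deserves an analyst's eyes."""
    baseline = build_baseline(records, cutoff)
    findings = []
    for rec in records:
        if when(rec) < cutoff:
            continue
        hist = baseline.get(rec["userPrincipalName"], {"apps": set(), "ips": set()})
        reasons = []
        if rec.get("authenticationProtocol") == "deviceCode":
            # A code a human typed somewhere: confirm the user actually did it.
            reasons.append("device code flow redeemed")
        if rec["appDisplayName"] not in hist["apps"] and rec["ipAddress"] not in hist["ips"]:
            # A known app from a new IP alone is just travel; new app AND new IP is not.
            reasons.append("new app from an IP never seen for this user")
        if reasons:
            findings.append({"user": rec["userPrincipalName"], "app": rec["appDisplayName"],
                             "ip": rec["ipAddress"], "time": rec["createdDateTime"], "reasons": reasons})
    return findings

if __name__ == "__main__":
    for f in triage(parse_log(SAMPLE_LOG), CUTOFF):
        print(f["time"], f["user"], f["app"], f["ip"], "; ".join(f["reasons"]))
```

On a real tenant the baseline would come from weeks of exported sign-in logs rather than two lines, and a hit should be paired with a review of that user's recent consent grants.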
For IT Professionals: Takeaways That Actually Matter
Here’s what distinguishes the best-prepared organizations from those just one video call away from disaster:

- Know your environment’s OAuth settings like you know your favorite coffee order.
- Train users to question, question, question—especially when urgency and authority collide in unexpected places.
- Invest in up-to-date training. Stale advice is more dangerous than none.
- Work with vendors who understand modern threat models, not just 2002’s viruses.
- Assume attackers are familiar with your workflows. Because they probably are.
The Bottom Line: If It Looks Like a Video Call, Smells Like a Video Call…
…maybe fact-check before you click. The social engineering arms race isn’t slowing, and the responsibility for security now rests with every user, not just those behind policy screens.

For those of us who spend our days defending the indefensible, the message is clear: vigilance can’t be delegated. If training hasn’t included WhatsApp, Signal, and OAuth bingo, it’s time to update your playbooks. And remember: in the Microsoft 365 world, your next “urgent” meeting invite could be a wolf in sheep’s bandwidth.
May your codes stay secure and your video calls boring. If they aren’t, at least make sure you’re not the next headline.
Source: The Record from Recorded Future News Beware of video call links that are attempts to steal Microsoft 365 access, researchers tell NGOs