Russian Threat Actor UTA0355 Spoofs European Security Events in OAuth Phishing Campaigns
Volexity reports that Russian threat actor UTA0355 is conducting targeted phishing campaigns abusing Microsoft 365 OAuth and Device Code authentication workflows, spoofing legitimate European security events.

In early 2025, Volexity published two blog posts detailing a new trend among Russian threat actors targeting organizations through the abuse of Microsoft 365 OAuth and Device Code authentication workflows to gain access to Microsoft user accounts. Despite detailing these activities publicly, Volexity continues to see similar techniques being leveraged by Russian threat actors to heavily target both Microsoft and Google environments. While the techniques are similar, what changes is the variety of methods and themes used to target and socially engineer users.
In this blog post, Volexity explores two new campaigns observed abusing the OAuth and Device Code authentication workflows to phish credentials from end users. These attacks involved the creation of fake websites masquerading as legitimate international security events taking place in Europe, with the aim of tricking users who registered for these events into granting unauthorized access to their accounts. The following real events were used for this purpose in the campaigns observed by Volexity: Belgrade Security Conference (November 17-19, 2025) and Brussels Indo-Pacific Dialogue (December 2, 2025).
These campaigns used various methods to ensure success, including rapport-building phishing, where the attacker establishes communications with victims without sharing malicious content initially, only later sending a phishing link once the targeted user has confirmed their interest. The attacker also creates dedicated, polished, and professional-looking fake websites to help facilitate attacks. Additionally, the attacker offers to provide live support to targeted users via messaging apps like WhatsApp and Signal to ensure they correctly return the URL in the case of OAuth phishing workflows.
Volexity attributes these new campaigns to the Russian threat actor it tracks as UTA0355, the same threat actor Volexity previously reported on in April 2025. In October 2025, Volexity worked an incident in which a user's Microsoft 365 account had been identified as compromised following the detection of anomalous login activity. The investigation found that the user had received a spear-phishing email leading to an OAuth authentication workflow. The email came from an account the user had recently corresponded with, and it continued an existing, legitimate thread about the upcoming Belgrade Security Conference.
The attacker had been actively communicating with the targeted user on WhatsApp under two different identities related to the conference, both of which had been compromised. After successfully phishing the user, the attacker used the user's Microsoft account to access a wide variety of files through Microsoft 365. Not long after this highly targeted operation, Volexity observed broader targeting from an attacker-created Gmail account sending spear-phishing messages to a variety of targets, linking to a newly created website bsc2025[.]org that masqueraded as a dedicated domain for the Belgrade Security Conference.
These attacks highlight the evolving sophistication of Russian threat actors in abusing legitimate authentication workflows and social engineering tactics. Organizations should be vigilant about verifying the authenticity of event registration links and be cautious of unsolicited communications via messaging apps. Volexity recommends implementing conditional access policies and monitoring for anomalous OAuth consent grants to mitigate such threats.
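One way to turn the monitoring recommendation above into a check, as an added example that is not from the original article or from Volexity: it correlates a visit to the spoofed event domain named above with a later OAuth or Device Code sign-in from an IP address not previously seen for that user. The log schema, flow labels, 24-hour window, and sample records are constructed assumptions, not a Microsoft log format.

```python
from datetime import datetime, timedelta

SPOOFED_EVENT_DOMAINS = ["bsc2025[.]org"]  # indicator from the article, kept defanged
WINDOW = timedelta(hours=24)  # assumed correlation window
WATCHED_FLOWS = {"device_code", "oauth_code"}  # hypothetical flow labels

# Constructed sample events in a simplified, hypothetical schema.
PROXY_LOG = [
    {"user": "alice@example.org", "time": "2025-11-03T09:12:00", "host": "www.bsc2025.org"},
    {"user": "bob@example.org", "time": "2025-11-03T10:00:00", "host": "notbsc2025.org"},
    {"user": "carol@example.org", "time": "2025-11-03T11:00:00", "host": "bsc2025.org"},
]
SIGNIN_LOG = [
    {"user": "alice@example.org", "time": "2025-11-01T08:00:00", "flow": "interactive", "ip": "198.51.100.7"},
    {"user": "alice@example.org", "time": "2025-11-03T09:20:00", "flow": "device_code", "ip": "203.0.113.50"},
    {"user": "bob@example.org", "time": "2025-11-03T10:05:00", "flow": "device_code", "ip": "203.0.113.51"},
    {"user": "carol@example.org", "time": "2025-11-02T08:00:00", "flow": "interactive", "ip": "192.0.2.10"},
    {"user": "carol@example.org", "time": "2025-11-03T11:30:00", "flow": "oauth_code", "ip": "192.0.2.10"},
]

def refang(domain):
    """Turn a defanged indicator (bsc2025[.]org) into a matchable hostname."""
    return domain.replace("[.]", ".").lower()

def is_spoofed_host(host):
    """Match the indicator or any subdomain of it, but not look-alike suffixes."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d)
               for d in map(refang, SPOOFED_EVENT_DOMAINS))

def correlate(proxy_log, signin_log):
    """Return watched-flow sign-ins that follow a spoofed-site visit from a new IP."""
    visits = {}
    for e in proxy_log:
        if is_spoofed_host(e["host"]):
            visits.setdefault(e["user"], []).append(datetime.fromisoformat(e["time"]))
    alerts, seen_ips = [], {}
    for s in sorted(signin_log, key=lambda r: r["time"]):
        when = datetime.fromisoformat(s["time"])
        known = seen_ips.setdefault(s["user"], set())  # IPs seen earlier for this user
        after_visit = any(timedelta(0) <= when - v <= WINDOW
                          for v in visits.get(s["user"], []))
        if s["flow"] in WATCHED_FLOWS and after_visit and s["ip"] not in known:
            alerts.append((s["user"], s["time"], s["flow"], s["ip"]))
        known.add(s["ip"])
    return alerts

if __name__ == "__main__":
    print(correlate(PROXY_LOG, SIGNIN_LOG))
```

Requiring a previously unseen IP is a tuning choice that cuts noise; dropping that condition would also surface the third user's sign-in for manual review.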