
Russian hackers have launched a sophisticated new phishing attack targeting Microsoft 365 users through popular messaging apps, posing as government officials connected to Ukraine to steal sensitive credentials.
At a Glance
- Russian threat actors are impersonating European political officials via WhatsApp and Signal to target organizations working on Ukraine and human rights issues
- The sophisticated attack uses OAuth phishing links that provide attackers with long-term access to Microsoft 365 accounts, even if passwords are changed
- Attackers begin by inviting targets to fake video conferences about Ukraine, then send PDF instructions with malicious authentication links
- Microsoft reports thwarting $4 billion in fraud attempts between April 2024 and April 2025 and is actively working to combat these increasingly AI-enhanced attacks
Diplomatic Deception: How the Attack Works
Cybersecurity firm Volexity has uncovered a dangerous new phishing campaign targeting Microsoft 365 users, with attackers believed to be Russians posing as European political officials or diplomats. The sophisticated operation specifically targets employees of organizations working on Ukraine-related issues and human rights concerns. This represents a significant escalation in both the tactics and potential consequences of phishing attacks that threaten American and allied interests.
The attack begins with unsolicited messages through WhatsApp or Signal, where perpetrators claim to be representatives from various European diplomatic missions. The fraudulent communication invites targets to participate in a video call or conference about Ukraine-related matters, establishing a false sense of legitimacy. Once engagement is established, victims receive PDF instructions and an OAuth phishing URL designed to mimic legitimate Microsoft authentication processes.
Long-Term Account Compromise Through OAuth Exploitation
What makes this attack particularly dangerous is its use of OAuth, a legitimate access-delegation standard used by Microsoft and other tech companies. Unlike traditional password theft, an OAuth compromise leaves attackers holding access tokens that remain valid for up to 60 days. Because of this persistence, changing the password does not revoke the attackers’ access to the compromised Microsoft 365 resources, so they can keep reading emails, documents, and other sensitive information.
The landing page created by attackers presents victims with an authentication code that appears legitimate but actually provides attackers with extended access to Microsoft services. This sophisticated approach exploits trusted workflows, making detection particularly challenging for security teams. The entire operation represents a calculated effort to gain intelligence on Ukraine-related matters, potentially supporting Russian information operations.
Microsoft’s Response to Escalating Cyber Threats
Microsoft has acknowledged the growing sophistication of such attacks and is actively working to protect its platforms. Between April 2024 and April 2025, the company thwarted $4 billion in fraud attempts, rejected 49,000 fraudulent partnership enrollments, and blocked approximately 1.6 million bot signup attempts per hour. The tech giant has also implemented numerous security measures across its products to combat these evolving threats.
“Cybercrime is a trillion-dollar problem, and it’s been going up every year for the past 30 years. I think we have an opportunity today to adopt AI faster so we can detect and close the gap of exposure quickly. Now we have AI that can make a difference at scale and help us build security and fraud protections into our products much faster,” said Kelly Bissell.
The company’s Digital Crimes Unit collaborates with law enforcement to disrupt malicious infrastructure used by criminals. In a significant countermeasure, Microsoft and the US Department of Justice have taken down over 180 websites related to a Russian threat actor called Star Blizzard since October 2024. This demonstrates the serious national security implications of these sophisticated phishing operations targeting American allies and interests.
Protecting Yourself from Advanced Phishing Attacks
Cybersecurity experts recommend several defensive measures to protect against these sophisticated attacks. Setting up conditional access policies that restrict access to authorized devices provides a crucial first line of defense. Enabling login alerts on Microsoft 365 accounts can immediately notify users of suspicious login attempts. Additionally, maintaining awareness of common phishing signs, such as unsolicited messages from unknown contacts requesting urgent action, remains essential.
“If I protect Microsoft, that’s good, but it’s not sufficient. In the same way, if Apple does their thing, and Google does their thing, but if we’re not working together, we’ve all missed the bigger opportunity. We must share cybercrime information with each other and educate the public. If we can have a three-pronged approach of tech companies building security and fraud protection into their products, public awareness, and sharing cybercrime and fraudster information with law enforcement, I think we can make a big difference,” added Bissell.
For organizations using Microsoft services, tools like Microsoft Defender XDR and Microsoft Sentinel offer robust protection against these threats. Adopting a zero-trust approach to all digital communications, especially those related to sensitive topics or requesting authentication, provides the best defense against increasingly sophisticated foreign-backed phishing campaigns targeting American interests and allies.
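The two practical points above, that OAuth tokens outlive a password reset (under Long-Term Account Compromise) and that organizations should tighten access controls, imply a concrete response step when an account is suspected of having consented to a phishing app: revoke the user's refresh tokens and review the OAuth consents on the account. The following is an added example, not code from the article, Volexity or Microsoft; it uses Microsoft Graph PowerShell SDK cmdlets, and the user principal name, the permission scopes and the interactive review gate are assumptions.

```powershell
# Added example: respond to a suspected OAuth-token compromise of one Microsoft 365 user.
# Assumes the Microsoft Graph PowerShell SDK is installed and the caller holds a role
# allowed to revoke sessions and remove OAuth2 permission grants (assumption).
param(
    [Parameter(Mandatory = $true)]
    [string]$UserPrincipalName   # placeholder, e.g. "analyst@example.org"
)

# Scopes assumed sufficient for the calls below (assumption; adjust to tenant policy).
Connect-MgGraph -Scopes "User.Read.All",
                        "User.RevokeSessions.All",
                        "DelegatedPermissionGrant.ReadWrite.All",
                        "Application.Read.All"

$user = Get-MgUser -UserId $UserPrincipalName -Property Id,UserPrincipalName

# 1. Invalidate the user's refresh tokens and session cookies. A password reset alone
#    does not do this, which is why the article's attackers keep access after a reset.
Revoke-MgUserSignInSession -UserId $user.Id | Out-Null
Write-Host "Revoked refresh tokens and sign-in sessions for $($user.UserPrincipalName)"

# 2. List every delegated OAuth2 permission grant made by this user so an analyst can
#    spot an application the user consented to during the phishing flow.
$grants = Get-MgUserOauth2PermissionGrant -UserId $user.Id -All
$report = foreach ($g in $grants) {
    $sp = Get-MgServicePrincipal -ServicePrincipalId $g.ClientId
    [pscustomobject]@{
        GrantId     = $g.Id
        App         = $sp.DisplayName
        AppId       = $sp.AppId
        Scopes      = $g.Scope
        ConsentType = $g.ConsentType   # "Principal" = this user; "AllPrincipals" = tenant-wide
    }
}
$report | Format-Table -AutoSize

# 3. Remove a grant only after an analyst has confirmed it is unwanted. Note that an
#    "AllPrincipals" grant is tenant-wide, so removing it affects every user.
$toRemove = Read-Host "Enter a GrantId to revoke (blank to skip)"
if ($toRemove) {
    Remove-MgOauth2PermissionGrant -OAuth2PermissionGrantId $toRemove
    Write-Host "Removed grant $toRemove"
}
```

Run it once per affected user; the consent listing is the part worth keeping as an incident artifact, since it records which application and scopes the phishing flow obtained.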