TTPwire Vol. 1 · MITRE ATT&CK·Tagged


Volexity

Multiple Russian Threat Actors Targeting Microsoft Device Code Authentication

mindgrub · 2025-02-13

ATT&CK techniques detected

38 predictions
T1566.002 Spearphishing Link (100%)
"screenshot of one of the observed spear-phishing messages is shown below. The “Sign in to Microsoft Teams” button in the email body is a hyperlink that leads to the same https://www.microsoft.com/devicelogin URL observed in the other campaign. The attack flow and end…"

T1566.002 Spearphishing Link (100%)
"]com 144.172.113.77 medium; chromeelevationservice[.]com 167.88.162.72 medium; comms-net[.]com 107.189.26.199 high. Spoofing the United States Department of State: In early February 2025, Volexity observed multiple spear-phishing campaigns targeting users with fak…"

T1566.002 Spearphishing Link (99%)
"is especially important to have a responsive target, as the threat actor has only 15 minutes to convince the target to enter the code that has been generated. A different Device Code OAuth phishing technique: Volexity actually discovered the operations of UTA0307 following a succe…"

T1566.002 Spearphishing Link (99%)
"to access applications within the M365 tenant for the US Department of State. The invitation email was designed to look like a real invitation that would be sent from Microsoft, as shown below. In this instance, the “Accept invitation” hyperlink goes to https://www.microso…"

T1566.002 Spearphishing Link (99%)
"…vot and discover additional infrastructure it believes is likely operated by the group. The table below represents the list of infrastructure that Volexity has tied to this threat actor. Domain / IP address / Confidence: sen-comms[.]com 107.189.27.41 high; afpi-sec[.]com…"

T1566.002 Spearphishing Link (99%)
"…65 account. Campaign 2: M365 Teams Chat Invitation. CozyLarch launched a second campaign, in which they targeted users with a fake invitation to join a Microsoft Teams chat named “Measuring Influence Operations”. The email made it appear as though there were already 37 other…"

T1566.002 Spearphishing Link (99%)
"email was aimed at convincing the user to accept the invitation and enter a unique code provided in the phishing email. The link in the invitations would direct users to the Microsoft Device Code Authentication page. If the user entered the code provided in the phishing email, th…"

T1566.002 Spearphishing Link (99%)
"messaging application that offers the ability for users to self-host a server with functionality that includes group video chats. The “invitation” email sent is shown below. In fact, all hyperlinks in the email were linked to https://login.microsoftonline.com/common/…"

T1566.002 Spearphishing Link (98%)
"the threat actor to access to the user’s account. However, it is worth noting that this campaign was sent out of the blue, with no precursor or build up to the emails, so users would not be expecting these messages. Even if they were to fall for the campaign, they would have to…"

T1566.002 Spearphishing Link (98%)
"the initial discovery of UTA0304, Volexity worked backwards from detecting a breach to identifying the above spear-phishing emails. In this case, the victim had engaged from the initial email and had several messages back and forth with UTA0307 regarding a meeting being set up.…"

T1566.002 Spearphishing Link (97%)
"campaigns centered on discussing China’s foreign policy and China-European Union relations. The email subject lines used in these various campaigns are listed below: Trump and EU Discussion on Eastern Europe and the Caucasus; Discussion about Donald Trump’s New Term; Discuss…"

T1566.002 Spearphishing Link (96%)
"…promising Microsoft 365 accounts via Device Code Authentication phishing. Device Code Authentication phishing follows an atypical workflow to that expected by users, meaning users may not recognize it as phishing. Recent campaigns observed have been politically themed, particul…"

T1566.002 Spearphishing Link (96%)
"how the account was compromised. A review of login activity showed the legitimate user had logged in and approved a multi-factor authentication (MFA) request. However, subsequent access was not from the legitimate user’s IP address. This caused Volexity to initially suspect…"

T1078.004 Cloud Accounts (95%)
"time, Volexity is tracking this activity under three different threat actors and assesses with medium confidence that at least one of them is CozyLarch (overlapping with DarkHalo, APT29, Midnight Blizzard, CozyDuke). Volexity is tracking the remaining activity under UTA0304 and…"

T1566.002 Spearphishing Link (94%)
"common/oauth2/deviceauth, the page used for the Microsoft Device Code Authentication workflow. Clicking the link leads to the dialogue shown below. Microsoft describes the purpose of this workflow as allowing “users to sign in to input-constrained devices such as a smart…"

T1566.002 Spearphishing Link (94%)
"of a member of the European Parliament who is on the Committee on Foreign Affairs. The threat actor reached out to numerous individuals with personalized emails requesting a Microsoft Teams meeting to discuss Donald Trump and his impact on relations between the US and the Europea…"

T1078.004 Cloud Accounts (94%)
"…304 and UTA0307. It is possible that all the activity described in this blog post is a single threat actor, but despite the similar targeting, timing, and attack method, other observed components of the operations are different enough to be tracked separately, for now. From sec…"

T1566.002 Spearphishing Link (92%)
"chat room. This is where the email Volexity had discovered came into play. The message was a ploy to fool the user into thinking they were being invited into a secure chat, when in reality they were giving the attacker access to their account. The generated device codes are only…"

T1566.002 Spearphishing Link (92%)
"Multiple Russian Threat Actors Targeting Microsoft Device Code Authentication. Starting in mid-January 2025, Volexity identified several social-engineering and spear-phishing campaigns by Russian threat actors aimed at compromising Microsoft 365 (M365) accounts. These atta…"

T1566.002 Spearphishing Link (91%)
"…b-20250211, and TIB-20250213. If you are interested in learning more about Volexity’s services, including network security monitoring and incident response, or our leading memory forensics solutions, Volexity Surge Collect Pro for memory acquisition and Volexity Volcano f…"

T1566.002 Spearphishing Link (90%)
"secure chat application called Element. The attacker then had the victim join an Element server they controlled under the domain sen-comms[.]com. This allowed the attacker to further communicate with the victim in real time and inform them they needed to click a link from an…"

T1111 Multi-Factor Authentication Interception (80%)
"pass a security check by copying a code and entering it on a subsequent page. When the user clicks the “Next” button, a new tab is opened with the real Microsoft Device Code Authentication interface that requests an authentication code. If the victim enters the code supplied by…"

T1566.002 Spearphishing Link (75%)
"and can be used to reliably detect phishing emails that may have been sent. Using Wireless Proxy Networks for Email Distribution: Volexity also noted that the sending IP address associated with each spear-phishing email was recorded in the headers. Looking at the Received header…"

T1556.006 Multi-Factor Authentication (70%)
"pass a security check by copying a code and entering it on a subsequent page. When the user clicks the “Next” button, a new tab is opened with the real Microsoft Device Code Authentication interface that requests an authentication code. If the victim enters the code supplied by…"

T1556.006 Multi-Factor Authentication (69%)
"was set up to automatically generate a new Microsoft device code each time it was visited. The website was designed to appear as an official Microsoft interstitial page before the user can join a Microsoft Teams meeting. The message that appears on the landing page (shown below…"

T1566.002 Spearphishing Link (69%)
"an account. Volexity noted this activity was likely scripted, as the User-Agent string for later access and file downloads was the Python User-Agent string python-requests/2.25.1. Volexity then performed a detailed investigation into this incident, in an effort to ident…"

T1528 Steal Application Access Token (60%)
"the following entry: "originalTransferMethod": "deviceCodeFlow". These values can be searched and filtered on in the Entra admin center by adding filters for “Authentications protocol” and “Original transfer method”. The latter can be filtered in both interactive and no…"

T1111 Multi-Factor Authentication Interception (57%)
"was set up to automatically generate a new Microsoft device code each time it was visited. The website was designed to appear as an official Microsoft interstitial page before the user can join a Microsoft Teams meeting. The message that appears on the landing page (shown below…"

T1566.002 Spearphishing Link (55%)
"/devicelogin, which is a simple redirect that sends the user to https://login.microsoftonline.com/common/oauth2/deviceauth. The redirect link takes the user to the Microsoft Device Code OAuth workflow, and it is the same URL that UTA0304 directly embedded in their ph…"

T1566.002 Spearphishing Link (47%)
"…id phishing workflows is that, when a DeviceID code is generated, it is only valid for 15 minutes. Having an interstitial page that automatically generates new codes means UTA0307 does not have to worry about their phishing content expiring. UTA0307 Post-Compromise Activities…"

T1078.004 Cloud Accounts (45%)
"traditional sources of evidence and detection, both for a user and network defenders, are not present. For example: there is no “malicious” link or attachment. The only link is to the provider’s infrastructure (in this case, Microsoft). This means users cannot easily ident…"

T1589.002 Email Addresses (39%)
".]com; leslytthomson@gmail[.]com; mikedanvil@gmail[.]com; sheilmagnett@gmail[.]com; susannmarton@gmail[.]com. These addresses are believed to be controlled by CozyLarch and can be used to reliably detect phishing emails that may have been sent. Using Wireless Pro…"

T1528 Steal Application Access Token (37%)
"and non-interactive sign-ins. The frequency and legitimacy of these values occurring in the sign-in logs for a particular organization may vary, as this is a legitimate Microsoft feature. An organization can evaluate their risk and usage of these workflows, and potentially…"

T1566.002 Spearphishing Link (36%)
"…0eu3000u180eu3000 u180eu3000u180eu3000u180eu3000u180eu3000u180eu3000u180eu3000u180eu3000u180eu3000u180eu3000u180eu3000 u180eu3000u180eu3000u180e u061c cc: "<sheilmagnett@gmail[.]com>" The attacker attempted to make it appear as if the emails were from invites@microsoft[.…"

T1078.004 Cloud Accounts (36%)
"being suspicious, and automated solutions detecting malicious emails will likely fail to do so for the same reason. Users are generally less aware of attacks that leverage legitimate services, and may be even less aware when it comes to those that involve entering a device code r…"

T1586.002 Email Accounts (35%)
".]com; leslytthomson@gmail[.]com; mikedanvil@gmail[.]com; sheilmagnett@gmail[.]com; susannmarton@gmail[.]com. These addresses are believed to be controlled by CozyLarch and can be used to reliably detect phishing emails that may have been sent. Using Wireless Pro…"

T1566.002 Spearphishing Link (32%)
"…180eu3000u180eu3000 u180eu3000u180eu3000u180e u061c cc: "<sheilmagnett@gmail[.]com>" The attacker attempted to make it appear as if the emails were from invites@microsoft[.]com, and also set the Reply-To header as invites@microsoft[.]com. However, the true addre…"

T1078.004 Cloud Accounts (31%)
"/devicelogin, which is a simple redirect that sends the user to https://login.microsoftonline.com/common/oauth2/deviceauth. The redirect link takes the user to the Microsoft Device Code OAuth workflow, and it is the same URL that UTA0304 directly embedded in their ph…"

Summary

Starting in mid-January 2025, Volexity identified several social-engineering and spear-phishing campaigns by Russian threat actors aimed at compromising Microsoft 365 (M365) accounts. These attack campaigns were highly targeted and carried […]
