Dangerous Invitations: Russian Threat Actor Spoofs European Security Events in Targeted Phishing Attacks
Russian threat actor UTA0355 is conducting targeted phishing campaigns against foreign policy and government professionals by spoofing European security conferences. The attackers use rapport-building techniques and out-of-band messaging to trick victims into authorizing malicious Microsoft 365 OAuth applications and Device Code workflows, granting unauthorized access to their accounts.
Authors: Matthew Meltzer, Steven Adair, Tom Lancaster
Source: Volexity
Indicators of Compromise
- domain: brussels-indo-pacific-forum[.]org - Fake website impersonating the Brussels Indo-Pacific Dialogue, used for credential phishing.
- domain: bsc2025[.]org - Fake website impersonating the Belgrade Security Conference, used for credential phishing.
- domain: confirmyourflight-parisaeroport[.]com - Suspected UTA0355 infrastructure, registered with the same email service.
- domain: ustrs[.]com - Malicious domain used to host unique phishing links for the BIPD campaign.
- domain: wne-2025[.]com - Suspected UTA0355 infrastructure masquerading as the World Nuclear Exhibition.
- domain: world-nuclear-exhibition-paris[.]com - Suspected UTA0355 infrastructure masquerading as the World Nuclear Exhibition.
- email: invitationbipd[@]outlook[.]com - Sender address used in the Brussels Indo-Pacific Dialogue phishing campaign.
- email: sbunya[@]mailum[.]com - Email address used by the threat actor to register malicious infrastructure.
- url: hxxps://brussels-indo-pacific-dialogue[.]ustrs[.]com/ - Base URL for the unique phishing links sent to BIPD targets.
- url: hxxps://login[.]microsoft[.]com/common/oauth2/authorize?client_id=29d9ed98-a469-4536-ade2-f981bc1d605e&resource=01cb2876-7ebd-4aa4-9cc9-d28bd4d359a9&redirect_uri=https%3A%2F%2Flogin[.]microsoftonline[.]com%2FWebApp%2FCloudDomainJoin%2F8&response_type=code&amr_values=ngcmfa&login_hint=[user] - Malicious OAuth authorization URL (Microsoft Authentication Broker client, device-registration resource, MFA forced via amr_values=ngcmfa) used to obtain tokens on the victim's behalf.
- url: hxxps://login[.]microsoftonline[.]com/common/reprocess?ctx=rQQIARAAJU3P[snipped]m5T2D81&sessionId=941739c9[snipped]2e06bf63f947 - Microsoft 365 phishing workflow URL used in the BSC campaign.
What Happened
A Russian hacking group tracked as UTA0355 is targeting foreign policy experts and former government officials by pretending to host European security conferences. The attackers send realistic invitations and even chat with victims on WhatsApp or Signal to build trust. Eventually, they get the victims to click links that quietly grant the attackers access to their Microsoft 365 email and files. This is dangerous because the attackers never need the password: the victim completes a genuine Microsoft sign-in, MFA included, and the resulting tokens go to the attacker. Organizations should educate their staff about these event-themed lures and monitor for unusual account access and device registrations.
Key Takeaways
- Russian threat actor UTA0355 is conducting highly targeted phishing campaigns spoofing European security events.
- The attacks abuse Microsoft 365 OAuth and Device Code authentication workflows to bypass traditional credential theft defenses.
- Attackers employ rapport-building techniques, including out-of-band communication via WhatsApp and Signal, to guide victims through the malicious workflows.
- Fake, polished websites are created to impersonate legitimate conferences like the Belgrade Security Conference and Brussels Indo-Pacific Dialogue.
Affected Systems
- Microsoft 365
- Microsoft Entra ID
Attack Chain
The attacker initiates contact from a compromised or spoofed email account with an invitation to a fake security conference, then builds rapport, sometimes moving the conversation to WhatsApp or Signal. Once trust is established, the victim is sent a unique link to a polished fake registration site that asks for a corporate email address. Registration redirects the victim to a genuine Microsoft login page that starts either a Device Code prompt or an OAuth authorization request for the Microsoft Authentication Broker against the Device Registration Service (in the IOC URL, login_hint pre-fills the victim's address and amr_values=ngcmfa forces an MFA-backed sign-in, so the resulting token carries the MFA claim). If the victim completes the prompt, the authorization code or device-code token lands with the attacker, who uses it to register a device of their own in Entra ID and thereby keeps persistent access to the victim's Microsoft 365 mailbox and files.
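To make the IOC URL concrete, here is an added Python example (not Volexity's code and not part of the original report) that parses a Microsoft authorize URL and flags the combination of parameters that marks the device-join lure: the Microsoft Authentication Broker client ID, the Device Registration Service resource, the CloudDomainJoin redirect and forced MFA. The two application IDs are Microsoft's public first-party values. The sample URLs are constructed: the first is the page's own IOC, refanged (the login_hint placeholder is left as the page shows it); the benign URL and the device-code URL are assumptions for contrast, and the verdict thresholds are my own choice.

```python
"""Flag Microsoft identity-platform URLs that match the device-join OAuth lure.
Added example; sample URLs are constructed or refanged from the page's IOCs."""
from urllib.parse import urlparse, parse_qs

# Public first-party Microsoft application IDs (fixed values, not secrets).
MS_AUTH_BROKER = "29d9ed98-a469-4536-ade2-f981bc1d605e"   # Microsoft Authentication Broker
DEVICE_REG_SVC = "01cb2876-7ebd-4aa4-9cc9-d28bd4d359a9"   # Device Registration Service

# Hosts where a Microsoft sign-in or device-code prompt legitimately lives.
MS_LOGIN_HOSTS = {"login.microsoft.com", "login.microsoftonline.com",
                  "microsoft.com", "www.microsoft.com"}

# The page's IOC URL, still defanged (refang() undoes hxxp and [.]).
PAGE_IOC = ("hxxps://login[.]microsoft[.]com/common/oauth2/authorize"
            "?client_id=29d9ed98-a469-4536-ade2-f981bc1d605e"
            "&resource=01cb2876-7ebd-4aa4-9cc9-d28bd4d359a9"
            "&redirect_uri=https%3A%2F%2Flogin[.]microsoftonline[.]com%2FWebApp%2FCloudDomainJoin%2F8"
            "&response_type=code&amr_values=ngcmfa&login_hint=[user]")
# Constructed contrast cases (hypothetical client_id and redirect).
BENIGN_URL = ("https://login.microsoftonline.com/common/oauth2/v2.0/authorize"
              "?client_id=11111111-2222-3333-4444-555555555555&response_type=code"
              "&redirect_uri=https%3A%2F%2Fapp.example.com%2Fcallback&scope=openid")
DEVICE_CODE_URL = "https://microsoft.com/devicelogin"


def refang(ioc: str) -> str:
    """Undo the hxxp / [.] / [@] defanging used in threat reports."""
    return ioc.replace("hxxp", "http").replace("[.]", ".").replace("[@]", "@")


def analyze_auth_url(url: str) -> dict:
    """Return the suspicious traits of a Microsoft authorize/devicelogin URL."""
    u = urlparse(refang(url))
    if u.hostname not in MS_LOGIN_HOSTS:
        return {"host": u.hostname, "reasons": [], "verdict": "not-microsoft-login"}
    q = {k: v[0] for k, v in parse_qs(u.query).items()}   # first value of each param
    path = u.path.rstrip("/").lower()
    reasons = []
    if path.endswith("/devicelogin") or path.endswith("/deviceauth"):
        reasons.append("device code entry page (user is asked to type a code)")
    if q.get("client_id", "").lower() == MS_AUTH_BROKER:
        reasons.append("client_id is Microsoft Authentication Broker")
    if q.get("resource", "").lower() == DEVICE_REG_SVC:
        reasons.append("resource is Device Registration Service (device join)")
    if "/WebApp/CloudDomainJoin" in q.get("redirect_uri", ""):
        reasons.append("redirect_uri is the CloudDomainJoin web app")
    if "ngcmfa" in q.get("amr_values", ""):
        reasons.append("amr_values=ngcmfa forces a fresh MFA-claimed sign-in")
    if "login_hint" in q:
        reasons.append("login_hint pre-fills the target's address")
    # Scoring is a local choice: any device-code page is worth a look on its own;
    # three or more of the OAuth traits together is the lure itself.
    if any("device code" in r for r in reasons):
        verdict = "device-code prompt"
    elif len(reasons) >= 3:
        verdict = "device-join lure"
    elif reasons:
        verdict = "review"
    else:
        verdict = "benign"
    return {"host": u.hostname, "reasons": reasons, "verdict": verdict}


if __name__ == "__main__":
    for sample in (PAGE_IOC, BENIGN_URL, DEVICE_CODE_URL):
        r = analyze_auth_url(sample)
        print(r["verdict"], r["host"], *r["reasons"], sep="\n  ")
```

Run it over URLs extracted from proxy or email-gateway logs: the point is that every host involved is Microsoft's own, so domain reputation is useless and the parameter combination is the only thing that distinguishes this sign-in from a normal one.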
Detection Availability
- YARA Rules: No
- Sigma Rules: No
- Snort/Suricata Rules: No
- KQL Queries: No
- Splunk SPL Queries: No
- EQL Queries: No
- Other Detection Logic: No
The article does not provide specific detection rules, but mentions indicators are available on the Volexity threat intelligence platform.
Detection Engineering Assessment
- EDR Visibility: Low. This is primarily an identity and cloud attack; an endpoint agent sees little beyond browser traffic to legitimate Microsoft login URLs.
- Network Visibility: Medium. Network logs may show traffic to the fake conference domains, but the token theft itself happens over encrypted sessions to Microsoft endpoints.
- Detection Difficulty: Hard. The phishing rides legitimate Microsoft authentication endpoints and workflows, so it is difficult to distinguish from normal sign-ins without strict Conditional Access policies.
Required Log Sources
- Azure AD Sign-in Logs
- Azure AD Audit Logs
- Microsoft 365 Unified Audit Log
- Email Gateway Logs
Hunting Hypotheses
| Hypothesis | Telemetry | ATT&CK Stage | FP Risk |
|---|---|---|---|
| Consider hunting for new device registrations in Entra ID where the device name exactly matches an existing device but the OS or User-Agent differs (e.g., an iPhone name with an Android User-Agent). | Azure AD Audit Logs | Persistence | Low |
| Evaluate Azure AD sign-in logs for successful authentications involving the 'Microsoft Authentication Broker' application from unusual IP addresses or proxy networks. | Azure AD Sign-in Logs | Credential Access | Medium |
| Search email gateway logs for messages containing links to newly registered domains themed around security conferences or policy dialogues. | Email Gateway Logs | Initial Access | Medium |
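The first two hypotheses in the table, as an added Python example that is not from the original report. The records are constructed samples shaped like Entra ID audit and sign-in log entries (field names such as appId, resultType, userAgent, displayName and operatingSystem follow the Sentinel AuditLogs and SigninLogs schema loosely); the corporate egress range is an assumption. In a tenant you would express the same matching in KQL, but the logic is identical: a device registration that reuses a user's existing device name under a different OS, and a successful Microsoft Authentication Broker sign-in from outside corporate egress or with the Dalvik/Xiaomi user agent from the report.

```python
"""Hunt constructed Entra ID audit and sign-in records for the two traits above.
Added example; every record is a constructed sample, not tenant data."""
import ipaddress

MS_AUTH_BROKER = "29d9ed98-a469-4536-ade2-f981bc1d605e"          # public first-party app ID
CORP_NETS = [ipaddress.ip_network("203.0.113.0/24")]               # assumed corporate egress (TEST-NET-3)
DALVIK_UA = "Dalvik/2.1.0 (Linux; U; Android 14; 2211133C Build/UKQ1.230705.002) ;Xiaomi"  # from the report

# Existing device inventory (constructed).
DEVICES = [
    {"userPrincipalName": "anna@example.org", "displayName": "Anna-iPhone", "operatingSystem": "iOS"},
    {"userPrincipalName": "anna@example.org", "displayName": "DESKTOP-7Q2K", "operatingSystem": "Windows"},
]

# "Register device" audit events (constructed). The first clones Anna's phone name from Android.
AUDIT = [
    {"activity": "Register device", "userPrincipalName": "anna@example.org",
     "displayName": "Anna-iPhone", "operatingSystem": "Android", "userAgent": DALVIK_UA},
    {"activity": "Register device", "userPrincipalName": "bob@example.org",
     "displayName": "Bob-Laptop", "operatingSystem": "Windows", "userAgent": "Mozilla/5.0 (Windows NT 10.0)"},
]

# Sign-in events (constructed). resultType 0 is a successful sign-in.
SIGNINS = [
    {"userPrincipalName": "anna@example.org", "appId": MS_AUTH_BROKER, "resultType": 0,
     "ipAddress": "198.51.100.23", "userAgent": DALVIK_UA},
    {"userPrincipalName": "bob@example.org", "appId": MS_AUTH_BROKER, "resultType": 0,
     "ipAddress": "203.0.113.8", "userAgent": "Mozilla/5.0 (Windows NT 10.0)"},
    {"userPrincipalName": "carol@example.org", "appId": "other-app", "resultType": 0,
     "ipAddress": "198.51.100.9", "userAgent": "Mozilla/5.0 (Windows NT 10.0)"},
]


def duplicate_name_registrations(devices, audit):
    """Registrations whose display name matches one of the same user's existing
    devices but whose OS differs: the cloned-phone-name persistence trick."""
    known = {(d["userPrincipalName"], d["displayName"]): d["operatingSystem"] for d in devices}
    hits = []
    for ev in audit:
        if ev.get("activity") != "Register device":
            continue
        prior_os = known.get((ev["userPrincipalName"], ev["displayName"]))
        if prior_os and prior_os != ev["operatingSystem"]:
            hits.append({**ev, "priorOS": prior_os})
    return hits


def is_corporate(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CORP_NETS)


def suspicious_broker_signins(signins):
    """Successful Microsoft Authentication Broker sign-ins from outside corporate
    egress, or carrying the Dalvik/Xiaomi user agent seen in the campaign."""
    hits = []
    for s in signins:
        if s["appId"] != MS_AUTH_BROKER or s["resultType"] != 0:
            continue
        reasons = []
        if not is_corporate(s["ipAddress"]):
            reasons.append("non-corporate IP")
        ua = s.get("userAgent", "")
        if ua.startswith("Dalvik/") and "Xiaomi" in ua:
            reasons.append("Dalvik/Xiaomi user agent")
        if reasons:
            hits.append({**s, "reasons": reasons})
    return hits


if __name__ == "__main__":
    for h in duplicate_name_registrations(DEVICES, AUDIT):
        print("DUPLICATE DEVICE NAME", h["userPrincipalName"], h["displayName"], h["priorOS"], "->", h["operatingSystem"])
    for h in suspicious_broker_signins(SIGNINS):
        print("BROKER SIGN-IN", h["userPrincipalName"], h["ipAddress"], ", ".join(h["reasons"]))
```

The Authentication Broker check is deliberately broad: legitimate Android and iOS enrolments use the same app, so treat these hits as triage candidates and join them to the device-registration hits on user and time to raise confidence.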
Control Gaps
- Standard MFA (the victim satisfies MFA themselves inside the attacker-initiated OAuth or Device Code flow, so the token the attacker receives already carries the MFA claim)
- Email filtering (bypassed by sending from compromised accounts, by moving the conversation to WhatsApp or Signal, and by linking to legitimate Microsoft login URLs)
Key Behavioral Indicators
- User-Agent: Dalvik/2.1.0 (Linux; U; Android 14; 2211133C Build/UKQ1.230705.002) ;Xiaomi
- Cookie: cookie_reg containing Base64-encoded email
- Entra ID device registration matching existing device names exactly
False Positive Assessment
- Low
Recommendations
Immediate Mitigation
- Verify against your organization's incident response runbook and team escalation paths before acting.
- Consider reviewing Entra ID for recently registered devices and revoke access for any suspicious or duplicate device names.
- Evaluate whether to block the identified malicious domains and URLs at your secure web gateway or firewall.
Infrastructure Hardening
- Consider restricting user consent for third-party OAuth applications in Microsoft 365. Note the caveat: the authorization URL in this campaign targets Microsoft's own first-party Authentication Broker, which user consent settings do not govern, so consent restrictions help against third-party consent phishing but not against this particular flow.
- Evaluate Conditional Access policies that restrict sign-ins from unknown or proxy IP addresses and that require a compliant or managed device for Microsoft 365 access, so a token bound to an attacker-registered device cannot reach mail and files.
- If Device Code flow is not required for business operations, block it in Microsoft Entra ID; Conditional Access provides an authentication flows condition for exactly this purpose.
User Protection
- Consider enforcing phishing-resistant MFA (e.g., FIDO2 security keys). It narrows this gap but does not close it on its own: the victim completes a genuine Microsoft sign-in, MFA included, and the attacker receives the resulting token. Pair it with device-based Conditional Access and with the Device Code restriction above.
Security Awareness
- Consider training users on the risks of out-of-band communication (WhatsApp, Signal) for business purposes.
- Evaluate updating security awareness training to include examples of OAuth consent phishing and Device Code prompts.
MITRE ATT&CK Mapping
- T1566.002 - Phishing: Spearphishing Link
- T1566.003 - Phishing: Spearphishing via Service
- T1528 - Steal Application Access Token
- T1098 - Account Manipulation
- T1586.002 - Compromise Accounts: Email Accounts