Paubox blog: HIPAA compliant email - easy setup, no portals or passcodes

European security events exploited in Russian phishing campaigns

Written by Farah Amod | December 30, 2026

Researchers say attackers are abusing Microsoft and Google login workflows to hijack accounts through event-themed lures.


What happened

According to Cyber Press, a Russian-linked threat actor tracked as UTA0355 is running credential theft campaigns that impersonate legitimate European security conferences. The group used phishing emails and cloned event registration pages to trick targets into approving Microsoft OAuth and Device Code authentication requests. In one case, the attackers inserted themselves into an existing email thread about the Belgrade Security Conference to deliver a malicious Microsoft authorization link that ultimately allowed account takeover.


Going deeper

The campaigns focused on individuals involved in foreign policy, security research, and diplomatic work. Attackers embedded phishing messages into ongoing email threads to appear legitimate, then redirected victims to fake registration portals. In the Belgrade Security Conference incident, the authorization link was crafted by the attacker, so once the victim completed a genuine Microsoft sign-in and was asked to paste back the full browser URL they landed on, that URL carried a single-use OAuth authorization code the attacker could redeem for tokens to the account. After the compromise, the attackers registered rogue devices in Microsoft Entra ID and signed in using Android user agents and proxy infrastructure. A second wave impersonated the Brussels Indo Pacific Dialogue, using a cloned domain to abuse Microsoft Device Code authentication. Targets using high-value enterprise domains were served full login phishing pages, while others were shown fake confirmation screens.


What was said

Researchers say the actor relies heavily on trust-building tactics, including follow-up messages sent through WhatsApp or Signal that pose as event organizers. Researchers noted that once access is gained, the attackers attempt to blend in by naming devices after legitimate systems and routing traffic through residential proxy services. The firm warned that OAuth and Device Code flows remain attractive because the victim completes a genuine sign-in and the attacker receives tokens without ever capturing a password, so the activity looks legitimate to the user and leaves no stolen-credential trail. Researchers advised organizations to review Conditional Access policies (Entra ID can restrict the device code flow to users who actually need it) and closely monitor unusual device registrations.


In the know

According to GBHackers, analysis suggests the threat actor tracked as UTA0355 is not limiting its activity to a single campaign. The group is believed to be “experimenting with infrastructure for other significant events,” pointing to broader preparation beyond what has already been observed.

The analysis found that UTA0355’s “sustained investment in realistic event-themed lures,” combined with “multi-channel communication via email and messaging apps” and the “abuse of trusted cloud authentication flows,” reflects both the actor’s resources and how effective these techniques continue to be against high-value targets.

Across these operations, UTA0355 was observed systematically expanding its target pool by asking non-attending invitees to share contact details of colleagues who might be interested, effectively “crowdsourcing a curated victim list.” Access to compromised accounts is then routed through proxy networks, further obscuring attribution and attacker location.


FAQs

Why do attackers use real-world events as lures?

Events provide credible context, trusted branding, and natural reasons for users to interact with registration links and authentication prompts.


How does OAuth abuse differ from traditional phishing?

OAuth abuse relies on users approving access or handing over an authorization or device code rather than typing a password into a fake page. Because the victim completes the real sign-in, the attacker ends up with valid tokens and no password ever changes hands, so controls that look for stolen credentials or fake login pages can miss it.


Why are follow-up messages sent through messaging apps?

Using WhatsApp or Signal reinforces legitimacy and allows attackers to guide victims through the process in real time.


What warning signs should organizations look for?

Unexpected device registrations, sign-ins from unfamiliar platforms, and authentication activity tied to event-themed domains.
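The following is an added example, not code from the Paubox article or from the researchers it cites. It turns the warning signs above, and the monitoring advice in the "What was said" section, into a small detector that walks constructed Entra ID sign-in and audit records and flags device-code sign-ins, a sign-in platform the user has never used before, and a device registration that follows such a sign-in within a short window. Field names are modelled on the Microsoft Graph `signIn` and `directoryAudit` resources (an assumption: your log export must keep those names); the records, users and device names are constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone
import json

# Constructed records, not real telemetry. Field names follow the Microsoft Graph
# `signIn` and `directoryAudit` resources (assumption: your log export keeps them).
SIGN_INS = [
    {"id": "s1", "userPrincipalName": "analyst@example.org",
     "createdDateTime": "2026-02-01T09:00:00Z", "ipAddress": "203.0.113.10",
     "authenticationProtocol": "none", "status": {"errorCode": 0},
     "deviceDetail": {"operatingSystem": "Windows 11", "browser": "Edge 121.0"}},
    {"id": "s2", "userPrincipalName": "analyst@example.org",
     "createdDateTime": "2026-02-12T08:41:00Z", "ipAddress": "203.0.113.10",
     "authenticationProtocol": "none", "status": {"errorCode": 0},
     "deviceDetail": {"operatingSystem": "Windows 11", "browser": "Edge 121.0"}},
    # The pattern the article describes: a device-code sign-in reported as Android,
    # from an address the user has never used, followed by a device registration.
    {"id": "s3", "userPrincipalName": "analyst@example.org",
     "createdDateTime": "2026-02-20T14:05:00Z", "ipAddress": "198.51.100.77",
     "authenticationProtocol": "deviceCode", "status": {"errorCode": 0},
     "deviceDetail": {"operatingSystem": "Android", "browser": "Chrome Mobile 120.0"}},
    # Control: a user who genuinely works from Android every day must not be flagged.
    {"id": "s4", "userPrincipalName": "field@example.org",
     "createdDateTime": "2026-02-03T07:30:00Z", "ipAddress": "203.0.113.44",
     "authenticationProtocol": "none", "status": {"errorCode": 0},
     "deviceDetail": {"operatingSystem": "Android", "browser": "Chrome Mobile 120.0"}},
    {"id": "s5", "userPrincipalName": "field@example.org",
     "createdDateTime": "2026-02-21T07:32:00Z", "ipAddress": "203.0.113.44",
     "authenticationProtocol": "none", "status": {"errorCode": 0},
     "deviceDetail": {"operatingSystem": "Android", "browser": "Chrome Mobile 120.0"}},
]

AUDITS = [
    {"id": "a1", "activityDisplayName": "Register device",
     "activityDateTime": "2026-02-20T14:22:00Z",
     "initiatedBy": {"user": {"userPrincipalName": "analyst@example.org"}},
     "targetResources": [{"type": "Device", "displayName": "DESKTOP-7F2K1"}]},
    {"id": "a2", "activityDisplayName": "Register device",
     "activityDateTime": "2026-02-05T10:00:00Z",
     "initiatedBy": {"user": {"userPrincipalName": "field@example.org"}},
     "targetResources": [{"type": "Device", "displayName": "Pixel-field"}]},
]


def _ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def _os_family(sign_in):
    # "Windows 11" -> "windows", "Android" -> "android"; the version is noise here.
    return sign_in["deviceDetail"]["operatingSystem"].split()[0].lower()


def registrations_after(audits, user, start, window):
    """Names of devices that `user` registered within `window` after `start`."""
    names = []
    for audit in audits:
        if audit["activityDisplayName"] != "Register device":
            continue
        if audit["initiatedBy"].get("user", {}).get("userPrincipalName") != user:
            continue
        when = _ts(audit["activityDateTime"])
        if start <= when <= start + window:
            names.extend(t["displayName"] for t in audit["targetResources"]
                         if t["type"] == "Device")
    return names


def flag_sign_ins(sign_ins, audits, window=timedelta(hours=24)):
    """Walk successful sign-ins in time order. Each user's platform baseline is
    learned only from sign-ins that raised no flag, so an attacker's first
    Android session does not teach the detector that Android is normal."""
    baseline = defaultdict(set)
    findings = []
    for s in sorted(sign_ins, key=lambda x: _ts(x["createdDateTime"])):
        if s["status"]["errorCode"] != 0:
            continue
        user, family, start = s["userPrincipalName"], _os_family(s), _ts(s["createdDateTime"])
        reasons = {}
        if s.get("authenticationProtocol") == "deviceCode":
            reasons["device_code"] = "sign-in completed via the device code flow"
        if baseline[user] and family not in baseline[user]:
            reasons["new_platform"] = f"{family} not in baseline {sorted(baseline[user])}"
        if reasons:
            devices = registrations_after(audits, user, start, window)
            if devices:
                reasons["device_registered"] = f"registered {devices} within {window}"
            findings.append({"signInId": s["id"], "user": user,
                             "ip": s["ipAddress"], "reasons": reasons})
        else:
            baseline[user].add(family)
    return findings


if __name__ == "__main__":
    print(json.dumps(flag_sign_ins(SIGN_INS, AUDITS), indent=2))
```

Run on the constructed records, only `s3` is reported, with all three reasons, while the Android-only user is never flagged because their baseline is Android. In a real deployment the baseline would be seeded from weeks of history rather than built from the same batch, and the device-registration window would be tuned to your tenant's normal enrolment pattern.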


How can users protect themselves from these attacks?

They should verify event links independently, never share a browser URL or a device or authorization code with anyone, and confirm login requests through a trusted channel before approving them.