THREAT OPS › Threat News › Phishing for Codes: Russian Threat Actors Target Microsoft 365 OAuth Workflows
Phishing for Codes: Russian Threat Actors Target Microsoft 365 OAuth Workflows
<p><!-- START MG ACF TO CONTENT --></p> <div style="display: none;"> <section class="mgpb-hero mgpb-hero--detail mgpb-hero--light-blue mgpb-hero--background-image mgpb-hero--image"> <div class="mgpb-hero__container container"> <div class="row"> <div class="col-12"> <div class="mgpb-hero__inner d-flex flex-column flex-lg-row align-items-center"> <div class="mgpb-hero__content"> <div></div> </p></di
MITRE ATT&CK techniques
Indicators of compromise
- https://login.microsoftonline.com/organizations/oauth2/v2.0/authorize?state=https://mae.gov.ro/url
- https://login.microsoftonline.com/common/oauth2/authorize?redirect=https://zoom.us/j/<snip>&client_id=aebc6443-996d-45c2-90f0-388ff96faa56&resource=https://graph.microsoft.com&response_type=code&redirect_uri=https://vscode-redirect.azurewebsites.net&login_hint=<removed>&ui_locales=en-US&mkt=en-US&client-request-id=<removed>url
- http://127.0.0.1:9217/callback?code=1.ARsAIGLD9ki0FE63WmhS-KbgFENkvK5tmXurl
- https://login.microsoftonline.com/common/oauth2/authorize?url=https://teams.microsoft.com/url
- https://login.microsoftonline.com/WebApp/CloudDomainJoin/8?code=url
- https://dirkjanm.io/phishing-for-microsoft-entra-primary-refresh-tokens/url
- https://login.microsoftonline.com/organizations/oauth2/v2.0/authorize?state=url
- https://insiders.vscode.dev/redirecturl
- https://login.microsoftonline.com/common/oauth2/authorize?redirect=url
- https://graph.microsoft.com&response_type=code&redirect_uri=https://vscode-redirect.azurewebsites.net&login_hint=url
- email@address.hereemail
- 2flogin.microsoftonline.comdomain