European Events Used by Russian Hackers in Targeted Phishing Campaigns

Volexity has uncovered new Russian-linked phishing campaigns exploiting Microsoft and Google authentication workflows, continuing a pattern of account compromise attacks first exposed by the firm earlier in 2025.

The threat actor, tracked as UTA0355, has launched sophisticated credential theft operations masquerading as registration portals for legitimate European security events.

Belgrade Security Conference Campaign

In October 2025, Volexity investigated an incident involving a compromised Microsoft 365 account linked to the Belgrade Security Conference (BSC).

The attack began with a spear-phishing email embedded in an existing conversation thread between legitimate contacts. The email contained a Microsoft OAuth authorization link that redirected victims to a fake registration page.

Once users had authenticated, they were unknowingly redirected to a blank page whose browser URL contained an OAuth code.

The attacker, posing as a conference organizer over WhatsApp, instructed the target to “share the full URL” to finalize registration, effectively handing over the authorization code needed to hijack their account.

After gaining access, UTA0355 registered a fake device in Microsoft Entra ID, mimicking the user’s legitimate system name.

Logins originated from Android devices using the Dalvik/2.1.0 user agent and proxy IPs, indicating post-compromise operational security measures.

A later phishing wave used a cloned domain, bsc2025[.]org, to harvest enterprise credentials. Targets entering non-priority email domains were shown mock registration confirmations, while valuable domains triggered a full Microsoft 365 login phish.

Brussels Indo-Pacific Dialogue Deception

The second campaign impersonated organizers of the Brussels Indo-Pacific Dialogue (BIPD), hosted by the Centre for Security, Diplomacy, and Strategy (CSDS) in Belgium.

Threat emails invited analysts, diplomats, and policymakers to participate in the forum, later directing them to brussels-indo-pacific-forum[.]org, a fake registration site.

The phishing flow abused Microsoft’s Device Code authentication to extract verification codes, a technique similar to one demonstrated in open-source proof-of-concept tools.
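A defender can hunt for the post-compromise traits reported for both campaigns (Dalvik/2.1.0 sign-ins, Device Code authentication, and a newly registered device that reuses the name of one the user already owns) by correlating sign-in and audit records. The following is an added example, not code from Volexity or the original article; the record layout, field names, the "Register device" activity label, and all sample values are constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample records. Field names are simplified assumptions modelled on
# Entra ID sign-in and audit log exports, not a verbatim schema.
SIGNINS = [
    {"user": "analyst@example.org", "time": "2025-10-14T09:02:11", "ip": "198.51.100.23",
     "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64)", "protocol": "oAuth2"},
    {"user": "analyst@example.org", "time": "2025-10-14T13:40:05", "ip": "203.0.113.77",
     "user_agent": "Dalvik/2.1.0 (Linux; U; Android 13)", "protocol": "oAuth2"},
    {"user": "fellow@example.org", "time": "2025-10-15T08:15:30", "ip": "203.0.113.90",
     "user_agent": "Mozilla/5.0 (X11; Linux x86_64)", "protocol": "deviceCode"},
]
AUDITS = [  # "Register device" is an assumed activity label for this example
    {"user": "analyst@example.org", "time": "2025-10-14T13:52:40",
     "activity": "Register device", "device_name": "DESKTOP-AN01"},
]
# Device names already registered per user before the review period (lower-cased).
KNOWN_DEVICES = {"analyst@example.org": {"desktop-an01"}, "fellow@example.org": {"laptop-fe07"}}


def signin_reasons(rec):
    """Return the indicators from the report that a sign-in record matches."""
    reasons = []
    if rec["user_agent"].startswith("Dalvik/2.1.0"):
        reasons.append("dalvik_user_agent")
    if rec["protocol"].lower() == "devicecode":
        reasons.append("device_code_flow")
    return reasons


def triage(signins, audits, known_devices, window=timedelta(hours=24)):
    """Correlate flagged sign-ins with device registrations that follow them."""
    findings = []
    for s in signins:
        reasons = signin_reasons(s)
        if not reasons:
            continue
        t0 = datetime.fromisoformat(s["time"])
        for a in audits:
            if a["user"] != s["user"] or a["activity"] != "Register device":
                continue
            delay = datetime.fromisoformat(a["time"]) - t0
            if timedelta(0) <= delay <= window:
                reasons.append("device_registered_after_signin")
                # A new device reusing a name the user already owns matches the mimicry reported.
                if a["device_name"].lower() in known_devices.get(s["user"], set()):
                    reasons.append("duplicate_device_name")
        findings.append({"user": s["user"], "ip": s["ip"], "time": s["time"], "reasons": reasons})
    return findings
```

Device Code sign-ins also occur legitimately, so a finding with only `device_code_flow` is a lead for review, while the combination with a duplicate-name device registration warrants immediate investigation.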

Volexity’s telemetry linked this activity to domains registered through Dynadot, including ustrs[.]com, and additional infrastructure spoofing the World Nuclear Exhibition.

Most malicious sign-ins were routed through U.S.-based residential proxy addresses, suggesting an effort to conceal attribution.

According to Volexity, UTA0355 maintains persistence and success through rapport-building tactics, fake websites, and cross-channel communications via Signal and WhatsApp.

Attackers also expand their target lists by soliciting referrals when potential victims decline to participate.

Volexity concludes that abuse of OAuth and Device Code authentication flows remains a favored technique among Russian cyber-espionage actors due to its effectiveness and stealth.

The firm warns organizations, especially those involved in foreign policy and security sectors, to remain vigilant against phishing tied to real-world events.

The post European Events Used by Russian Hackers in Targeted Phishing Campaigns appeared first on Cyber Security News.
