Russian threat actors have been exploiting legitimate OAuth 2.0 authentication flows to hijack Microsoft 365 accounts belonging to employees of Ukrainian and human rights organizations. The attackers pose as European officials and contact their targets via WhatsApp and Signal, tricking them into providing Microsoft authorization codes or clicking on malicious links to collect login information and one-time access codes. Volexity, a cybersecurity company, first observed this activity in early March and has tracked two threat actors, UTA0352 and UTA0355, who are believed to be Russian. To prevent such attacks, Volexity recommends setting up alerts for client ID login in Visual Studio Code and restricting access to specific domains.