Skip to main content
Live Webinar with SANS (June 25)— Agentic CTI Automation for Fun & ProfitRegister Free
Mallory
Back to threat actors

UTA0355

Also known asUTA0355

UTA0355 is a Russian threat actor tracked by Volexity and described in the provided content as state-affiliated and engaged in cyber-espionage. The actor has targeted Microsoft 365 and Google environments, including employees of organizations connected to Ukraine, NGOs, human rights advocates, foreign policy personnel, and individuals associated with European security events. Reported lures included fake or impersonated security and policy events such as the Belgrade Security Conference and the Brussels Indo-Pacific Dialogue, as well as invitations to Ukraine-related meetings. In some cases, initial outreach came from compromised Ukrainian government email accounts, followed by one-on-one social engineering over WhatsApp and Signal, including "live support" to guide victims through the attack flow. The actor abuses legitimate Microsoft OAuth 2.0 and Device Code authentication workflows rather than relying on malware or attacker-controlled OAuth applications. Reported tradecraft includes sending victims Microsoft-owned authorization URLs, convincing them to share Microsoft-generated OAuth authorization codes or URLs containing those codes, and using the stolen authorization code to obtain access to Microsoft 365 resources. Volexity reported that in an April 2025 variant, UTA0355 used a stolen OAuth authorization code to register a new device in Microsoft Entra ID and then socially engineered the victim into approving a 2FA prompt, enabling access to the victim's email. Separate reporting in the content states UTA0355 registered unauthorized rogue devices to steal Microsoft Graph API tokens and used tooling closely matching ROADtools token-management capabilities. Volexity also observed post-compromise access via proxy networks and device registrations designed to resemble legitimate victim devices. The content also explicitly associates UTA0355 with device code phishing activity and with campaigns spoofing European security events to steal Microsoft 365 OAuth tokens. No additional aliases or sub-groups beyond the name UTA0355 are directly provided in the content.

Share:
Are they targeting you?

Know when an actor pivots toward your sector

Mallory correlates actor tradecraft and target patterns against your stack, your sector, and your geography. See overlap before they land.

Start free trial
MITRE ATT&CK

Tradecraft

6 distinct techniques observed across reporting, grouped by tactic. Hover any cell for the evidence excerpt; click through for MITRE's full description.

5 of 15 tactics9 techniques×N= number of intelligence reports citing this technique
MITRE ATT&CK
TA0001
Initial Access
1 technique
T1566×4
Phishing
TA0003
Persistence
1 technique
T1098
Account Manipulation
T1098.005
Device Registration
TA0004
Privilege Escalation
1 technique
T1098
Account Manipulation
T1098.005
Device Registration
TA0006
Credential Access
3 techniques
T1528
Steal Application Access Token
T1621
Multi-Factor Authentication Request Generation
T1649×2
Steal or Forge Authentication Certificates
TA0007
Discovery
1 technique
T1526
Cloud Service Discovery
IOCS

Observables

6 indicators attributed to this actor: domains, IPs, hashes, and other artifacts pulled from reporting. View more in app.

6 IOCsView more in app

IOC values are gated. View more in Mallory for domains, IPs, hashes, and other artifacts, or pipe them straight into your SIEM.

ACTIVITY FEED

Recent activity

10 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

10 SOURCESView more in app
security online infoNews
May 28, 2026
ROADtools Cloud Attack Toolkit: Threat Intelligence Report

Observed in early 2025 phishing activity using ROADtools-related tradecraft to register rogue devices and steal Microsoft Graph API tokens.

Read more
cyber security newsNews
May 27, 2026
ROADtools Misused in Cloud Attacks to Steal Tokens and Bypass MFA Controls - Cyber Security News

Conducted a phishing campaign using tooling closely matching ROADtools token management capabilities in Microsoft cloud environments.

Read more
bleeping computerNews
Apr 1, 2026
New EvilTokens service fuels Microsoft device code phishing attacks

Referenced as a Russian threat group that has used device code phishing attacks to hijack Microsoft accounts.

Read more
security online infoNews
Dec 8, 2025
Russian APT UTA0355 Steals Microsoft 365 OAuth Tokens via Fake Security Conference Lures and WhatsApp Support

Steals Microsoft 365 OAuth tokens using fake security conference lures and WhatsApp-based support/social engineering.

Read more
+5 more in the timeline
What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: sector and geo overlap with your footprint, the IOCs they’re burning right now, detection coverage, and what to do next.
Start free trial
Target overlap

Match sector + geo + tech-stack targeting against your real footprint.

Tradecraft mapping6

Every observed MITRE ATT&CK technique, grouped by tactic.

Malware arsenal

Families this actor is known to deploy, with IOCs and behavior.

Exploited CVEs

CVEs this actor has used in known campaigns.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Observables6

Domains, IPs, and hashes tied to this actor, refreshed continuously.