Skip to main content
Live Webinar with SANS (June 25)— Agentic CTI Automation for Fun & ProfitRegister Free
Mallory
Back to threat actors
🇷🇺 RU

UTA0307

Also known asuta0307

UTA0307 is a Russia-aligned threat actor cluster referenced in reporting on Microsoft 365-focused phishing and authentication abuse. The content directly associates UTA0307 with device code phishing activity, alongside other Russia-aligned groups including Storm-2372, APT29, UTA0304, and UNK_AcademicFlare. This tradecraft abuses Microsoft’s legitimate OAuth device authorization flow by sending victims to the real microsoft[.]com/devicelogin endpoint and tricking them into entering attacker-supplied device codes, resulting in issuance of access and refresh tokens that can enable persistent account access even after password resets. Reported targeting tied to these broader Russia-aligned device code phishing operations includes Microsoft 365 users at organizations in the United States, Canada, Australia, New Zealand, and Germany, spanning construction, non-profit, real estate, manufacturing, financial services, healthcare, legal, and government sectors, as well as government, think tanks, higher education, transportation, Ukraine-related, and human rights-linked targets in the U.S. and Europe. The content also notes that Volexity did not rule out possible links between separate Microsoft OAuth social-engineering activity and APT29, UTA0304, and UTA0307, but does not provide a firm attribution for that activity to UTA0307. Known alias in the provided content: uta0307.

Share:
Are they targeting you?

Know when an actor pivots toward your sector

Mallory correlates actor tradecraft and target patterns against your stack, your sector, and your geography. See overlap before they land.

Start free trial
OPERATIONAL PROFILE

Targeting

Who, where, and (when attributed) which flag flies behind the operation. Pulled from open-source reporting and Mallory's analyst review.

Who they target

Sectors the actor has been observed targeting.

  • Capital Goods
  • Financial Services
  • Health Care Equipment & Services
  • Commercial & Professional Services
  • Software & Services
  • Real Estate Management & Development

Where they target

Geographies tied to known operations.

  • 🇺🇸 United States
  • 🇨🇦 Canada
  • 🇦🇺 Australia
  • 🇳🇿 New Zealand
  • 🇩🇪 Germany

Where they're from

Attributed origin per open-source reporting.

  • RU
MITRE ATT&CK

Tradecraft

3 distinct techniques observed across reporting, grouped by tactic. Hover any cell for the evidence excerpt; click through for MITRE's full description.

5 of 15 tactics6 techniques×N= number of intelligence reports citing this technique
MITRE ATT&CK
TA0001
Initial Access
2 techniques
T1078
Valid Accounts
T1566
Phishing
TA0003
Persistence
1 technique
T1078
Valid Accounts
TA0004
Privilege Escalation
1 technique
T1078
Valid Accounts
TA0005
Stealth
1 technique
T1078
Valid Accounts
TA0006
Credential Access
1 technique
T1528
Steal Application Access Token
ACTIVITY FEED

Recent activity

3 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

3 SOURCESView more in app
What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: sector and geo overlap with your footprint, the IOCs they’re burning right now, detection coverage, and what to do next.
Start free trial
Target overlap

Match sector + geo + tech-stack targeting against your real footprint.

Tradecraft mapping3

Every observed MITRE ATT&CK technique, grouped by tactic.

Malware arsenal

Families this actor is known to deploy, with IOCs and behavior.

Exploited CVEs

CVEs this actor has used in known campaigns.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Observables

Domains, IPs, and hashes tied to this actor, refreshed continuously.