Saved February 14, 2026
This article discusses phishing campaigns by a Russian threat actor that exploit OAuth and Device Code authentication, using fake websites for international security events to trick users into revealing their credentials. The campaigns target organizations involved in events like the Belgrade Security Conference and the Brussels Indo-Pacific Dialogue, employing tactics such as rapport-building and messaging app support to enhance success.
In early 2025, Volexity noticed a troubling trend: Russian threat actors were targeting organizations by exploiting Microsoft 365 OAuth and Device Code authentication workflows. These actors created fake websites impersonating legitimate international security events to trick users into granting unauthorized access to their accounts. Notably, they used the Belgrade Security Conference (November 17-19, 2025) and the Brussels Indo-Pacific Dialogue (December 2, 2025) as bait. The attackers employed rapport-building phishing, in which they established benign communications with victims before sending phishing links, and they guided users through the process via messaging apps like WhatsApp and Signal.
One specific incident involved a user whose Microsoft 365 account was compromised after they received a spear-phishing email that continued a legitimate conversation about the Belgrade Security Conference. The attacker communicated through WhatsApp, posing as a colleague, and used a phishing link that led to a Microsoft OAuth page. Once the user logged in, they were redirected to a blank page, and the attacker asked for that page's URL to "finalize registration." The attacker then accessed various files through Microsoft 365 from a device that masqueraded as the user's own; the device's claimed identity is what raised suspicion.
Volexity also tracked another campaign from the same threat actor, UTA0355, where emails appeared to come from a representative of the Centre for Security, Diplomacy, and Strategy at Vrije Universiteit Brussel. These emails invited recipients to participate in the Brussels Indo-Pacific Dialogue, targeting individuals involved in foreign policy or with government experience. The phishing messages linked to a newly created website, bsc2025.org, which further facilitated the attacks. Users were prompted to register using corporate emails, leading to either benign redirection or an OAuth phishing workflow, depending on the email domain provided. This multi-faceted approach demonstrates the attackers' adaptability and the persistent risk they pose to organizations engaged in international security discussions.