Microsoft OAuth scams abuse redirects for malware delivery • The Register

Microsoft warns of OAuth abuse scams targeting government and public-sector organizations through phishing emails and URL redirects that deliver malware rather than steal access tokens.

Phish of the day: Microsoft OAuth scams abuse redirects for malware delivery

Crims hope for payday from malicious payloads rather than stealing access tokens

Jessica Lyons Tue 3 Mar 2026 // 00:33 UTC

Microsoft has warned organizations about ongoing OAuth abuse scams that use phishing emails and URL redirects to infect victims' machines with malware and take over their devices. The phishing expedition targets government and public-sector organizations, according to a Monday report from Redmond's security researchers.

And while Microsoft Entra disabled the malicious OAuth applications, Microsoft's infosec squad warned "related OAuth activity persists and requires ongoing monitoring."

Microsoft declined to answer The Register's inquiries, including questions about the size and scope of these campaigns.

OAuth, short for Open Authorization, is the widely used standard for delegated authorization: it lets a user grant an application limited access to resources held at another service, represented by an access token, without handing over a password. The "sign in with Google, Facebook, or Apple" buttons seen across the web are built on it (strictly, on OpenID Connect, an identity layer on top of OAuth 2.0) and rely on the standard's access tokens to work.

The feature these campaigns lean on is not a bug. In an OAuth authorization flow the identity provider never talks to the application directly: whatever the outcome, it sends the user's browser back to a redirect URI the application registered when it was created, with either an authorization code or an error attached. The error path, taken when something in the request cannot be satisfied, is what every campaign observed by Microsoft exploits.

Criminals abuse this by registering their own application with Microsoft Entra ID, Google Workspace, or another identity provider, pointing its redirect URI at a server they control, and then crafting sign-in URLs on the provider's legitimate domain that end with the victim's browser being bounced to that attacker-controlled landing page, where they unknowingly download malware.

In one campaign documented by Microsoft, the miscreants attempted to deliver a malicious payload containing an executable file that gave attackers full access to the victim's endpoint.

All of these campaigns begin with a phishing email. The lures include e-signature requests, access to recordings of Teams meetings, Microsoft 365 password reset instructions, and political themes, all designed to get the user to click the malicious link.

"Indicators suggest these actors used free prebuilt mass-sending tools as well as custom solutions developed in Python and Node.js," Redmond wrote. "In some cases, cloud email services and cloud-hosted virtual machines were used to distribute the messages."

The attackers typically embedded the malicious URLs in the body of the emails they sent to would-be victims, but in some cases they put the URL and lure inside a PDF attachment.

In some cases the redirect instead sends victims from the OAuth sign-in page to an adversary-in-the-middle phishing-as-a-service site such as EvilProxy, letting the thieves intercept users' credentials and session cookies.

The attackers abuse the OAuth redirect behavior by sending phishing links whose combination of crafted parameters is guaranteed to trigger an error. Here's the shape of one URL crafted for Entra ID (parameter values omitted in the report):

    https://login.microsoftonline.com/common/oauth2/v2.0/authorize
        ?client_id=
        &response_type=code
        &scope=
        &prompt=none
        &state=

"At first glance, this looks like a standard OAuth authorization request, but several parameters are intentionally misused," Microsoft's threat hunters wrote.

It's important to note that the criminals aren't stealing users' access tokens in these campaigns: the user never grants the application permission to access any resource, so no token is issued. Token theft isn't the point. The parameters are chosen so that sign-in fails. In the Entra example, prompt=none tells the service it may not show any sign-in or consent screen, so a victim with no existing session can only receive an error; the service then does what the protocol requires and redirects the browser to the application's registered redirect URI, carrying that error. That URI belongs to the attacker and hosts the malicious payload, while the link the victim actually clicked sits on login.microsoftonline.com.
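As an added example (not Microsoft's code, and not taken from the report), here is a small Python triage script for authorize URLs pulled out of email. It encodes the parameter misuse described above and adds a simulation of why the authorization server bounces an unauthenticated user to the app's registered redirect URI. The known-application allow-list, the sample URLs and application IDs, and the use of login_required as the error code are assumptions.

```python
"""Triage OAuth authorization URLs pulled from email for the redirect-abuse pattern.

Added example, not Microsoft's code. The heuristics follow the parameter misuse
the article describes: prompt=none forbids any sign-in UI, so a browser with no
session is guaranteed an error response, and the authorization server delivers
that error by redirecting the browser to the application's registered redirect
URI, which in these campaigns the attacker controls. The known application IDs,
the sample URLs and the 'login_required' error code used in the simulation are
assumptions / constructed test data, not values from the report.
"""
from urllib.parse import parse_qs, urlencode, urlparse

AUTHORIZE_HOST = "login.microsoftonline.com"


def _query(url):
    """Flatten the query string to {name: last value}, keeping empty values so
    that 'scope=' is seen as present-but-empty rather than absent."""
    parsed = urlparse(url)
    return {k: v[-1] for k, v in parse_qs(parsed.query, keep_blank_values=True).items()}


def is_entra_authorize_url(url):
    parsed = urlparse(url)
    return parsed.netloc.lower() == AUTHORIZE_HOST and parsed.path.lower().endswith("/authorize")


def triage_authorize_url(url, known_client_ids):
    """Return findings explaining why the URL looks like a redirect-abuse lure.
    An empty list means none of the heuristics fired."""
    if not is_entra_authorize_url(url):
        return []
    q = _query(url)
    findings = []
    if q.get("client_id", "") not in known_client_ids:
        findings.append("client_id is not an application this tenant knows about")
    if q.get("prompt") == "none":
        findings.append("prompt=none: no sign-in UI allowed, so a user without a "
                        "session always gets an error sent to the app's redirect URI")
    if not q.get("scope"):
        findings.append("scope is empty or missing: no permission is requested, "
                        "so no token can be issued; the redirect is the point")
    if q.get("response_type") == "code" and "redirect_uri" not in q:
        findings.append("redirect_uri omitted: the destination is whatever the app "
                        "registered and cannot be read from the link itself")
    return findings


def simulate_error_redirect(url, registered_redirect_uri, user_has_session=False):
    """Model the authorization server's behaviour for this request. With
    prompt=none and no session it cannot prompt, so it sends the browser to the
    app's registered redirect URI carrying an error (assumed here to be
    'login_required', the OpenID Connect code for this case) plus the original
    state value. Returns None when no error redirect would occur."""
    q = _query(url)
    if q.get("prompt") != "none" or user_has_session:
        return None
    params = {"error": "login_required"}
    if "state" in q:
        params["state"] = q["state"]
    return registered_redirect_uri + "?" + urlencode(params)


# Constructed samples: the lure mirrors the shape of the Entra URL quoted in the
# article; both application IDs are made up.
KNOWN_CLIENT_IDS = {"11111111-2222-3333-4444-555555555555"}
LURE = ("https://login.microsoftonline.com/common/oauth2/v2.0/authorize"
        "?client_id=aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee&response_type=code"
        "&scope=&prompt=none&state=lure-123")
LEGIT = ("https://login.microsoftonline.com/common/oauth2/v2.0/authorize"
         "?client_id=11111111-2222-3333-4444-555555555555&response_type=code"
         "&scope=openid%20profile&redirect_uri=https%3A%2F%2Fapp.example.com%2Fcb"
         "&state=abc")

if __name__ == "__main__":
    for name, url in (("lure", LURE), ("legit", LEGIT)):
        print(name, triage_authorize_url(url, KNOWN_CLIENT_IDS))
    print(simulate_error_redirect(LURE, "https://attacker.example/download"))
```

The allow-list check is the one that does real work: in a tenant that already inventories its consented and owned applications, any authorize link for an unknown client_id is worth a look regardless of the other parameters, because it is the application registration, not the link, that decides where the browser ends up.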

"By hosting the payload on an application redirect URI under their control, attackers can quickly rotate or change redirected domains when security filters block them," Microsoft wrote.

In one such campaign, the redirect sent victims to a /download/XXXX path that automatically downloaded a ZIP file onto their device. Payloads included ZIP archives containing LNK shortcut files and HTML smuggling loaders, we're told.

When victims opened the LNK shortcut, it executed a PowerShell command that first ran discovery commands on the machine for reconnaissance. It then launched a legitimate file, steam_monitor.exe, which was abused to side-load a malicious DLL, crashhandler.dll.

"That DLL decrypted crashlog.dat and executed the final payload in memory, ultimately establishing an outbound connection to an external C2 endpoint," according to Redmond.
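The chain just described is a hunt target in its own right. The Python below is an added example, not Microsoft's detection logic: it walks constructed process-creation and image-load events shaped like EDR telemetry and flags a binary spawned by PowerShell from a user-writable directory that loads a DLL from its own folder, raising severity when the names match the steam_monitor.exe / crashhandler.dll pair from the report. Paths, command lines, the event schema and the benign control process are made up.

```python
"""Hunt for the LNK -> PowerShell -> side-loaded DLL chain over process and
image-load telemetry.

Added example, not Microsoft's detection logic. The event schema and sample
events are constructed to resemble EDR records; steam_monitor.exe and
crashhandler.dll come from the article, everything else (paths, command lines,
the benign control process) is made up.
"""
from collections import defaultdict

# Known side-load pair from the campaign: legitimate host executable -> DLL name.
KNOWN_SIDELOAD_PAIRS = {"steam_monitor.exe": "crashhandler.dll"}
# Directories a standard user can write to; a DLL loaded from here next to its
# host binary bypasses nothing and is exactly what side-loading looks like.
USER_WRITABLE_PREFIXES = ("c:\\users\\",)


def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def _dirname(path):
    return path.rsplit("\\", 1)[0].lower()


def detect_sideload_chain(events):
    """events: dicts with 'type' of 'process' (pid, ppid, image, cmdline) or
    'imageload' (pid, dll). Flags an executable that was spawned by PowerShell,
    lives under a user-writable directory, and loads a DLL from that same
    directory. A known host/DLL name pair raises severity to high."""
    procs = {e["pid"]: e for e in events if e["type"] == "process"}
    loads = defaultdict(list)
    for e in events:
        if e["type"] == "imageload":
            loads[e["pid"]].append(e["dll"])

    alerts = []
    for pid, proc in procs.items():
        parent = procs.get(proc["ppid"])
        if parent is None or _basename(parent["image"]) != "powershell.exe":
            continue
        exe_dir = _dirname(proc["image"])
        if not exe_dir.startswith(USER_WRITABLE_PREFIXES):
            continue
        for dll in loads.get(pid, []):
            if _dirname(dll) != exe_dir:
                continue  # loads from System32 and the like are expected
            known = KNOWN_SIDELOAD_PAIRS.get(_basename(proc["image"])) == _basename(dll)
            grandparent = procs.get(parent["ppid"])  # explorer.exe when a user opened the LNK
            alerts.append({
                "pid": pid,
                "exe": proc["image"],
                "dll": dll,
                "severity": "high" if known else "medium",
                "chain": [p["image"] for p in (grandparent, parent, proc) if p is not None],
                "powershell_cmdline": parent.get("cmdline", ""),
            })
    return alerts


# Constructed sample telemetry: one instance of the chain plus a benign process
# that loads a DLL from its own folder under Program Files (not user-writable).
SAMPLE_EVENTS = [
    {"type": "process", "pid": 100, "ppid": 1, "image": "C:\\Windows\\explorer.exe",
     "cmdline": "explorer.exe"},
    {"type": "process", "pid": 200, "ppid": 100,
     "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "cmdline": "powershell.exe -NoProfile -WindowStyle Hidden -Command whoami; systeminfo"},
    {"type": "process", "pid": 300, "ppid": 200,
     "image": "C:\\Users\\victim\\AppData\\Local\\Temp\\pkg\\steam_monitor.exe",
     "cmdline": "steam_monitor.exe"},
    {"type": "imageload", "pid": 300, "dll": "C:\\Windows\\System32\\kernel32.dll"},
    {"type": "imageload", "pid": 300,
     "dll": "C:\\Users\\victim\\AppData\\Local\\Temp\\pkg\\crashhandler.dll"},
    {"type": "process", "pid": 400, "ppid": 100,
     "image": "C:\\Program Files\\Editor\\editor.exe", "cmdline": "editor.exe"},
    {"type": "imageload", "pid": 400, "dll": "C:\\Program Files\\Editor\\lexer.dll"},
]

if __name__ == "__main__":
    for alert in detect_sideload_chain(SAMPLE_EVENTS):
        print(alert["severity"], "->", " > ".join(alert["chain"]), "loads", alert["dll"])
```

The medium-severity branch is deliberately name-agnostic: the host binary and DLL will be swapped as soon as these names are blocked, but PowerShell starting a fresh executable out of a user's Temp directory that then pulls a DLL from the same folder is the shape worth keeping under watch.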
