Microsoft Warns OAuth Redirect Abuse Delivers Malware to Government Targets
#Security


Security Reporter

Microsoft has identified sophisticated phishing campaigns that abuse OAuth's legitimate redirect functionality to deliver malware to government and public-sector organizations, bypassing conventional email and browser defenses.

Microsoft has issued a warning about a sophisticated phishing campaign that exploits OAuth's legitimate redirect functionality to deliver malware to government and public-sector organizations. The attacks bypass conventional email and browser defenses by abusing standard OAuth behavior rather than exploiting vulnerabilities or stealing credentials directly.

How the Attack Works

The threat actors begin by creating malicious applications within tenants under their control. These applications are configured with redirect URLs pointing to rogue domains that host malware. The attackers then distribute OAuth phishing links that instruct recipients to authenticate using intentionally invalid scopes.

When a victim clicks such a link and attempts to authenticate, the authorization server rejects the invalid scope and, as OAuth specifies for error responses, sends the browser back to the application's registered redirect URI, which here is the attacker-controlled domain hosting the malware. Users who follow through end up downloading and infecting their own devices.

Malware Delivery Chain

The malicious payloads are distributed as ZIP archives containing multiple components:

  • A Windows shortcut (LNK) file that executes PowerShell commands immediately upon opening
  • An MSI installer that drops decoy documents to mislead victims
  • A malicious DLL named "crashhandler.dll" that's side-loaded using the legitimate "steam_monitor.exe" binary
  • A file named "crashlog.dat" that contains the final payload

The PowerShell payload conducts host reconnaissance by running discovery commands. The DLL decrypts and executes the final payload in memory, establishing an outbound connection to an external command-and-control (C2) server.

Attack Lures and Distribution

The phishing emails use various themes to trick users into clicking malicious links, including:

  • E-signature requests
  • Teams recordings
  • Social security information
  • Financial documents
  • Political content

These emails are sent via mass-sending tools and custom solutions developed in Python and Node.js. The malicious links appear either directly in the email body or within attached PDF documents.

To increase credibility, attackers pass the target email address through the state parameter using various encoding techniques. This allows the email address to be automatically populated on the phishing page. "The state parameter is intended to be randomly generated and used to correlate request and response values, but in these cases it was repurposed to carry encoded email addresses," Microsoft explained.
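The two signals the article names, a state parameter that decodes to an e-mail address and a redirect_uri pointing at a domain the organization does not use, are both visible in the authorize URL itself, so they can be checked before anyone clicks. The following triage script is an added example written for this page; it is not Microsoft's detection logic. The sample URLs, the client_id values, the hosts and the redirect allow-list are constructed placeholders, and the set of encodings tried (plain, URL-encoded, base64, hex) is an assumption about what "various encoding techniques" might cover.

```python
import base64
import re
import urllib.parse
from typing import Iterator, Optional

# Loose e-mail pattern: enough to recognise an address smuggled through "state".
EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")

# Constructed allow-list: hosts this organisation legitimately uses as OAuth redirect targets.
TRUSTED_REDIRECT_HOSTS = {"app.example.org"}


def candidate_plaintexts(value: str) -> Iterator[str]:
    """Yield the ways a state value might decode: as-is, URL-decoded, base64
    (standard and URL-safe) and hex. Encodings that do not apply are skipped."""
    seen = set()
    for text in (value, urllib.parse.unquote(value)):
        if text in seen:
            continue
        seen.add(text)
        yield text
        padded = text + "=" * (-len(text) % 4)  # tolerate stripped base64 padding
        for decoder in (base64.b64decode, base64.urlsafe_b64decode):
            try:
                yield decoder(padded).decode("utf-8")
            except (ValueError, UnicodeDecodeError):
                continue
        if re.fullmatch(r"[0-9A-Fa-f]+", text) and len(text) % 2 == 0:
            try:
                yield bytes.fromhex(text).decode("utf-8")
            except UnicodeDecodeError:
                continue


def email_in_state(state: str) -> Optional[str]:
    """Return the e-mail address carried by the state parameter, or None."""
    for text in candidate_plaintexts(state):
        text = text.strip()
        if EMAIL_RE.match(text):
            return text
    return None


def triage_authorize_url(url: str, trusted_hosts=TRUSTED_REDIRECT_HOSTS) -> dict:
    """Extract the fields that matter from an OAuth authorize URL and list findings."""
    parts = urllib.parse.urlsplit(url)
    params = urllib.parse.parse_qs(parts.query)   # parse_qs already URL-decodes once
    first = lambda key: params.get(key, [""])[0]
    redirect_uri = first("redirect_uri")
    redirect_host = urllib.parse.urlsplit(redirect_uri).hostname or ""
    email = email_in_state(first("state"))
    findings = []
    if email:
        findings.append(f"state carries an e-mail address ({email}) instead of a random nonce")
    if redirect_uri and redirect_host not in trusted_hosts:
        findings.append(f"redirect_uri points outside the allow-list: {redirect_host}")
    return {"client_id": first("client_id"), "redirect_host": redirect_host,
            "scope": first("scope"), "email": email, "findings": findings}


# Constructed sample URLs (placeholders, not indicators from Microsoft's report).
# The state in LURE_URL is base64 for the constructed address user@example.gov.
LURE_URL = (
    "https://login.microsoftonline.com/common/oauth2/v2.0/authorize"
    "?client_id=00000000-0000-0000-0000-000000000000&response_type=code"
    "&redirect_uri=https%3A%2F%2Fupdates.example.invalid%2Fcallback"
    "&scope=openid&state=dXNlckBleGFtcGxlLmdvdg%3D%3D"
)
BENIGN_URL = (
    "https://login.microsoftonline.com/common/oauth2/v2.0/authorize"
    "?client_id=11111111-1111-1111-1111-111111111111&response_type=code"
    "&redirect_uri=https%3A%2F%2Fapp.example.org%2Fcallback"
    "&scope=openid&state=a3f9c2e1"
)

if __name__ == "__main__":
    for url in (LURE_URL, BENIGN_URL):
        result = triage_authorize_url(url)
        print(result["client_id"], result["findings"] or "no findings")
```

The script treats a decodable address in state as a finding on its own: a correctly built client sends an opaque random value there, so any state that decodes to recognisable user data is worth a look regardless of where the redirect goes. Feeding it the URLs extracted from mail-gateway logs or from attached PDFs gives a first pass that does not depend on the destination domain already being on a blocklist.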

Multiple Attack Vectors

While some campaigns use this technique to deliver malware directly, others send users to pages hosted on phishing frameworks like EvilProxy. These act as adversary-in-the-middle (AitM) kits to intercept credentials and session cookies, providing attackers with both authentication tokens and session data.

Microsoft's Response and Recommendations

Microsoft has removed several malicious OAuth applications identified during its investigation. The company recommends that organizations implement the following security measures:

  • Limit user consent for applications
  • Periodically review application permissions
  • Remove unused or overprivileged applications
  • Monitor for suspicious OAuth application activity
  • Implement conditional access policies that restrict authentication to trusted applications
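The review steps above are checks an administrator runs over the tenant's application inventory. What follows is an added example written for this page, not Microsoft's tooling and not part of the article: it applies those checks to a constructed inventory. The application records, the redirect allow-list, the 90-day staleness window and the set of scopes treated as high-privilege are all assumptions; in a real tenant the records would come from an export of the consented applications and their permission grants.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Set
from urllib.parse import urlsplit

# Delegated permissions this (constructed) organisation treats as high privilege.
HIGH_PRIVILEGE_SCOPES = {"Mail.ReadWrite", "Mail.Send", "Files.ReadWrite.All", "Directory.ReadWrite.All"}
# Hosts the organisation's own applications legitimately redirect to (constructed allow-list).
TRUSTED_REDIRECT_HOSTS = {"app.example.org", "localhost"}


@dataclass
class AppRecord:
    """One consented application, as it might appear in a tenant's app inventory export."""
    display_name: str
    redirect_uris: List[str]
    granted_scopes: Set[str]
    consent_type: str                 # "admin" or "user"
    last_sign_in: Optional[datetime]  # None if the app has never been used


def review_app(app: AppRecord, now: datetime, stale_after_days: int = 90,
               trusted_hosts: Set[str] = TRUSTED_REDIRECT_HOSTS) -> List[str]:
    """Return the reasons an application deserves attention (empty list = nothing found)."""
    findings = []
    for uri in app.redirect_uris:
        parts = urlsplit(uri)
        host = parts.hostname or ""
        if parts.scheme != "https" and host != "localhost":
            findings.append(f"non-HTTPS redirect URI: {uri}")
        if host not in trusted_hosts:
            findings.append(f"redirect URI host outside allow-list: {host}")
    risky = app.granted_scopes & HIGH_PRIVILEGE_SCOPES
    if risky:
        who = "an admin" if app.consent_type == "admin" else "an individual user"
        findings.append(f"high-privilege scopes {sorted(risky)} granted by {who}")
    if app.last_sign_in is None or now - app.last_sign_in > timedelta(days=stale_after_days):
        findings.append(f"no sign-ins in the last {stale_after_days} days; candidate for removal")
    return findings


def review_inventory(apps: List[AppRecord], now: datetime, **kwargs) -> Dict[str, List[str]]:
    """Map each flagged application's name to its findings; clean apps are omitted."""
    report = {}
    for app in apps:
        findings = review_app(app, now, **kwargs)
        if findings:
            report[app.display_name] = findings
    return report


# Constructed sample inventory; names, hosts and dates are placeholders.
NOW = datetime(2025, 1, 15, tzinfo=timezone.utc)
SAMPLE_APPS = [
    AppRecord("Expense Portal", ["https://app.example.org/auth/callback"],
              {"User.Read", "openid"}, "admin", NOW - timedelta(days=2)),
    AppRecord("Document Viewer", ["https://updates.example.invalid/cb"],
              {"Mail.ReadWrite", "User.Read"}, "user", None),
    AppRecord("Old Survey Tool", ["http://survey.example.org/cb"],
              {"User.Read"}, "user", NOW - timedelta(days=200)),
]

if __name__ == "__main__":
    for name, findings in review_inventory(SAMPLE_APPS, NOW).items():
        print(name)
        for finding in findings:
            print("  -", finding)
```

Run on a schedule, the report turns "periodically review application permissions" into a concrete queue: apps with a redirect host nobody recognises go to the top, apps with mailbox or directory write access granted by a single user's consent come next, and apps with no sign-ins in the window are the removal candidates. The allow-list is also the natural input for a conditional access policy that only permits the applications on it.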

The attack demonstrates how threat actors are increasingly leveraging legitimate platform features rather than exploiting vulnerabilities. By abusing OAuth's standard redirect functionality, attackers can create URLs that appear benign while ultimately leading to malicious destinations.

This technique represents a significant evolution in phishing attacks, as it bypasses many conventional security controls that focus on detecting malicious URLs or suspicious email patterns. Organizations need to adapt their security posture to account for these identity-based threats that exploit the normal operation of trusted authentication systems.


Keywords: Microsoft, OAuth, phishing, malware, government targets, Entra ID, Google Workspace, cybersecurity, command and control, ransomware
