
Microsoft on Monday warned of phishing campaigns that combine lure emails with OAuth URL redirection to bypass the traditional phishing defenses built into email clients and browsers.
The company says the campaign targets government and public sector organizations, and that its ultimate goal is to send victims to attacker-controlled infrastructure rather than to steal their tokens. Microsoft describes the attack as an identity-based threat that abuses OAuth’s standard design behavior instead of exploiting software vulnerabilities or stealing credentials.
According to the Microsoft Defender Security Research Team, “OAuth includes legitimate functionality that allows identity providers to redirect users to specific landing pages under certain conditions, typically error scenarios or other defined flows.”
“An attacker can exploit this native functionality by constructing a URL using popular identity providers such as Entra ID or Google Workspace, which uses manipulated parameters and an associated malicious application to redirect the user to an attacker-controlled landing page. This technique allows the creation of URLs that appear benign but ultimately lead to malicious destinations.”
The starting point for an attack is a malicious application that the threat actor registers within a tenant they control. The application is configured with a redirect URL that points to a malicious domain hosting malware. The attacker then distributes an OAuth phishing link that instructs the recipient to authenticate to the malicious application using an intentionally invalid scope, so that the identity provider’s error handling redirects the user to the attacker’s landing page.
The redirection leads users to unknowingly download malware and infect their devices. According to Microsoft, the payload is delivered as a ZIP archive which, once extracted, leads to PowerShell execution, DLL sideloading, pre-ransomware activity and keyboard interaction.

The ZIP file contains a Windows shortcut (LNK) that runs a PowerShell command as soon as it is opened. The PowerShell payloads are used to run discovery commands and perform reconnaissance on the host. The LNK file extracts an MSI installer from the ZIP archive and then drops a decoy document to mislead the victim. Meanwhile, a malicious DLL (“crashhandler.dll”) is sideloaded by the legitimate “steam_monitor.exe” binary.
The DLL then decrypts another file named “crashlog.dat” and executes the final payload in memory, which establishes an outbound connection to an external command-and-control (C2) server.
Microsoft says the emails use lures such as electronic signature requests, Teams recordings, and social security, financial and political themes to trick users into clicking the links. The emails are said to have been sent through mass-mailing tools and custom solutions written in Python and Node.js. The link is either included directly in the email body or placed within a PDF document.
“To increase credibility, the attacker used various encoding techniques to pass the target’s email address through the state parameter so that it would be automatically populated on the phishing page,” Microsoft said. “The state parameter is randomly generated and is intended to be used to correlate request and response values, but in this case it was reused to convey an encoded email address.”
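To illustrate the two traits described above, a redirect_uri that leaves the organization’s trusted hosts and a state parameter that decodes to the target’s email address, here is an added detection example (not Microsoft’s code and not part of the original article). It assumes a constructed allowlist of trusted redirect hosts and uses placeholder tenant, app id and hostnames in a constructed sample link.

```python
import base64
import binascii
import re
from urllib.parse import parse_qs, unquote, urlparse

# Constructed allowlist (assumption): redirect hosts our own registered apps are expected to use.
TRUSTED_REDIRECT_HOSTS = {"app.example.com"}
EMAIL_RE = re.compile(r"^[\w.+-]+@[\w-]+(\.[\w-]+)+$")

def _decodings(value):
    """Yield plausible decodings of a parameter value: raw, percent-decoded, base64, hex."""
    yield value
    yield unquote(value)
    padded = value + "=" * (-len(value) % 4)
    for decoder in (base64.b64decode, base64.urlsafe_b64decode):
        try:
            yield decoder(padded).decode("utf-8")
        except (binascii.Error, UnicodeDecodeError, ValueError):
            pass
    try:
        yield bytes.fromhex(value).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        pass

def smuggled_email(state):
    """Return the e-mail address hidden in an OAuth state value, or None if nothing decodes to one."""
    for candidate in _decodings(state):
        if EMAIL_RE.match(candidate.strip()):
            return candidate.strip()
    return None

def analyze_oauth_url(url):
    """Return findings for an OAuth authorization link seen in mail; an empty list means nothing odd."""
    q = {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}
    findings = []
    host = urlparse(q.get("redirect_uri", "")).hostname or ""
    if host and host not in TRUSTED_REDIRECT_HOSTS:
        findings.append(f"redirect_uri points outside trusted hosts: {host}")
    email = smuggled_email(q.get("state", ""))
    if email:
        findings.append(f"state parameter carries an encoded e-mail address: {email}")
    return findings

# Constructed sample link in the shape the article describes; tenant, app id and hosts are placeholders.
SAMPLE_URL = (
    "https://login.microsoftonline.com/TENANT-ID/oauth2/v2.0/authorize"
    "?client_id=APP-ID&response_type=code&scope=openid"
    "&redirect_uri=https%3A%2F%2Flanding.attacker-placeholder.test%2F"
    "&state=dmljdGltQGV4YW1wbGUub3Jn"
)
```

Running `analyze_oauth_url(SAMPLE_URL)` on the constructed link reports both the untrusted redirect host and the base64-encoded address in state; a legitimate state value is random and decodes to nothing recognizable.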
Some campaigns have been observed using this technique to deliver malware, while others send users to pages hosted on phishing frameworks such as EvilProxy, which act as adversary-in-the-middle (AitM) kits that intercept credentials and session cookies.
Microsoft has since removed several malicious OAuth applications identified during the investigation. The company recommends that organizations restrict user consent, regularly review application permissions, and remove apps with unused or excessive permissions.
