Ethical Hacking News
Hackers are abusing the legitimate OAuth redirection mechanism to bypass phishing protections in email and browsers, ultimately spreading malware among government and public-sector organizations. Microsoft researchers have warned that these attacks use parameters such as scope or prompt=none to force silent error redirects, exploiting a vulnerability in the OAuth framework.
Hackers exploited the legitimate OAuth redirection mechanism to bypass phishing protections. They created malicious OAuth applications to force users to authenticate through phishing links. Attackers were able to intercept valid session cookies and bypass MFA protections. Victims were redirected to phishing pages or to downloadable ZIP files containing malicious shortcut (.LNK) files and HTML smuggling tools. The attackers triggered OAuth errors through invalid parameters to force silent error redirects. Microsoft suggests tightening OAuth permissions, enforcing strong identity protections, and using cross-domain detection to mitigate the issue.
In a recent attack, hackers have successfully abused the legitimate OAuth redirection mechanism to bypass phishing protections in email and browsers, ultimately spreading malware among government and public-sector organizations. According to Microsoft Defender researchers, the attackers created malicious OAuth applications in a tenant they controlled and then forced users to authenticate to these applications through phishing links that contained OAuth redirect URLs.
The attackers configured these malicious applications with a redirect URI pointing to their infrastructure, allowing them to intercept valid session cookies and bypass multi-factor authentication (MFA) protections. In some cases, the victims were redirected to phishing pages powered by attacker-in-the-middle frameworks such as EvilProxy, which auto-filled the victim's email address in the credentials box on the phishing page using the 'state' parameter.
In other instances, the victims were redirected to a '/download' path that automatically delivered a ZIP file with malicious shortcut (.LNK) files and HTML smuggling tools. Opening the .LNK launched PowerShell, which performed reconnaissance on the compromised host and extracted the components required for the next step, DLL side-loading. A malicious DLL (crashhandler.dll) then decrypted and loaded the final payload (crashlog.dat) into memory.
Meanwhile, a legitimate executable (stream_monitor.exe) loaded a decoy to distract the victim, while the attackers continued to execute their malware attack chain. The researchers warn that threat actors are now triggering OAuth errors through invalid parameters such as scope or prompt=none to force silent error redirects as part of real-world attacks.
To mitigate this issue, Microsoft suggests that organizations should tighten permissions for OAuth applications, enforce strong identity protections and Conditional Access policies, and use cross-domain detection across email, identity, and endpoints. By taking these steps, organizations can protect themselves from the exploitation of legitimate OAuth redirection mechanisms by hackers.
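The cross-domain detection Microsoft recommends above can start with the link itself. The following is an added example, not code from Microsoft or from this article: it triages authorize links pulled from mail or proxy logs, flagging a redirect_uri outside an assumed allowlist, a redirect to a download path, a prompt=none or unrecognised scope value (the parameters the researchers say are used to force error redirects), and a state parameter carrying an email address. The hostnames, client IDs, allowlist and sample links are all constructed.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample authorize links of the kind seen in mail or proxy logs.
# Hostnames and client IDs are placeholders, not indicators from the report.
SAMPLE_LINKS = [
    "https://login.microsoftonline.com/common/oauth2/v2.0/authorize"
    "?client_id=00000000-0000-0000-0000-000000000001&response_type=code"
    "&redirect_uri=https%3A%2F%2Fportal.example.com%2Fcallback"
    "&scope=openid%20profile&state=xyz789",
    "https://login.microsoftonline.com/common/oauth2/v2.0/authorize"
    "?client_id=00000000-0000-0000-0000-000000000002&response_type=code"
    "&redirect_uri=https%3A%2F%2Fupdates-cdn.example.net%2Fdownload"
    "&scope=openid&prompt=none&state=alice%40corp.example.com",
    "https://login.microsoftonline.com/common/oauth2/v2.0/authorize"
    "?client_id=00000000-0000-0000-0000-000000000003&response_type=code"
    "&redirect_uri=https%3A%2F%2Fupdates-cdn.example.net%2Fcb"
    "&scope=openid%20not.a.real.scope",
]

# Redirect hosts registered to the organisation's own apps (assumed allowlist).
TRUSTED_REDIRECT_HOSTS = {"portal.example.com"}
# Scopes the organisation expects to see in legitimate sign-in links (assumed).
KNOWN_SCOPES = {"openid", "profile", "email", "offline_access", "User.Read"}
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def analyse_oauth_link(url, trusted_hosts=TRUSTED_REDIRECT_HOSTS):
    """Return the reasons an authorize link looks like redirect abuse ([] if none)."""
    parts = urlsplit(url)
    if not parts.path.endswith("/authorize"):
        return []  # not an authorization request; nothing to check
    q = {k: v[0] for k, v in parse_qs(parts.query).items()}
    reasons = []
    redirect = urlsplit(q.get("redirect_uri", ""))
    if redirect.hostname and redirect.hostname not in trusted_hosts:
        reasons.append(f"redirect_uri host not on allowlist: {redirect.hostname}")
    if redirect.path.rstrip("/").endswith("/download"):
        reasons.append("redirect_uri points at a download path")
    if q.get("prompt") == "none":
        reasons.append("prompt=none (silent error redirect if no session exists)")
    unknown = set(q.get("scope", "").split()) - KNOWN_SCOPES
    if unknown:
        reasons.append(f"unrecognised scope(s): {sorted(unknown)}")
    if EMAIL_RE.match(q.get("state", "")):
        reasons.append("state carries an email address (pre-filled phishing form)")
    return reasons


def triage(links):
    """Map each flagged link to its reasons; clean links are omitted."""
    return {u: r for u in links if (r := analyse_oauth_link(u))}
```

Any single reason is worth a closer look; the combination of an untrusted redirect host with prompt=none or an email-bearing state is the pattern described in this report.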
In recent months, the threat landscape has seen various attacks exploiting vulnerabilities in authentication mechanisms. In a related development, APT37 hackers were found to be using new malware to breach air-gapped networks, while LexisNexis confirmed that a data breach had occurred after hackers leaked stolen files.
These incidents highlight the ongoing struggle between attackers and defenders in the realm of cybersecurity.
Related Information:
https://www.ethicalhackingnews.com/articles/Hackers-Exploit-OAuth-Redirect-Mechanism-to-Spread-Malware-ehn.shtml
Published: Tue Mar 3 15:30:21 2026 by llama3.2 3B Q4_K_M