Ethical Hacking News

Malware via OAuth Redirect: A New Threat Vector Targeting Government Targets


Microsoft has issued a warning about phishing campaigns that use OAuth redirect mechanisms to bypass conventional phishing defenses and deliver malware to government targets. The attackers use manipulated parameters and associated malicious applications to redirect users to attacker-controlled landing pages, resulting in malware being downloaded onto the victims' devices.

  • Microsoft has warned about a new threat vector that uses phishing campaigns to deliver malware to government targets.
  • The attackers employ OAuth redirect mechanisms, bypassing conventional phishing defenses.
  • The attacks abuse OAuth's native functionality rather than exploiting software vulnerabilities or stealing credentials.
  • Users are tricked into downloading and infecting their own devices with malware by clicking on malicious links.
  • The malware payloads include ZIP archives that unpack to execute PowerShell commands, DLL side-loading, and other malicious activities.
  • Organizations are advised to limit user consent, review application permissions, and remove unused apps to protect against this attack.


Microsoft has issued a warning regarding a new threat vector that is being used to deliver malware to government targets through phishing campaigns. The attacks, which employ OAuth redirect mechanisms, bypass the conventional phishing defenses implemented in email clients and browsers.

The Microsoft Defender Security Research Team stated that the phishing attacks take advantage of OAuth's standard behavior rather than exploiting software vulnerabilities or stealing credentials. According to the team, attackers abuse this native functionality by crafting authorization URLs for popular identity providers, such as Entra ID or Google Workspace, with manipulated parameters or associated malicious applications, so that the provider itself redirects users to attacker-controlled landing pages.

The starting point of the attack is a malicious application that the threat actor registers in a tenant under their control. The application is configured with a redirect URL pointing to a rogue domain that hosts malware. The attackers then distribute an OAuth phishing link that instructs recipients to authenticate to the malicious application using an intentionally invalid scope.

The result of this redirection is that users inadvertently download malware and infect their own devices. The payloads are distributed as ZIP archives which, when unpacked, lead to PowerShell execution, DLL side-loading, and pre-ransom or hands-on-keyboard activity.

The ZIP file contains a Windows shortcut (LNK) that executes a PowerShell command as soon as it is opened. The PowerShell payload conducts host reconnaissance by running discovery commands. The LNK file also extracts an MSI installer from the ZIP archive; the installer drops a decoy document to mislead the victim, while a malicious DLL ("crashhandler.dll") is side-loaded by the legitimate "steam_monitor.exe" binary.

The DLL then decrypts another file named "crashlog.dat" and executes the final payload in memory, which establishes an outbound connection to an external command-and-control (C2) server. Microsoft stated that the emails use e-signature requests, Teams recordings, and social security, financial, and political themes as lures to trick users into clicking the link.

The links are either embedded directly in the email body or placed within a PDF document. To increase credibility, the actors passed the target's email address through the state parameter using various encoding techniques so that it was automatically populated on the phishing page. The state parameter is meant to be a randomly generated value used to correlate an authorization request with its response, but in these cases it was repurposed to carry encoded email addresses.
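As an added defender-side example (this is not code from Microsoft's report or from the article), the Python helper below triages OAuth authorize links pulled from mail or proxy logs and flags the three traits described above: a scope the provider will reject (under OAuth 2.0 the resulting error response is still delivered to the application's registered redirect URI, which is what lands the user on the rogue domain), a redirect_uri outside an allowlist, and a state value that decodes to an e-mail address instead of a random nonce. The allowlist, the scope vocabulary and the two sample links are constructed assumptions for illustration.

```python
import base64
import re
from urllib.parse import parse_qs, unquote, urlparse

# Hypothetical allowlists for this example; a real deployment would derive them
# from the tenant's registered applications and its known scope vocabulary.
ALLOWED_REDIRECT_HOSTS = {"login.microsoftonline.com", "myapps.microsoft.com"}
KNOWN_SCOPES = {"openid", "profile", "email", "offline_access", "user.read"}
EMAIL_RE = re.compile(r"^[\w.+-]+@[\w-]+(\.[\w-]+)+$")


def decode_state(state):
    """Return an e-mail address hidden in `state` (plain, URL-, base64- or hex-encoded), else None."""
    candidates = [state, unquote(state)]
    try:  # base64, tolerating stripped padding
        candidates.append(base64.b64decode(state + "=" * (-len(state) % 4)).decode())
    except ValueError:  # covers binascii.Error and UnicodeDecodeError
        pass
    try:
        candidates.append(bytes.fromhex(state).decode())
    except ValueError:
        pass
    return next((c for c in candidates if EMAIL_RE.match(c)), None)


def triage(url):
    """Flag the traits of an OAuth redirect phishing link; an empty list means nothing suspicious."""
    params = {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}
    findings = []
    # 1. A scope the provider will reject: the error is still sent to redirect_uri.
    unknown = sorted(set(params.get("scope", "").lower().split()) - KNOWN_SCOPES)
    if unknown:
        findings.append("unexpected scope: " + " ".join(unknown))
    # 2. A redirect_uri that leaves the trusted hosts (where the rogue landing page lives).
    host = urlparse(params.get("redirect_uri", "")).hostname or ""
    if host not in ALLOWED_REDIRECT_HOSTS:
        findings.append("redirect_uri host not allowlisted: " + host)
    # 3. state repurposed to carry the victim's address instead of a random nonce.
    email = decode_state(params.get("state", ""))
    if email:
        findings.append("state carries an e-mail address: " + email)
    return findings


# Constructed sample links (not real campaign data); the client_id is a placeholder.
_STATE = base64.b64encode(b"victim@example.gov").decode()
SUSPICIOUS_URL = ("https://login.microsoftonline.com/common/oauth2/v2.0/authorize"
                  "?client_id=00000000-0000-0000-0000-000000000000&response_type=code"
                  "&redirect_uri=https%3A%2F%2Fexample.invalid%2Fcb"
                  "&scope=openid%20not.a.real.scope&state=" + _STATE)
BENIGN_URL = ("https://login.microsoftonline.com/common/oauth2/v2.0/authorize"
              "?client_id=00000000-0000-0000-0000-000000000000&response_type=code"
              "&redirect_uri=https%3A%2F%2Fmyapps.microsoft.com%2Fcb"
              "&scope=openid%20profile&state=8f3a1c9e2b7d4f60")
```

Running `triage(SUSPICIOUS_URL)` yields all three findings, while `triage(BENIGN_URL)` returns an empty list; in practice the allowlist should be generated from the tenant's consented applications rather than hand-maintained.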

While some of the campaigns leverage the technique to deliver malware, others send users to pages hosted on phishing frameworks such as EvilProxy, which act as an adversary-in-the-middle (AitM) kit to intercept credentials and session cookies. Microsoft has since removed several malicious OAuth applications that were identified during the investigation.

Organizations are advised to limit user consent, periodically review application permissions, and remove unused or overprivileged apps. The campaign highlights the need to stay vigilant against evolving threat vectors and to maintain robust security controls against such attacks.



Related Information:
  • https://www.ethicalhackingnews.com/articles/Malware-via-OAuth-Redirect-A-New-Threat-Vector-Targeting-Government-Targets-ehn.shtml

  • https://thehackernews.com/2026/03/microsoft-warns-oauth-redirect-abuse.html

  • https://www.microsoft.com/en-us/security/blog/2026/03/02/oauth-redirection-abuse-enables-phishing-malware-delivery/


  • Published: Tue Mar 3 05:56:38 2026 by llama3.2 3B Q4_K_M