Microsoft Warns of OAuth Redirect Abuse Used to Deliver Malware to Government Targets
Malicious OAuth Redirects Target Government Agencies with Malware
Microsoft has identified a recent phishing campaign that leverages OAuth URL redirection to bypass traditional phishing defenses and deliver malware to government and public-sector organizations. The attack abuses a legitimate OAuth feature to redirect victims to attacker-controlled infrastructure; it does not need to steal their tokens.
Campaign Overview
The campaign begins with a malicious application that the threat actor registers in a tenant under their control, configured with a redirect URL pointing to a rogue domain hosting malware. The attackers then distribute an OAuth phishing link that asks recipients to authenticate to the malicious application while requesting an intentionally invalid scope. Because the authorization server returns its error response to the application's registered redirect URL, users are inadvertently sent to the attacker-controlled landing page.
Malicious Payload Delivery
The malicious payload is delivered as a ZIP file containing a Windows shortcut (LNK) that executes a PowerShell command when opened. The PowerShell payload runs discovery commands for host reconnaissance and extracts an MSI installer from the ZIP archive; the installer drops a decoy document to mislead the victim. A malicious DLL (“crashhandler.dll”) is then sideloaded using the legitimate “steam_monitor.exe” binary; it decrypts a further file named “crashlog.dat” and executes the final payload in memory, which establishes an outbound connection to an external command-and-control (C2) server.
Phishing Email Tactics
The phishing emails use various themes, including e-signature requests, Teams recordings, social security, financial, and political topics, to trick users into clicking the link. The emails are sent via mass-sending tools and custom solutions developed in Python and Node.js, with the link either included directly in the body or placed within a PDF document. To increase credibility, the actors encode the target address into the state parameter so that it is automatically populated on the phishing page.
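Both the redirect chain described under Campaign Overview and the state-parameter trick above leave traces in the authorization link itself. The following is an added example (not code from Microsoft's report) of a triage function a defender could run over authorization URLs pulled from mail or proxy logs; the trusted-domain list, the scope-format heuristic and the sample links are assumptions constructed for the example.

```python
import base64
import re
from urllib.parse import parse_qs, urlencode, urlparse

# Redirect hosts this (hypothetical) organisation trusts; a real deployment would
# load these from the tenant's registered apps. Constructed value for the example.
TRUSTED_REDIRECT_DOMAINS = {"contoso.example"}
AUTHORIZE_HOST = "login.microsoftonline.com"
OIDC_SCOPES = {"openid", "profile", "email", "offline_access"}
# Heuristic for well-formed Entra scopes: Graph-style Resource.Permission, a
# resource URI such as https://graph.microsoft.com/.default, or an api:// scope.
SCOPE_RE = re.compile(r"^(?:[A-Za-z]+(?:\.[A-Za-z]+)+|https?://\S+|api://\S+)$")
EMAIL_RE = re.compile(r"[^@\s]+@[^@\s]+\.[^@\s]+")
# Constructed state value: the encoded target address the page describes.
SAMPLE_STATE = base64.urlsafe_b64encode(b"victim@contoso.example").decode()


def _trusted_host(host: str) -> bool:
    return any(host == d or host.endswith("." + d) for d in TRUSTED_REDIRECT_DOMAINS)


def _decode_state(state: str) -> str:
    # Return state base64-decoded when that yields printable text, otherwise as-is.
    padded = state + "=" * (-len(state) % 4)
    try:
        text = base64.urlsafe_b64decode(padded).decode("utf-8")
        return text if text.isprintable() else state
    except (ValueError, UnicodeDecodeError):
        return state


def triage_oauth_link(url: str) -> list[str]:
    """Report the traits described above for one authorization URL (empty list = clean)."""
    parsed = urlparse(url)
    if parsed.netloc != AUTHORIZE_HOST or not parsed.path.endswith("/authorize"):
        return []  # not an Entra ID authorization request
    params = {k: v[0] for k, v in parse_qs(parsed.query).items()}
    findings = []
    redirect_host = urlparse(params.get("redirect_uri", "")).netloc
    if redirect_host and not _trusted_host(redirect_host):
        findings.append(f"redirect_uri leaves trusted domains: {redirect_host}")
    bad_scopes = [s for s in params.get("scope", "").split()
                  if s not in OIDC_SCOPES and not SCOPE_RE.match(s)]
    if bad_scopes:
        findings.append(f"scope has malformed tokens (forces an error redirect): {bad_scopes}")
    if EMAIL_RE.search(_decode_state(params.get("state", ""))):
        findings.append("state carries an email address (prefills the landing page)")
    return findings


def make_authorize_link(**params: str) -> str:
    # Build a sample authorization URL for testing; constructed input, not a real tenant.
    return f"https://{AUTHORIZE_HOST}/common/oauth2/v2.0/authorize?" + urlencode(params)
```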
EvilProxy and AitM Kits
Some campaigns deliver malware, while others redirect users to pages hosted on phishing frameworks such as EvilProxy, which act as adversary-in-the-middle (AitM) kits that intercept credentials and session cookies. Microsoft has removed several malicious OAuth applications identified during the investigation.
