Researchers Uncover Sophisticated OAuth Phishing Attacks via Entra ID Links


Researchers Uncover Sophisticated OAuth Phishing Scheme Leveraging Entra ID Links

A recent investigation has exposed a complex phishing campaign that exploits legitimate OAuth authentication links to deliver malware to unsuspecting victims.

The Phishing Campaign

The attackers have been found to manipulate Microsoft OAuth authentication links, disguising them as legitimate login requests to trick users into divulging sensitive information.

The phishing campaign, which has been linked to several high-profile identity platforms, including Entra ID and Google Workspace, uses carefully crafted URLs to redirect victims to malicious destinations.

Malware Delivery Process

The attackers have also been found to use phishing frameworks such as EvilProxy, an adversary-in-the-middle toolkit designed to intercept login credentials and session cookies during authentication.

The phishing campaign also involves a multi-stage malware delivery process, which begins with the extraction of a PowerShell script from a ZIP archive.

The script initiates reconnaissance activity on the victim’s system, executing discovery commands to gather information about the host environment.

The script then extracts an MSI installer, which drops a decoy document intended to distract the victim while the infection process continues in the background.

Malicious Payload

A malicious dynamic link library, identified as “crashhandler.dll,” is then sideloaded using a legitimate executable named “steam_monitor.exe.”

The DLL decrypts an additional file called “crashlog.dat,” which contains the final payload.

This payload executes directly in memory, a technique commonly used to evade detection by security software.
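The delivery chain described above (a PowerShell script run out of an extracted ZIP, a burst of discovery commands, then an unsigned DLL side-loaded from the executable's own directory) can be turned into detection logic. The following is an added example, not code from the article or from the researchers it cites: it runs three simple rules over constructed endpoint events in a simplified, vendor-neutral shape. The hostnames, user names, paths and process IDs are made up; only the file names `steam_monitor.exe` and `crashhandler.dll` come from the article, and the side-loading rule deliberately does not depend on them.

```python
"""Detection rules for the delivery chain described in the article, run over
constructed endpoint telemetry. Added example; not the article's own code."""
from collections import Counter
from pathlib import PureWindowsPath

# Common built-in discovery tools; a burst of several from one parent is suspicious.
DISCOVERY_TOOLS = {"whoami.exe", "systeminfo.exe", "ipconfig.exe",
                   "net.exe", "nltest.exe", "tasklist.exe"}
# Lower-cased substrings that mark user-writable locations (assumption: tune per estate).
USER_WRITABLE_MARKERS = ("\\users\\", "\\programdata\\", "\\temp\\")

# Constructed sample events (simplified shape; paths, PIDs and user names are invented).
SAMPLE_EVENTS = [
    {"type": "process_create", "pid": 4120, "parent_pid": 1200,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -NoProfile -File C:\Users\a.user\AppData\Local\Temp\Temp1_invoice.zip\update.ps1"},
    {"type": "process_create", "pid": 4131, "parent_pid": 4120,
     "image": r"C:\Windows\System32\whoami.exe", "cmdline": "whoami /all"},
    {"type": "process_create", "pid": 4132, "parent_pid": 4120,
     "image": r"C:\Windows\System32\systeminfo.exe", "cmdline": "systeminfo"},
    {"type": "process_create", "pid": 4133, "parent_pid": 4120,
     "image": r"C:\Windows\System32\ipconfig.exe", "cmdline": "ipconfig /all"},
    {"type": "process_create", "pid": 4140, "parent_pid": 4120,
     "image": r"C:\Windows\System32\msiexec.exe",
     "cmdline": r"msiexec /i C:\Users\a.user\AppData\Local\Temp\setup.msi /qn"},
    # Side-load: unsigned DLL next to the executable, both in a user-writable folder.
    {"type": "image_load", "pid": 4188,
     "image": r"C:\Users\a.user\AppData\Roaming\SteamMon\steam_monitor.exe",
     "loaded_image": r"C:\Users\a.user\AppData\Roaming\SteamMon\crashhandler.dll",
     "loaded_signed": False},
    # Benign control: the same process loading a signed system DLL must not fire.
    {"type": "image_load", "pid": 4188,
     "image": r"C:\Users\a.user\AppData\Roaming\SteamMon\steam_monitor.exe",
     "loaded_image": r"C:\Windows\System32\kernel32.dll",
     "loaded_signed": True},
]


def is_user_writable(path: str) -> bool:
    low = path.lower()
    return any(marker in low for marker in USER_WRITABLE_MARKERS)


def rule_powershell_from_archive(ev):
    """PowerShell started with a script path inside an extracted ZIP under a temp folder."""
    if ev["type"] != "process_create":
        return None
    if PureWindowsPath(ev["image"]).name.lower() != "powershell.exe":
        return None
    cmdline = ev["cmdline"].lower()
    if ".zip\\" in cmdline and "\\temp\\" in cmdline:
        return ("ps_script_from_zip", ev["pid"], ev["cmdline"])
    return None


def rule_discovery_burst(events, threshold=3):
    """At least `threshold` discovery tools spawned by the same parent process."""
    per_parent = Counter(
        ev["parent_pid"] for ev in events
        if ev["type"] == "process_create"
        and PureWindowsPath(ev["image"]).name.lower() in DISCOVERY_TOOLS)
    return [("discovery_burst", ppid, f"{n} discovery commands")
            for ppid, n in per_parent.items() if n >= threshold]


def rule_sideload(ev):
    """Unsigned DLL loaded from the loading executable's own user-writable directory."""
    if ev["type"] != "image_load" or ev.get("loaded_signed", True):
        return None
    exe = PureWindowsPath(ev["image"])
    dll = PureWindowsPath(ev["loaded_image"])
    # PureWindowsPath equality is case-insensitive, matching Windows semantics.
    if dll.parent == exe.parent and is_user_writable(str(exe.parent)):
        return ("unsigned_sideload", ev["pid"], f"{exe.name} -> {dll.name}")
    return None


def analyze(events):
    """Return a list of (rule_id, pid, detail) findings for the given events."""
    findings = []
    for ev in events:
        for rule in (rule_powershell_from_archive, rule_sideload):
            hit = rule(ev)
            if hit:
                findings.append(hit)
    findings.extend(rule_discovery_burst(events))
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_EVENTS):
        print(*finding)
```

The side-loading rule keys on behaviour rather than on the two file names, so it also covers renamed copies of the same technique; the trade-off is that legitimately self-contained applications installed under a user profile will need an allow-list.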

Response and Recommendations

In response to the investigation, Microsoft has removed several malicious OAuth applications linked to the campaign and issued guidance to organizations on reducing exposure to similar attacks.

Security teams are advised to limit the ability of users to grant consent to third-party applications and to regularly review application permissions within their identity environments.

Removing unused or excessively privileged applications is also recommended.
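The review the preceding recommendations call for (user-granted consents to third-party apps, high-privilege permissions, and grants that are no longer used) can be scripted once consent records have been exported. The following is an added example and not the article's or Microsoft's code: the record shape, the tenant identifiers, the app names and the 90-day staleness window are constructed assumptions, not the Microsoft Graph schema, and the scope names are ordinary Microsoft Graph delegated permission names used only as sample data.

```python
"""Triage of exported OAuth consent grants following the article's recommendations.
Added example; record layout and all sample values are constructed."""
from datetime import date

HOME_TENANT = "contoso-tenant-id"          # placeholder for your own tenant ID
STALE_DAYS = 90                            # assumption: grants unused this long are candidates for removal
TODAY = date(2025, 1, 15)                  # fixed so the example is deterministic
# Delegated permissions whose grant to an unverified third party deserves a look (assumption).
HIGH_PRIVILEGE_SCOPES = {"Mail.Read", "Mail.ReadWrite", "Files.ReadWrite.All",
                         "Directory.ReadWrite.All", "offline_access"}

# Constructed sample grants: consent_type "Principal" means a single user consented,
# "AllPrincipals" means an administrator consented on behalf of the organisation.
SAMPLE_GRANTS = [
    {"app": "Corp Expense Sync", "publisher_tenant": HOME_TENANT, "consent_type": "AllPrincipals",
     "scopes": ["User.Read", "Files.ReadWrite.All"], "last_sign_in": date(2025, 1, 10)},
    {"app": "PDF Viewer Plus", "publisher_tenant": "unknown-external-tenant", "consent_type": "Principal",
     "scopes": ["User.Read", "Mail.Read", "offline_access"], "last_sign_in": date(2025, 1, 12)},
    {"app": "Old Survey Tool", "publisher_tenant": "partner-tenant-id", "consent_type": "Principal",
     "scopes": ["User.Read"], "last_sign_in": date(2024, 6, 1)},
    {"app": "Benign Reader", "publisher_tenant": "partner-tenant-id", "consent_type": "Principal",
     "scopes": ["User.Read"], "last_sign_in": date(2025, 1, 14)},
]


def assess_grant(grant, today=TODAY):
    """Return the list of reasons a grant should be reviewed (empty if none)."""
    reasons = []
    third_party = grant["publisher_tenant"] != HOME_TENANT
    risky = set(grant["scopes"]) & HIGH_PRIVILEGE_SCOPES
    if third_party and grant["consent_type"] == "Principal" and risky:
        reasons.append("user-consented third-party app with high-privilege scopes: "
                       + ", ".join(sorted(risky)))
    if (today - grant["last_sign_in"]).days > STALE_DAYS:
        reasons.append(f"no sign-in for more than {STALE_DAYS} days")
    return reasons


def review(grants, today=TODAY):
    """Map each app that needs attention to its review reasons."""
    result = {}
    for grant in grants:
        reasons = assess_grant(grant, today)
        if reasons:
            result[grant["app"]] = reasons
    return result


if __name__ == "__main__":
    for app, reasons in review(SAMPLE_GRANTS).items():
        print(app)
        for reason in reasons:
            print("  -", reason)
```

Admin-consented first-party apps with broad scopes are intentionally not flagged here; they belong in a separate, periodic privilege review rather than in the user-consent triage this example models.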

“The campaign highlights the importance of monitoring application permissions and authentication activity to detect suspicious behavior before it leads to compromise. As attackers increasingly rely on trusted platforms and familiar workflows, organizations must be vigilant in their efforts to prevent similar attacks.”
