Microsoft Warns OAuth Redirect Abuse Delivers Malware to Government Targets - The Hacker News

Microsoft Warns OAuth Redirect Abuse Delivers Malware to Government Targets Ravie LakshmananMar 03, 2026Phishing / Malware Microsoft on Monday warned of phishing campaigns that employ phishing emails and OAuth URL redirection mechanisms to bypass conventional phishing defenses implemented in email and browsers. The activity, the company said, targets government and public-sector organizations with the end goal of redirecting victims to attacker-controlled infrastructure without stealing their tokens. It described the phishing attacks as an identity-based threat that takes advantage of OAuth's standard, by-design behavior rather than exploiting software vulnerabilities or stealing credentials. "OAuth includes a legitimate feature that allows identity providers to redirect users to a specific landing page under certain conditions, typically in error scenarios or other defined flows," the Microsoft Defender Security Research Team said. "Attackers can abuse this native functionality by crafting URLs with popular identity providers, such as Entra ID or Google Workspace, that use manipulated parameters or associated malicious applications to redirect users to attacker-controlled landing pages. This technique enables the creation of URLs that appear benign but ultimately lead to malicious destinations." The starting point of the attack is a malicious application created by the threat actor in a tenant under their control. The application is configured with a redirect URL pointing to a rogue domain that hosts malware. The attackers then distribute an OAuth phishing link that instructs the recipients to authenticate to the malicious application by using an intentionally invalid scope. The result of this redirection is that users inadvertently download and infect their own devices with malware. The malicious payloads are distributed in the form of ZIP archives, which, when unpacked, result in PowerShell execution, DLL side-loading, and pre-ransom or hands-on-keyboard activity, Microsoft said. The ZIP file contains a Windows shortcut (LNK) that executes a PowerShell command as soon as it's opened. The PowerShell payload is used to conduct host reconnaissance by running discovery commands. The LNK file extracts from the ZIP archive an MSI installer, which then drops a decoy document to mislead the victim, while a malicious DLL ("crashhandler.dll") is sideloaded using the legitimate "steam_monitor.exe" binary. The DLL proceeds to decrypt another file named "crashlog.dat" and executes the final payload in memory, allowing it to establish an outbound connection to an external command-and-control (C2) server. Microsoft said the emails use e-signature requests, Teams recordings, social security, financial, and political themes as lures to trick users into clicking the link. The emails are said to have been sent via mass-sending tools and custom solutions developed in Python and Node.js. The links are either directly included in the email body or placed within a PDF document. "To increase credibility, actors passed the target email address through the state parameter using various encoding techniques, allowing it to be automatically populated on the phishing page," Microsoft said. "The state parameter is intended to be randomly generated and used to correlate request and response values, but in these cases it was repurposed to carry encoded email addresses." While some of the campaigns have been found to leverage the technique to deliver malware, others send users to pages hosted on phishing frameworks such as EvilProxy, which act as an adversary-in-the-middle (AitM) kit to intercept credentials and session cookies. Microsoft has since removed several malicious OAuth applications that were identified as part of the investigation. Organizations are advised to limit user consent, periodically review application permissions, and remove unused or overprivileged apps. Found this article interesting? Follow us on Google News, Twitter and LinkedIn to read more exclusive content we post. SHARE     Tweet Share Share SHARE  Command and Control, cybersecurity, Entra ID, Google Workspace, Malware, Microsoft, OAuth, Phishing, powershell, ransomware Trending News Veeam Patches 7 Critical Backup and Replication Flaws Allowing Remote Code Execution FortiGate Devices Exploited to Breach Networks and Steal Service Account Credentials Six Android Malware Families Target Pix Payments, Banking Apps, and Crypto Wallets Google Fixes Two Chrome Zero-Days Exploited in the Wild Affecting Skia and V8 Android 17 Blocks Non-Accessibility Apps from Accessibility API to Prevent Malware Abuse ThreatsDay Bulletin: OAuth Trap, EDR Killer, Signal Phishing, Zombie ZIP, AI Platform Hack and More Chinese Hackers Target Southeast Asian Militaries with AppleChris and MemFun Malware Meta to Shut Down Instagram End-to-End Encrypted Chat Support Starting May 2026 Apple Fixes WebKit Vulnerability Enabling Same-Origin Policy Bypass on iOS and macOS ⚡ Weekly Recap: Chrome 0-Days, Router Botnets, AWS Breach, Rogue AI Agents and More Nine CrackArmor Flaws in Linux AppArmor Enable Root Escalation, Bypass Container Isolation Microsoft Patches 84 Flaws in March Patch Tuesday, Including Two Public Zero-Days OpenClaw AI Agent Flaws Could Enable Prompt Injection and Data Exfiltration Critical n8n Flaws Allow Remote Code Execution and Exposure of Stored Credentials CISA Flags Actively Exploited Wing FTP Vulnerability Leaking Server Paths Researchers Trick Perplexity's Comet AI Browser Into Phishing Scam in Under Four Minutes Apple Issues Security Updates for Older iOS Devices Targeted by Coruna WebKit Exploit Load More ▼ Popular Resources Identity Controls Checklist: Find Missing Protections in Apps 19,053 Confirmed Breaches in 2025 – Key Trends and Predictions for 2026 Self-Hosted WAF: Block SQLi, XSS, and Bots Before They Reach Your Apps Read CYBER360 2026: From Zero Trust Limits to Data-Centric Security Paths