Government Agencies on High Alert: Microsoft Issues Warning of OAuth Redirect Malware Threat

Microsoft has issued a warning regarding sophisticated phishing campaigns that leverage OAuth URL redirection techniques to bypass traditional email and browser security measures.

The primary targets of these attacks are government and public-sector organizations; the goal is to redirect victims to malicious landing pages rather than to steal their tokens. This identity-based threat abuses OAuth's legitimate redirection behaviour instead of relying on software vulnerabilities or credential theft.

According to the Microsoft Defender Security Research Team, attackers craft authorization URLs for popular identity providers such as Entra ID or Google Workspace, redirecting users to attacker-controlled pages by abusing OAuth's redirection feature.

The attackers initiate the attack by registering a malicious application within their own tenant and configuring its redirect URI to point at a rogue domain hosting malware. They then distribute OAuth phishing links that instruct recipients to authenticate with the malicious application using an intentionally invalid scope. Because the identity provider rejects the request before any consent prompt is shown and returns the error response to the application's registered redirect URI, the user is sent straight from the legitimate login domain to the attacker's page.

As a result, users unknowingly download malware onto their devices, distributed in the form of ZIP archives. Once unpacked, these archives execute PowerShell commands, engage in DLL side-loading, and initiate pre-ransom or hands-on-keyboard activities.

The malware payload includes a Windows shortcut that executes a PowerShell command upon opening, leading to host reconnaissance activities. Additionally, an MSI installer drops a decoy document while sideloading a malicious DLL using a legitimate binary, ultimately establishing an outbound connection to a command-and-control server.

These phishing emails utilize various lures such as e-signature requests, Teams recordings, and sensitive topics like social security and financial information to entice users into clicking the malicious links. Mass-sending tools and custom solutions developed in Python and Node.js are used to distribute these emails, with links embedded in the email body or within PDF attachments.


To enhance credibility, attackers encode the target's email address in the OAuth state parameter, repurposing it so the phishing page can automatically pre-fill the victim's address.
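The redirect-abuse pattern described above (an unrecognized scope, an attacker-registered redirect URI, and a state value that decodes to the recipient's email address) can be triaged directly from links extracted from mail. The following is an added defender-side example, not code from Microsoft or the article; the scope allowlist, the trusted redirect host, the client_id and the `.test` hostnames are constructed placeholders.

```python
"""Triage OAuth authorization links found in email for redirect abuse.
All sample URLs, hostnames and the client_id below are constructed."""
import base64
import re
from urllib.parse import parse_qs, urlparse

# Scopes the identity provider is known to accept (constructed, abbreviated list).
KNOWN_SCOPES = {"openid", "profile", "email", "offline_access", "user.read"}
# Redirect hosts approved for the organization's own apps (placeholder).
TRUSTED_REDIRECT_HOSTS = {"login.example-corp.test"}
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def decode_state(state):
    """Best-effort base64 decode of the state value; None if it is not text."""
    padded = state + "=" * (-len(state) % 4)
    for decoder in (base64.urlsafe_b64decode, base64.b64decode):
        try:
            return decoder(padded).decode("utf-8")
        except (ValueError, UnicodeDecodeError):
            continue
    return None


def triage_oauth_link(url):
    """Return the list of indicators found in an OAuth /authorize URL."""
    params = {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}
    findings = []
    unknown = set(params.get("scope", "").lower().split()) - KNOWN_SCOPES
    if unknown:  # an invalid scope triggers an error redirect without consent
        findings.append(f"unknown scope(s): {sorted(unknown)}")
    redirect_host = urlparse(params.get("redirect_uri", "")).hostname
    if redirect_host and redirect_host not in TRUSTED_REDIRECT_HOSTS:
        findings.append(f"redirect_uri host not trusted: {redirect_host}")
    decoded = decode_state(params.get("state", ""))
    if decoded and EMAIL_RE.match(decoded.strip()):
        findings.append(f"state decodes to an email address: {decoded.strip()}")
    return findings


AUTHORIZE = "https://login.microsoftonline.com/common/oauth2/v2.0/authorize?"
STATE = base64.urlsafe_b64encode(b"victim@example-corp.test").decode()
SUSPICIOUS = (AUTHORIZE + "client_id=00000000-0000-0000-0000-000000000000"
              "&response_type=code&redirect_uri=https%3A%2F%2Fattacker-lure.test%2Fcb"
              "&scope=openid%20xyz.invalid&state=" + STATE)
BENIGN = (AUTHORIZE + "client_id=00000000-0000-0000-0000-000000000000"
          "&response_type=code&redirect_uri=https%3A%2F%2Flogin.example-corp.test%2Fcb"
          "&scope=openid%20profile&state=a1b2c3d4")

if __name__ == "__main__":
    for name, link in (("suspicious", SUSPICIOUS), ("benign", BENIGN)):
        print(name, triage_oauth_link(link))
```

Run against links harvested from quarantined mail, the function flags the three traits together; any single one on its own (for example an unfamiliar scope in a new internal app) merits review rather than an automatic verdict.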

While some campaigns deliver malware through this technique, others redirect users to phishing frameworks like EvilProxy to intercept credentials and session cookies.

Microsoft has taken action by removing malicious OAuth applications identified in the investigation. Organizations are advised to restrict user consent, regularly review application permissions, and eliminate unused or overprivileged apps.
