Microsoft Warns of OAuth Redirect Abuse Campaign
Microsoft has warned of OAuth redirect abuse in new phishing attacks. Researchers observed campaigns targeting government and public-sector organizations. These attacks do not exploit software flaws; instead, they misuse built-in OAuth features.
The researchers describe this as an identity-based threat: attackers rely on normal OAuth behavior rather than stealing passwords directly, and trick users through redirection.
How OAuth Redirect Abuse Works
OAuth allows identity providers to redirect users in certain cases, for example after a login or authorization error. Attackers manipulate this legitimate feature.
They craft malicious URLs that point at trusted identity providers. Because the links appear to lead to a legitimate domain, email filters and browsers may not block them, and victims click without suspicion.
Attackers create a malicious application in a tenant they control and configure it with a redirect URL pointing to a rogue domain that hosts malware. They then send phishing emails containing OAuth links.
The link asks the victim to authenticate with an invalid permission scope. Because the scope fails validation, the identity provider redirects the browser to the configured redirect URL, so the user lands on the attacker's website, where they often download malware without realizing it.
Malware Delivery Chain Explained
The malware usually arrives as a ZIP archive; the infection begins when the user extracts it. The ZIP contains a Windows shortcut file which, when opened, runs a PowerShell command.
The PowerShell script collects system information and then extracts an installer. The installer drops a decoy document to distract the victim while loading a malicious DLL. The DLL decrypts another hidden file and executes the final payload in memory. The malware then connects to an external command-and-control server, giving the attackers control of the infected device.
Phishing Lures and Social Engineering
Attackers use convincing email themes, such as e-signature requests, meeting recordings, or financial and political topics, so recipients feel urgency and click quickly. They use automated sending tools, sometimes embedding links inside PDF files and in other cases placing the link directly in the message. In every case they aim to appear legitimate.
To increase trust, attackers misuse the OAuth state parameter. Normally, this value ties an authorization response back to the request that produced it. Instead, they encode the victim's email address inside it so the phishing page can auto-fill the user's address.
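As an added example (not code from Microsoft's report or from this article), the following Python triages OAuth authorize links seen in mail or proxy logs for the three indicators described above: a redirect_uri outside the organization's registered hosts, a scope value the organization never requests, and an email address carried in state (plain or base64url). The allowlists, hostnames and client_id are constructed placeholders, not values from the campaign.

```python
import base64
import binascii
import re
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed allowlist: redirect hosts the organization has registered for its own apps (assumption).
TRUSTED_REDIRECT_HOSTS = {"app.corp.example", "portal.corp.example"}
# Constructed allowlist: delegated scopes the organization's apps are known to request (assumption).
KNOWN_SCOPES = {"openid", "profile", "email", "offline_access", "user.read"}
EMAIL_RE = re.compile(r"[A-Z0-9._%+-]+@[A-Z0-9.-]+\.[A-Z]{2,}", re.IGNORECASE)


def _state_decodings(state: str):
    """Yield the state value as-is and, if it decodes, as base64url text."""
    yield state
    try:
        padded = state + "=" * (-len(state) % 4)
        yield base64.urlsafe_b64decode(padded).decode("utf-8", "ignore")
    except (binascii.Error, ValueError):
        return


def analyze_authorize_url(url: str) -> list[str]:
    """Return findings for one OAuth authorize URL; an empty list means nothing looked suspicious."""
    params = {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}
    findings = []
    # 1. redirect_uri outside the allowlist: an error redirect would deliver the user there.
    host = urlparse(params.get("redirect_uri", "")).hostname or ""
    if host and host not in TRUSTED_REDIRECT_HOSTS:
        findings.append(f"redirect_uri host not allowlisted: {host}")
    # 2. Scope values the organization never uses: an invalid scope forces the error redirect.
    for scope in params.get("scope", "").split():
        if scope.lower() not in KNOWN_SCOPES:
            findings.append(f"unrecognised scope: {scope}")
    # 3. Victim email smuggled in state (plain or base64url) to pre-fill the phishing page.
    if any(EMAIL_RE.search(text) for text in _state_decodings(params.get("state", ""))):
        findings.append("email address embedded in state")
    return findings


def build_sample_url(redirect_uri: str, scope: str, state: str) -> str:
    """Construct a sample authorize URL (the client_id is a placeholder, not a real app)."""
    query = urlencode({"client_id": "00000000-0000-0000-0000-000000000000", "response_type": "code",
                       "redirect_uri": redirect_uri, "scope": scope, "state": state})
    return "https://login.microsoftonline.com/common/oauth2/v2.0/authorize?" + query


if __name__ == "__main__":
    encoded = base64.urlsafe_b64encode(b"victim@corp.example").decode().rstrip("=")
    suspicious = build_sample_url("https://files.example.invalid/doc", "openid not.a.real.scope", encoded)
    for finding in analyze_authorize_url(suspicious):
        print("FINDING:", finding)
```

Unknown scopes will be common for tenants with many legitimate apps, so treat that indicator as corroborating evidence rather than a standalone alert.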
Use of Phishing Frameworks
Some campaigns deliver malware directly; others redirect users to phishing frameworks such as EvilProxy. These adversary-in-the-middle kits intercept login credentials and session cookies in real time.
Researchers removed several malicious OAuth applications during the investigation, but attackers can create new ones quickly, so organizations must stay alert.
How to Prevent OAuth Redirect Abuse
Organizations should restrict user consent for third-party applications. Security teams should also review app permissions regularly and remove unused or overprivileged applications, leaving attackers fewer entry points.
Companies can strengthen protection with managed detection and response services that monitor identity abuse and suspicious outbound traffic in real time. Regular vulnerability assessments also help identify risky OAuth configurations. By combining identity monitoring with proactive security testing, organizations can reduce the risk of OAuth redirect abuse.
Sleep well, we got you covered.

