Microsoft warns of OAuth redirect abuse used to deliver malware to public sector

In a technical analysis on the Microsoft security blog, the company warned on Monday that threat actors are using OAuth redirect mechanisms to bypass email and browser phishing defenses and deliver malware to government and public sector targets.

KEY FACTS

  • Incident: OAuth redirect abuse used to lead victims to attacker-controlled infrastructure
  • Targets: Government and public sector organizations
  • Delivery: ZIP files containing an LNK that triggers PowerShell, MSI extraction and DLL sideloading
  • Lures: E-signature, Teams recordings, social security, financial and political themes

The attack flow begins with a malicious application created in an attacker-controlled tenant. The application is registered with a redirect URL that points to a rogue domain hosting the payload.

Recipients receive OAuth phishing links that prompt authentication using an intentionally invalid scope. The crafted URLs appear benign but redirect users to attacker-controlled landing pages that deliver a ZIP archive.

The ZIP contains a Windows shortcut that runs a PowerShell command when opened. The PowerShell script performs host discovery, extracts an MSI installer and drops a decoy document, while a malicious DLL named crashhandler.dll is sideloaded by a legitimate steam_monitor.exe binary.

The DLL decrypts a crashlog.dat file and executes the final payload in memory, which then establishes an outbound connection to an external command-and-control server.

Some campaigns instead route users to adversary-in-the-middle phishing frameworks such as EvilProxy to capture credentials and session cookies.

Several malicious OAuth applications were removed as part of the investigation. Organizations are advised to limit user consent, review application permissions and remove unused or overprivileged apps.
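As an added illustration (not code from the Microsoft report), the following Python triage script parses OAuth authorize URLs found in mail or proxy logs and flags the two traits described above: a redirect_uri host outside an allowlist, and a scope value the authorization server would not accept. The trusted-host and known-scope sets, the log line format, and all domains and client IDs are constructed assumptions, not indicators from the report.

```python
"""Triage OAuth authorize-request URLs harvested from mail or proxy logs.
Flags the pattern described above: a request whose redirect_uri points at
an unrelated host and whose scope the server will reject, so the user is
bounced straight to the redirect target carrying an error."""
from urllib.parse import urlparse, parse_qs

# Redirect hosts the organization expects to see (assumption, illustrative).
TRUSTED_REDIRECT_HOSTS = {"app.corp.example", "localhost"}
# Scope values treated as well-formed (assumption, illustrative subset).
KNOWN_SCOPES = {"openid", "profile", "email", "offline_access", "user.read"}

# Constructed log lines shaped "<timestamp> <sender> <url>"; client_ids and
# domains are placeholders, not indicators from the report.
SAMPLE_LOG = """\
2024-01-01T09:00:00Z hr@partner.example https://login.microsoftonline.com/common/oauth2/v2.0/authorize?client_id=00000000-0000-0000-0000-000000000001&response_type=code&redirect_uri=https%3A%2F%2Fapp.corp.example%2Fcallback&scope=openid%20profile%20user.read
2024-01-01T09:05:00Z docs@esign.example https://login.microsoftonline.com/common/oauth2/v2.0/authorize?client_id=00000000-0000-0000-0000-000000000002&response_type=code&redirect_uri=https%3A%2F%2Fdownload.rogue.example%2Frecording&scope=openid%20not.a.real.scope
2024-01-01T09:10:00Z news@corp.example https://www.corp.example/newsletter/2024
"""

def triage_authorize_url(url: str) -> dict:
    """Parse one URL; return its OAuth parameters and a list of findings."""
    parsed = urlparse(url)
    if not parsed.path.endswith("/authorize"):
        return {"is_oauth": False, "params": {}, "findings": []}
    params = {k: v[0] for k, v in parse_qs(parsed.query).items()}
    findings = []
    redirect_host = urlparse(params.get("redirect_uri", "")).hostname or ""
    if redirect_host and redirect_host not in TRUSTED_REDIRECT_HOSTS:
        findings.append(f"redirect_uri host not trusted: {redirect_host}")
    unknown = [s for s in params.get("scope", "").split()
               if s.lower() not in KNOWN_SCOPES]
    if unknown:
        findings.append("unrecognized scope value(s): " + " ".join(unknown))
    return {"is_oauth": True, "params": params, "findings": findings}

def triage_log(text: str) -> list:
    """Return (sender, client_id, findings) for each flagged OAuth URL."""
    hits = []
    for line in text.splitlines():
        _ts, sender, url = line.split(" ", 2)
        result = triage_authorize_url(url)
        if result["is_oauth"] and result["findings"]:
            hits.append((sender, result["params"].get("client_id"),
                         result["findings"]))
    return hits

if __name__ == "__main__":
    for sender, cid, findings in triage_log(SAMPLE_LOG):
        print(f"{sender} client_id={cid}: {'; '.join(findings)}")
```

In production the allowlist would be the set of redirect URIs registered for applications the tenant actually consented to, which is the review the article recommends.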

WHY IT MATTERS

The technique leverages legitimate OAuth behavior to make malicious links appear benign. That increases the risk of malware infection and credential theft for targeted organizations and complicates detection for standard email and browser defenses.