In a technical analysis published on Monday, Microsoft warned that phishing campaigns abuse OAuth redirect mechanisms to deliver malware to government and public sector organizations, redirecting victims to attacker-controlled infrastructure without stealing tokens.
KEY FACTS
- Incident: OAuth redirect abuse used to deliver malware
- Targets: Government and public sector organizations
- Delivery: Phishing emails with OAuth links and ZIP payloads
- Payload: LNK-triggered PowerShell, MSI extraction, and DLL side-loading
- Mitigation: Limit user consent and remove unused or overprivileged apps
The attack begins with a malicious application created in a tenant controlled by the actor. The application is configured with a redirect URL that points to a rogue domain hosting a ZIP archive containing the malicious payload.
The ZIP contains a Windows shortcut that runs a PowerShell command when opened. That PowerShell executes discovery commands, extracts an MSI installer from the archive, drops a decoy document, and sideloads a malicious DLL via a legitimate binary. The DLL decrypts a data file and runs the final payload in memory, which establishes an outbound connection to a command and control server.
Phishing lures include e-signature requests, Teams recordings, and Social Security, financial, and political themes. Links appear directly in email bodies or are embedded in PDF attachments. Actors also encoded target addresses into the OAuth state parameter so that the target's email auto-populates on the landing page.
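The two elements a defender can check for in the links described above are the redirect_uri, which is what sends the browser to the rogue domain even though the link itself points at the identity provider, and the state parameter, which may carry the target's email address in plain or base64 form. The following triage script is an added example, not Microsoft's code or tooling; the allowlists of known client IDs and expected redirect hosts, the sample message body, and the rogue domain are all constructed for illustration.

```python
"""Triage OAuth authorization links found in email bodies for redirect_uri and
state abuse.  Added example; the allowlists and sample message are constructed."""
import base64
import re
from urllib.parse import parse_qs, unquote, urlparse

# Hypothetical organisation-specific allowlists (assumptions for this example).
KNOWN_CLIENT_IDS = {"11111111-2222-3333-4444-555555555555"}   # apps the tenant registered or consented to
EXPECTED_REDIRECT_HOSTS = {"portal.example-corp.com"}        # redirect hosts those apps actually use
AUTHORIZATION_HOSTS = {"login.microsoftonline.com", "login.live.com"}

URL_RE = re.compile(r"https?://[^\s\"'<>)]+")
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def decode_state(state: str) -> list[str]:
    """Return the state value in the forms that could hide an address: raw,
    URL-decoded, and base64-decoded (padding restored if the sender dropped it)."""
    forms = [state, unquote(state)]
    for text in list(forms):
        padded = text + "=" * (-len(text) % 4)
        try:
            forms.append(base64.urlsafe_b64decode(padded).decode("utf-8", "ignore"))
        except ValueError:          # binascii.Error is a ValueError: not base64, skip
            pass
    return forms


def analyze_oauth_link(url: str) -> dict:
    """Inspect one URL.  Only links to a known authorization endpoint are analysed;
    for those, flag an unknown client_id, a redirect_uri outside the expected
    hosts, and a state value that carries an email address."""
    parsed = urlparse(url)
    if parsed.hostname not in AUTHORIZATION_HOSTS:
        return {"url": url, "is_oauth_link": False, "findings": []}
    params = parse_qs(parsed.query)          # parse_qs already URL-decodes each value once
    client_id = params.get("client_id", [""])[0]
    redirect_host = urlparse(params.get("redirect_uri", [""])[0]).hostname
    findings = []
    if client_id and client_id not in KNOWN_CLIENT_IDS:
        findings.append(f"unknown client_id {client_id}")
    if redirect_host and redirect_host not in EXPECTED_REDIRECT_HOSTS:
        findings.append(f"redirect_uri sends the browser to {redirect_host}")
    for text in decode_state(params.get("state", [""])[0]):
        match = EMAIL_RE.search(text)
        if match:
            findings.append(f"state pre-fills target address {match.group(0)}")
            break
    return {"url": url, "is_oauth_link": True, "redirect_host": redirect_host, "findings": findings}


def triage_email_body(body: str) -> list[dict]:
    """Extract every URL from a message body and return the OAuth links that
    produced at least one finding."""
    results = [analyze_oauth_link(u) for u in URL_RE.findall(body)]
    return [r for r in results if r["is_oauth_link"] and r["findings"]]


# Constructed sample message, modelled on the e-signature lure theme.  The first
# link points at the real identity provider but redirects to a rogue host and
# carries base64("alice@example.gov") in state; the second is a legitimate link.
SAMPLE_BODY = """A document is waiting for your signature. Review it here:
https://login.microsoftonline.com/common/oauth2/v2.0/authorize?client_id=99999999-8888-7777-6666-555555555555&response_type=code&scope=openid&redirect_uri=https%3A%2F%2Fdocs.example-rogue.test%2Fsign&state=YWxpY2VAZXhhbXBsZS5nb3Y%3D
Company portal: https://login.microsoftonline.com/common/oauth2/v2.0/authorize?client_id=11111111-2222-3333-4444-555555555555&response_type=code&redirect_uri=https%3A%2F%2Fportal.example-corp.com%2Fauth&state=xyz
Terms: https://www.example-corp.com/terms
"""

if __name__ == "__main__":
    for hit in triage_email_body(SAMPLE_BODY):
        print(hit["url"])
        for finding in hit["findings"]:
            print("  -", finding)
```

The check deliberately ignores the link's own host, because in this campaign that host is the legitimate authorization endpoint; what distinguishes the lure is where redirect_uri lands and what state contains. Unknown client IDs are flagged as well, since the malicious application lives in a tenant the actor controls and will not match anything the organisation registered or consented to.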
Some campaigns harvest credentials and session cookies through phishing frameworks such as EvilProxy, while others deliver malware. As mitigations, the disclosure recommends limiting user consent, periodically reviewing application permissions, and removing unused or overprivileged applications.
WHY IT MATTERS
Abuse of OAuth redirect behavior lets attackers craft benign-appearing URLs that bypass some email and browser defenses and result in direct malware execution on targeted devices. Organizations that manage cloud identities should review application consent practices and permissions to reduce exposure.