Microsoft warns of OAuth-based phishing campaigns that abuse legitimate redirect features to funnel victims to attacker-controlled landing pages without stealing tokens. The attacks target government and public-sector organizations and deliver malware via ZIP archives that trigger PowerShell execution, DLL sideloading, and in-memory payloads, and some campaigns use AitM frameworks to harvest credentials. #EntraID #EvilProxy
Keypoints
- Attackers abuse OAuth's native redirect functionality to craft benign-looking URLs that redirect users to malicious landing pages.
- Campaigns target government and public-sector organizations using lures like e-signature requests, Teams recordings, and political or financial themes.
- Threat actors create malicious applications with redirect URIs pointing to rogue domains and distribute OAuth phishing links that request intentionally invalid scopes.
- Malware delivery uses ZIP files containing LNKs that execute PowerShell, extract an MSI, sideload a malicious DLL via steam_monitor.exe (crashhandler.dll), decrypt crashlog.dat, and run a final in-memory payload that connects to C2.
- Some attacks leverage EvilProxy AitM frameworks to intercept credentials and session cookies; organizations should limit user consent and remove unused or overprivileged applications.
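As an added example, not from the post or the Microsoft report it summarizes: a small Python triage script that parses OAuth authorization links (for instance, URLs extracted from inbound mail) and flags the two signs described above, a redirect_uri host outside an organizational allowlist and scope values that do not look like real ones. The allowlist, the scope-prefix heuristic, and the sample links are constructed assumptions.

```python
from urllib.parse import urlparse, parse_qs

# Assumption: the authorization endpoint host to inspect (Entra ID).
AUTHZ_HOSTS = {"login.microsoftonline.com"}
# Assumption: redirect_uri hosts the organization expects to see in sign-in links.
TRUSTED_REDIRECT_HOSTS = {"login.microsoftonline.com", "portal.example.com"}
# Assumption: heuristic prefixes of scope values that are actually defined; anything
# else may be the "intentionally invalid scope" used to force an immediate error redirect.
KNOWN_SCOPE_PREFIXES = ("openid", "profile", "email", "offline_access",
                        "https://graph.microsoft.com/", "User.", "Mail.", "Files.")


def analyze_oauth_link(url):
    """Return a list of findings for an OAuth authorize URL; empty if nothing looks off."""
    p = urlparse(url)
    # Only authorize requests to the identity provider are interesting here.
    if p.hostname not in AUTHZ_HOSTS or not p.path.endswith("/authorize"):
        return []
    q = parse_qs(p.query)          # decodes percent-encoded values
    findings = []
    redirect_host = urlparse(q.get("redirect_uri", [""])[0]).hostname
    if redirect_host and redirect_host not in TRUSTED_REDIRECT_HOSTS:
        findings.append(f"redirect_uri host not allowlisted: {redirect_host}")
    scopes = q.get("scope", [""])[0].split()
    bad = [s for s in scopes if not s.startswith(KNOWN_SCOPE_PREFIXES)]
    if bad:
        findings.append(f"unrecognized scope(s): {' '.join(bad)}")
    return findings


# Constructed sample links: one expected sign-in, one with the abuse pattern, one unrelated.
SAMPLE_LINKS = [
    "https://login.microsoftonline.com/common/oauth2/v2.0/authorize?client_id=00000000-0000-0000-0000-000000000000"
    "&response_type=code&redirect_uri=https%3A%2F%2Fportal.example.com%2Fcallback&scope=openid%20profile",
    "https://login.microsoftonline.com/common/oauth2/v2.0/authorize?client_id=11111111-1111-1111-1111-111111111111"
    "&response_type=code&redirect_uri=https%3A%2F%2Fdocs-review.attacker.invalid%2Fcb&scope=not.a.real.scope",
    "https://thehackernews.com/2026/03/microsoft-warns-oauth-redirect-abuse.html",
]


def scan(links):
    """Map each suspicious link to its findings, skipping clean or non-OAuth links."""
    return {u: analyze_oauth_link(u) for u in links if analyze_oauth_link(u)}


if __name__ == "__main__":
    for link, findings in scan(SAMPLE_LINKS).items():
        print(link, "->", "; ".join(findings))
```

A legitimate third-party application will also trip the allowlist check, so treat a hit as a triage signal to review the application's registered redirect URIs, not as proof of phishing.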
Read More: https://thehackernews.com/2026/03/microsoft-warns-oauth-redirect-abuse.html