Microsoft reported that threat actors are abusing legitimate OAuth authentication flows to potentially bypass email defenses and redirect users to malicious sites.

In a blog post Monday, the company said government and public-sector organizations were being targeted in the campaigns, with OAuth providers including Microsoft Entra ID and Google being abused via malicious applications.

The threat actors create malicious OAuth apps and distribute crafted OAuth URLs via email that may evade email defenses due to the use of legitimate domains such as login.microsoftonline.com and accounts.google.com. Email lures include fake e-sign documents, Social Security notices, Teams meeting recordings, password reset prompts and employee review documents.

The URLs contain specific parameters that force a redirection to the malicious app creator’s website by intentionally triggering an “invalid scope” error. This method abuses legitimate OAuth error handling protocols rather than exploiting any vulnerability, Microsoft noted.

“OAuth specifications, including RFC 6749, define how authorization errors are handled through redirects, and RFC 9700 documents security lessons learned from years of real-world deployment. RFC 9700 Section 4.11.2 (‘Authorization Server as Open Redirector’) notes that attackers can deliberately trigger OAuth errors,” the blog post stated.
The attackers also include the parameter &prompt=none, which causes the redirect to occur “silently” without the legitimate OAuth user interface ever appearing to the user. After being redirected to the attacker’s website, the user may be faced with a fake login page for phishing, or in some cases, an automatic file download.

In one case where victims were redirected to a download path, a ZIP file was installed that contained malicious LNK shortcuts and HTML loaders. When clicked, the LNK files executed a PowerShell command that performed host reconnaissance and extracted three additional files — an EXE, DLL and DAT file — from the loaders.

The script then launched the EXE, a legitimate Valve gaming utility called steam_monitor.exe, and used it to sideload the malicious DLL crashhandler.dll. This DLL ultimately decrypted and executed the final payload crashlog.dat, a backdoor that created a connection to a remote command-and-control (C2) server.

“To reduce risk, organizations should closely govern OAuth applications by limiting user consent, regularly reviewing application permissions, and removing unused or overprivileged apps,” Microsoft wrote.

The blog post also emphasized the importance of robust identity protection, the use of Conditional Access policies and cross-domain extended detection and response (XDR) detections across email, identity and endpoints.

Microsoft said the malicious OAuth apps identified in its investigation have been disabled, but warned that similar activity is likely to continue and will require ongoing monitoring.
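The two signals the article describes (an authorize link on a legitimate provider domain whose redirect_uri points somewhere the tenant does not own, combined with prompt=none) can be checked on inbound mail before a user ever clicks. The following is an added example written for this page, not code from Microsoft, SC Media or any vendor product. It assumes the documented authorize endpoint paths for Entra ID and Google, a hypothetical allow-list of redirect hosts (TRUSTED_REDIRECT_HOSTS, which a real deployment would derive from the tenant's app registrations), and a constructed lure email whose client_id values and lure.example.invalid host are placeholders. It does not try to judge whether a scope value is valid: only the provider knows that for a given app, and the redirect host and prompt parameter are the parts a mail gateway can reason about offline.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Authorization endpoints of the two providers named in the article. The hosts
# and paths are the providers' documented authorize endpoints; Entra ID's path
# is preceded by a tenant segment (/{tenant}/oauth2/v2.0/authorize).
AUTHORIZE_ENDPOINTS = {
    "login.microsoftonline.com": {"/oauth2/v2.0/authorize", "/oauth2/authorize"},
    "accounts.google.com": {"/o/oauth2/v2/auth", "/o/oauth2/auth"},
}

# Hypothetical allow-list: redirect_uri hosts of OAuth apps this tenant actually
# uses. A real deployment would build this from the tenant's app registrations.
TRUSTED_REDIRECT_HOSTS = {"app.example.com"}

URL_RE = re.compile(r"https?://[^\s\"'<>)]+")


def _normalise_path(host, path):
    """Strip the tenant segment from Entra ID authorize paths so that
    /common/oauth2/v2.0/authorize and /<guid>/oauth2/v2.0/authorize compare equal."""
    if host == "login.microsoftonline.com":
        parts = path.split("/", 2)          # ['', tenant, 'oauth2/v2.0/authorize']
        if len(parts) == 3:
            return "/" + parts[2]
    return path


def triage_oauth_url(url, trusted_hosts=TRUSTED_REDIRECT_HOSTS):
    """Return a list of findings for one URL. An empty list means the URL is
    either not an authorize endpoint we model or shows none of the signals."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    known_paths = AUTHORIZE_ENDPOINTS.get(host)
    if known_paths is None:
        return []
    if _normalise_path(host, parts.path) not in known_paths:
        return []

    query = parse_qs(parts.query)
    findings = []

    # Signal 1: the provider sends the browser (including any error response)
    # to redirect_uri, so a redirect host outside the allow-list is the key signal.
    redirect_uri = query.get("redirect_uri", [""])[0]
    redirect_host = (urlsplit(redirect_uri).hostname or "").lower()
    if redirect_uri and redirect_host not in trusted_hosts:
        findings.append(f"redirect_uri host not allow-listed: {redirect_host}")

    # Signal 2: prompt=none suppresses the provider's login/consent UI, so the
    # user never sees the legitimate OAuth screen before landing on redirect_uri.
    if query.get("prompt", [""])[0].lower() == "none":
        findings.append("prompt=none: silent flow, no provider UI shown")

    return findings


def scan_email_body(body, trusted_hosts=TRUSTED_REDIRECT_HOSTS):
    """Extract every URL from an email body and return {url: findings} for the
    URLs that produced at least one finding."""
    results = {}
    for url in URL_RE.findall(body):
        findings = triage_oauth_url(url, trusted_hosts)
        if findings:
            results[url] = findings
    return results


# Constructed sample lure in the style the article describes (fake e-sign
# document). The client_id values and the lure.example.invalid host are
# placeholders, not identifiers from the article.
SAMPLE_LURE = """\
You have a document awaiting your signature.
Review it here: https://login.microsoftonline.com/common/oauth2/v2.0/authorize?client_id=00000000-0000-0000-0000-000000000000&response_type=code&redirect_uri=https%3A%2F%2Flure.example.invalid%2Fesign&prompt=none
Or sign in with Google: https://accounts.google.com/o/oauth2/v2/auth?client_id=placeholder-client-id&response_type=code&redirect_uri=https%3A%2F%2Flure.example.invalid%2Fesign&scope=openid&prompt=none
Legitimate link for comparison: https://login.microsoftonline.com/common/oauth2/v2.0/authorize?client_id=00000000-0000-0000-0000-000000000000&response_type=code&redirect_uri=https%3A%2F%2Fapp.example.com%2Fcallback&scope=openid
Unrelated link: https://www.example.com/help
"""

if __name__ == "__main__":
    for url, findings in scan_email_body(SAMPLE_LURE).items():
        print(url)
        for finding in findings:
            print("  -", finding)
```

Run against the constructed lure, the two provider links that redirect to lure.example.invalid each produce two findings, while the legitimate link (allow-listed redirect host, no prompt=none) and the unrelated link produce none. The allow-list is the part worth investing in: it is the same inventory of registered applications and their redirect URIs that the consent-governance advice in the article asks organizations to review, so a gateway check and the periodic app review can share one source of truth.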

Microsoft flags phishing campaign abusing Entra ID, Google OAuth links





