Microsoft Warns of Sophisticated OAuth Phishing Campaigns Targeting Government Sector
Microsoft has issued a warning regarding phishing campaigns that abuse the standard OAuth URL redirection behaviour of identity providers to get past phishing defenses that judge a link by its domain. These campaigns primarily target government and public-sector organizations.
The Attack Mechanism
The objective of these attacks is to bounce victims off a trusted identity provider onto attacker-controlled infrastructure; the victims' tokens are never requested or compromised. Microsoft described this as an identity-based threat that leverages the standard behaviour of OAuth rather than exploiting software vulnerabilities or stealing credentials.
Attackers abuse the normal OAuth authorization flow, in which the identity provider redirects the user's browser to the redirect URI registered for the requesting application, including when the request fails (for example because it asks for a scope that does not exist). They craft authorization URLs on popular identity providers, such as Entra ID or Google Workspace, with manipulated parameters and a malicious application of their own, so that the provider itself forwards the user to an attacker-controlled landing page. The resulting links begin with the provider's genuine login domain and pass a casual hover check, but end on a malicious destination.
Inside the Attack Flow
The attack begins with a malicious application that the threat actor registers in a tenant they control. The application is configured with a redirect URL pointing to a rogue domain hosting malware. The actor then distributes an OAuth phishing link for that application whose scope parameter is intentionally invalid: the identity provider rejects the request and, as the protocol specifies, reports the error by redirecting the browser to the application's registered redirect URL, that is, to the rogue domain. No consent screen is shown and no token is issued, so the victim never sees anything that looks like a permission request.
The landing page on the rogue domain serves malware, which users inadvertently download onto their devices. The malicious payloads are distributed within ZIP archives. When unpacked and opened, these archives trigger PowerShell execution and DLL side-loading, and prepare for further malicious activity, including potential ransomware deployment.
Specifically, the ZIP file contains a Windows shortcut (LNK) that executes a PowerShell command upon opening. This PowerShell payload performs host reconnaissance. The LNK file extracts an MSI installer from the archive, which then drops a decoy document to mislead the victim. Concurrently, a malicious DLL named "crashhandler.dll" is sideloaded using the legitimate "steam_monitor.exe" binary. The DLL then decrypts and executes another file, "crashlog.dat," in memory, establishing an outbound connection to a command-and-control (C2) server.
Lures and Distribution Tactics
Phishing emails employ various lures, including e-signature requests, Teams recordings, and themes related to social security, finance, and politics, to induce users to click the malicious links. These emails have been sent using mass-sending tools and custom solutions developed in Python and Node.js. The links are embedded directly in the email body or within PDF documents.
To enhance credibility, the actors pass the target's email address through the OAuth state parameter in encoded form. Because the identity provider returns state unchanged on the error redirect, the value reaches the landing page, which decodes it and pre-populates the login form with the victim's address. The state parameter is meant to let a client correlate its request with the response (and to carry an anti-CSRF value); here it is repurposed as a covert channel for per-target data.
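The following Python block is an added illustration, not Microsoft's code or anything from the campaign, of the two mechanics described above: the error redirect that makes an invalid-scope request land on the attacker's registered redirect URL, and the email address smuggled through state. It models a minimal authorization endpoint that behaves as RFC 6749 section 4.1.2.1 prescribes, builds the kind of link a victim would receive, and ends with a checker that a mail gateway or analyst could run on a link without following it. The client_id, tenant, redirect domain, target address, scope list and the use of URL-safe Base64 for the state value are all assumptions made for the example.

```python
"""Model of OAuth error-redirect phishing plus a link checker.

Added example only. All identifiers below are constructed, not taken
from the campaign: the client_id, the attacker domain, the target email,
the scope list and the Base64 encoding of state are assumptions.
"""
import base64
import re
from urllib.parse import urlencode, urlparse, parse_qs

# Constructed registry: the attacker's own app, registered in a tenant
# they control, with a redirect URI on a domain they also control.
REGISTERED_APPS = {
    "11111111-2222-3333-4444-555555555555": {
        "redirect_uris": {"https://docs-review.example/auth/callback"},
    },
}
KNOWN_SCOPES = {"openid", "profile", "email", "offline_access", "User.Read"}
TARGET = "alice@agency.example.gov"          # constructed victim address
IDP_AUTHORIZE = "https://login.microsoftonline.com/common/oauth2/v2.0/authorize"


def build_phish_url(client_id, redirect_uri, target_email):
    """Craft the link the victim receives. It points at the genuine IdP
    host; the invalid scope guarantees an error bounce to redirect_uri."""
    state = base64.urlsafe_b64encode(target_email.encode()).decode()
    return IDP_AUTHORIZE + "?" + urlencode({
        "client_id": client_id,
        "response_type": "code",
        "redirect_uri": redirect_uri,
        "scope": "doesnotexist",     # intentionally invalid scope
        "state": state,              # victim email hidden in state
    })


def authorize_endpoint(url):
    """Simplified RFC 6749 behaviour. If client_id and redirect_uri match
    a registered app, an invalid scope is reported by redirecting the
    browser to redirect_uri with error parameters and the original state.
    Nothing is consented to and no token is issued."""
    q = {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}
    app = REGISTERED_APPS.get(q.get("client_id"))
    if app is None or q.get("redirect_uri") not in app["redirect_uris"]:
        # Never redirect to an unvalidated URI: show an error page instead.
        return {"action": "error_page", "reason": "invalid_client_or_redirect"}
    requested = set(q.get("scope", "").split())
    if not requested <= KNOWN_SCOPES:
        location = q["redirect_uri"] + "?" + urlencode(
            {"error": "invalid_scope", "state": q.get("state", "")})
        return {"action": "redirect", "location": location}
    return {"action": "consent_prompt", "scopes": sorted(requested)}


EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def decode_state_email(state):
    """Return an email address carried in state, plain or Base64
    (standard or URL-safe), or None if there is none."""
    candidates = [state]
    padded = state + "=" * (-len(state) % 4)
    for decoder in (base64.urlsafe_b64decode, base64.b64decode):
        try:
            candidates.append(decoder(padded).decode("utf-8"))
        except Exception:
            pass
    for c in candidates:
        if EMAIL_RE.match(c):
            return c
    return None


def assess_authorize_url(url, trusted_client_ids, trusted_redirect_hosts):
    """Indicators that can be checked on a link without visiting it."""
    q = {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}
    findings = []
    if q.get("client_id") not in trusted_client_ids:
        findings.append("client_id is not on the organisation's allowlist")
    unknown = sorted(set(q.get("scope", "").split()) - KNOWN_SCOPES)
    if unknown:
        findings.append(f"unknown scope(s) {unknown}: request can only end in an error redirect")
    email = decode_state_email(q.get("state", ""))
    if email:
        findings.append(f"state carries an email address ({email})")
    host = urlparse(q.get("redirect_uri", "")).hostname or ""
    if host and not host.endswith(tuple(trusted_redirect_hosts)):
        findings.append(f"redirect_uri points to third-party host {host}")
    return findings


if __name__ == "__main__":
    link = build_phish_url(next(iter(REGISTERED_APPS)),
                           "https://docs-review.example/auth/callback", TARGET)
    print("victim clicks:", link)
    print("IdP responds:", authorize_endpoint(link))
    for f in assess_authorize_url(link, set(), ("agency.example.gov",)):
        print("finding:", f)
```

The checker deliberately does not treat the login domain as evidence of safety; the useful signals are an unrecognised client_id, a scope the provider cannot grant, a state value that decodes to an address, and a redirect_uri outside the organisation's own hosts.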
Broader Implications and Mitigation
While some campaigns deliver malware, others use the same redirect to send users to pages hosted on phishing frameworks such as EvilProxy, which operate as adversary-in-the-middle (AitM) kits: the victim authenticates through a proxied copy of the real login flow and the kit captures the credentials and the resulting session cookies, bypassing multi-factor authentication.
Microsoft has removed several malicious OAuth applications identified during its investigation. The company advises organizations to implement measures such as limiting user consent for applications, regularly reviewing application permissions, and removing unused or overprivileged applications.