Mar 3
Microsoft Warns of Sophisticated OAuth Phishing Campaigns Targeting Government Organizations
Microsoft issued a warning on Monday regarding an advanced phishing campaign that bypasses traditional email and browser defenses by exploiting legitimate OAuth URL redirection features to target government and public-sector organizations.
The attacks, described as an identity-based threat, do not rely on exploiting software vulnerabilities or directly stealing tokens. Instead, threat actors are abusing native, by-design functionality within popular identity providers like Microsoft Entra ID and Google Workspace. By crafting benign-looking URLs with manipulated parameters, attackers can seamlessly redirect victims to malicious, attacker-controlled infrastructure.
According to the Microsoft Defender Security Research Team, the attack chain begins with a malicious application hosted in an attacker-controlled tenant. The perpetrators distribute phishing links that instruct recipients to authenticate to the application using an intentionally invalid scope. This deliberate error triggers the OAuth standard's built-in redirect feature, automatically routing the user to a rogue domain. While some campaigns use this technique to direct users to adversary-in-the-middle (AitM) phishing kits like EvilProxy to intercept session cookies, others use it to directly deliver malware.
In the malware-focused campaigns, redirected users inadvertently download a malicious ZIP archive. Upon opening the file, a disguised Windows shortcut (LNK) instantly executes a PowerShell command to conduct system reconnaissance. The LNK file then extracts an MSI installer that drops a decoy document to avoid suspicion, while simultaneously sideloading a malicious DLL ("crashhandler.dll") via a legitimate binary ("steam_monitor.exe"). This DLL decrypts a final in-memory payload, establishing an outbound connection to an external command-and-control server that paves the way for hands-on-keyboard attacks or ransomware deployment.
To deceive victims into clicking the initial links, the threat actors employ lures such as urgent e-signature requests, Microsoft Teams recordings, and messages with financial, social security, or political themes. These emails are distributed using custom mass-sending tools developed in Python and Node.js, with the malicious links embedded directly in the message body or hidden within attached PDF documents. In a highly deceptive move, attackers encode the target's email address within the URL's "state" parameter—a feature meant for correlating requests—allowing the fraudulent destination page to automatically populate the victim's email address to increase credibility.
In response to the threat, Microsoft has purged several of the malicious OAuth applications identified during its investigation. To defend against these sophisticated identity-based attacks, security experts advise organizations to proactively limit user consent capabilities, routinely audit application permissions, and immediately remove unused or overprivileged applications from their environments.
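Defenders triaging inbound mail can look for the two URL traits the article describes: an identity-provider authorize URL whose redirect_uri leaves the organization's own domains, and a state parameter that carries an encoded e-mail address for pre-filling the lure page. The Python routine below is an added example, not code from the article or from Microsoft's report; the trusted-domain list, the sample URLs and the domain `example-corp.com` are constructed assumptions.

```python
import base64
import re
from urllib.parse import parse_qs, urlparse

# Authorize-endpoint hosts of the identity providers the article names.
IDP_AUTHORIZE_HOSTS = {"login.microsoftonline.com", "accounts.google.com"}
# Redirect domains this hypothetical organization expects (assumption, constructed).
TRUSTED_REDIRECT_DOMAINS = {"example-corp.com"}
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def decode_base64_text(value):
    """Decode URL-safe or standard base64 (padding optional); None if not UTF-8 text."""
    padded = value + "=" * (-len(value) % 4)
    for decoder in (base64.urlsafe_b64decode, base64.b64decode):
        try:
            return decoder(padded).decode("utf-8")
        except (ValueError, UnicodeDecodeError):
            continue
    return None


def is_trusted_redirect(redirect_uri):
    """True when redirect_uri lands on a trusted domain or one of its subdomains."""
    host = (urlparse(redirect_uri).hostname or "").lower()
    return any(host == d or host.endswith("." + d) for d in TRUSTED_REDIRECT_DOMAINS)


def triage_oauth_url(url):
    """Return findings for one URL; an empty list means clean or not an IdP authorize URL."""
    parsed = urlparse(url)
    if parsed.hostname not in IDP_AUTHORIZE_HOSTS:
        return []
    params = parse_qs(parsed.query)  # percent-decodes values such as redirect_uri
    findings = []
    redirect_uri = params.get("redirect_uri", [""])[0]
    if redirect_uri and not is_trusted_redirect(redirect_uri):
        findings.append("redirect_uri leaves trusted domains: " + redirect_uri)
    state = params.get("state", [""])[0]
    decoded = decode_base64_text(state) if state else None
    if EMAIL_RE.match(state) or (decoded and EMAIL_RE.match(decoded)):
        findings.append("state carries an e-mail address (victim pre-fill lure)")
    return findings


# Constructed sample URLs: a lure-shaped request and a benign one from the same IdP.
AUTHORIZE = "https://login.microsoftonline.com/common/oauth2/v2.0/authorize?client_id=0&"
SAMPLE_URLS = {
    "lure": AUTHORIZE + "scope=not.a.real.scope&redirect_uri=https%3A%2F%2Fredirect.invalid%2Fcb"
            "&state=dmljdGltQGV4YW1wbGUtY29ycC5jb20",  # base64("victim@example-corp.com")
    "benign": AUTHORIZE + "scope=openid&redirect_uri=https%3A%2F%2Fapp.example-corp.com%2Fauth"
              "&state=c2Vzc2lvbi0xMjM",
}
```

Run `triage_oauth_url` over every URL extracted from a message; the "lure" sample yields two findings and the "benign" sample none, while URLs that are not IdP authorize endpoints are skipped.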
Executive IT Forums, Inc.