Microsoft Alerts on OAuth Redirect Exploitation Targeting Government Entities
Microsoft has recently identified a sophisticated phishing campaign that exploits OAuth URL redirection to infiltrate government and public-sector organizations. This method allows attackers to circumvent traditional phishing defenses by redirecting users to malicious sites without the need to steal authentication tokens.
Understanding OAuth and Its Exploitation
OAuth is a widely used authorization framework that enables third-party applications to access user data without exposing credentials. A legitimate feature of OAuth allows identity providers to redirect users to specific landing pages under certain conditions, such as error scenarios. However, attackers have found a way to misuse this functionality. By crafting URLs with manipulated parameters, they can redirect users from trusted identity providers like Entra ID or Google Workspace to malicious destinations. This technique creates URLs that appear benign but ultimately lead to harmful sites.
The Attack Mechanism
The attack begins with the threat actor registering a malicious application in a tenant they control. The application's redirect URI is configured to point at a rogue domain hosting malware. Victims receive phishing emails containing OAuth links that prompt them to authenticate to this application while requesting an intentionally invalid scope. Because the scope is invalid, the identity provider rejects the request and, as designed, redirects the browser to the application's registered redirect URI, landing the user on the rogue domain, where the malware download is served.
Malware Delivery and Execution
The malware is typically delivered in ZIP archives. Upon extraction, these archives contain a Windows shortcut (LNK) that executes a PowerShell command, initiating host reconnaissance. The LNK file also extracts an MSI installer, which drops a decoy document to mislead the victim. Simultaneously, a malicious DLL named crashhandler.dll is sideloaded using the legitimate steam_monitor.exe binary. This DLL decrypts another file, crashlog.dat, and executes the final payload in memory, establishing a connection to an external command-and-control server.
Phishing Tactics and Themes
The phishing emails employ various lures, including e-signature requests, Teams recordings, and themes related to social security, finance, and politics. They are distributed using mass-sending tools and custom solutions developed in Python and Node.js. Links are embedded directly in the email body or within PDF documents. To enhance credibility, attackers encode the target's email address within the OAuth state parameter; the phishing page decodes it and pre-fills the address automatically. The state parameter is intended to correlate an authorization request with its response, and here it is repurposed as a carrier for the encoded email address.
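As an added illustration (not code from Microsoft's report or from the campaign tooling), the following Python triages an authorize link of the shape described in the attack-mechanism and phishing sections above: it checks the client_id against the tenant's approved applications, the redirect_uri host against an allow-list, and the state parameter for an encoded mailbox. The client_id, hosts and mailbox in the sample are constructed placeholders; only the Entra authorize endpoint path is real.

```python
import base64
import re
from urllib.parse import parse_qs, urlparse

EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")

# Constructed sample in the shape described above: a dummy client_id, a
# redirect_uri on a host the organization does not own, and a base64-encoded
# mailbox in `state`. Only the authorize endpoint path is the real one.
SAMPLE_LINK = (
    "https://login.microsoftonline.com/common/oauth2/v2.0/authorize"
    "?client_id=00000000-0000-0000-0000-000000000000&response_type=code"
    "&redirect_uri=https%3A%2F%2Fupdates.attacker.example%2Fcb"
    "&scope=openid%20profile&state=dmljdGltQGFnZW5jeS5leGFtcGxl"
)


def decode_state_email(state):
    """Return an e-mail address carried in `state` (plain or base64), else None."""
    candidates = [state]
    padded = state + "=" * (-len(state) % 4)  # tolerate stripped padding
    for decoder in (base64.b64decode, base64.urlsafe_b64decode):
        try:
            candidates.append(decoder(padded).decode("utf-8"))
        except ValueError:  # covers binascii.Error and UnicodeDecodeError
            continue
    return next((c for c in candidates if EMAIL_RE.match(c)), None)


def analyze_oauth_link(url, trusted_redirect_hosts, approved_client_ids):
    """Return findings for an OAuth authorize link seen in an e-mail or PDF."""
    parsed = urlparse(url)
    if not parsed.path.rstrip("/").endswith("/authorize"):
        return []  # not an authorization request; nothing to assess here
    q = {k: v[0] for k, v in parse_qs(parsed.query).items()}
    findings = []
    client_id = q.get("client_id", "<missing>")
    if client_id not in approved_client_ids:
        findings.append(f"client_id not approved for this tenant: {client_id}")
    # On an error (e.g. a rejected scope) the IdP sends the browser to this host.
    host = urlparse(q.get("redirect_uri", "")).hostname or "<missing>"
    if host not in trusted_redirect_hosts:
        findings.append(f"redirect_uri host not on allow-list: {host}")
    email = decode_state_email(q.get("state", ""))
    if email:
        findings.append(f"state carries a mailbox address (pre-filled lure): {email}")
    return findings
```

Run it over links extracted by your mail gateway; any non-empty result is worth a second look, and the redirect_uri finding alone is enough to block the message.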
Broader Implications and Recommendations
Beyond malware delivery, some campaigns utilize this technique to direct users to phishing frameworks like EvilProxy, which intercept credentials and session cookies. Microsoft has responded by removing several malicious OAuth applications identified during the investigation. Organizations are advised to limit user consent, regularly review application permissions, and eliminate unused or overprivileged apps.
Historical Context and Ongoing Threats
This incident is part of a broader trend of OAuth exploitation. In February 2023, hackers abused Microsoft's Verified Publisher OAuth apps to breach corporate email accounts. In June 2023, a critical 'nOAuth' flaw in Microsoft Azure AD enabled complete account takeover. In December 2023, Microsoft warned of Storm-0539, a rising threat behind holiday gift card frauds. In January 2024, Microsoft warned of widening APT29 espionage attacks targeting global organizations. In April 2025, Russian hackers exploited Microsoft OAuth to target Ukraine allies via Signal and WhatsApp. In June 2025, the nOAuth vulnerability still affected 9% of Microsoft Entra SaaS apps two years after its discovery. In August 2025, attackers used fake OAuth applications with the Tycoon kit to breach Microsoft 365 accounts. In September 2025, Microsoft patched a critical Entra ID flaw enabling global admin impersonation across tenants. In January 2026, Microsoft warned that misconfigured email routing can enable internal domain phishing.
Conclusion
The exploitation of OAuth redirection underscores the evolving tactics of cyber adversaries. Organizations must remain vigilant, regularly update security protocols, and educate users about emerging threats to mitigate risks associated with such sophisticated phishing campaigns.