MICROSOFT on Monday warned of phishing campaigns that use OAuth URL redirection to bypass standard email and browser defences and deliver malware to government targets. According to the Microsoft Defender Security Research Team, the attacks are identity-based and exploit OAuth's by-design behaviour to redirect victims to attacker-controlled infrastructure without stealing tokens.
Attackers can craft URLs that point at the authorization endpoints of popular identity providers such as Entra ID or Google Workspace, steering victims to rogue landing pages via manipulated parameters and malicious applications. The sequence starts with a malicious application registered in a tenant, with a redirect URL to a rogue domain hosting malware; recipients are lured to authenticate to the app using an intentionally invalid scope, so the identity provider returns an error to the attacker's redirect URL rather than showing a consent prompt.
The ZIP-packaged payloads include a Windows shortcut that runs a PowerShell command, followed by an MSI installer that drops a decoy document and sideloads crashhandler[.]dll via steam_monitor.exe to reach a C2. Microsoft has since removed several malicious OAuth applications and urged organisations to limit user consent, review permissions, and remove unused or overprivileged apps.
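A defender-side triage for the pattern described above, written here as an added example rather than code from Microsoft: it parses OAuth authorization URLs (as seen in mail or proxy logs) and flags ones whose redirect_uri points outside an allowlist or whose scope contains unrecognised values. The allowlists, the client IDs and the sample URLs are constructed for illustration.

```python
"""Flag OAuth authorization URLs that match the redirect-abuse pattern.

Two signals are checked: a redirect_uri host the organisation does not expect,
and a scope value the identity provider would reject (an intentionally invalid
scope makes the IdP bounce the user to redirect_uri with an error).
"""
from urllib.parse import parse_qs, urlparse

# Constructed allowlists for the example; a real deployment would source these
# from its own app registrations and approved permission set.
TRUSTED_REDIRECT_HOSTS = {"app.corp.example", "login.corp.example"}
KNOWN_SCOPES = {"openid", "profile", "email", "offline_access", "user.read"}
# Real authorization-endpoint hosts for the two providers named in the article.
AUTHZ_ENDPOINT_HOSTS = {"login.microsoftonline.com", "accounts.google.com"}

def triage_authz_url(url: str) -> list[str]:
    """Return findings for one URL; an empty list means nothing suspicious."""
    parsed = urlparse(url)
    params = parse_qs(parsed.query)
    if parsed.hostname not in AUTHZ_ENDPOINT_HOSTS or "redirect_uri" not in params:
        return []  # not an OAuth authorization request; nothing to check
    findings = []
    redirect_host = urlparse(params["redirect_uri"][0]).hostname
    if redirect_host not in TRUSTED_REDIRECT_HOSTS:
        findings.append(f"redirect_uri host not allowlisted: {redirect_host}")
    scopes = params.get("scope", [""])[0].split()
    unknown = [s for s in scopes if s.lower() not in KNOWN_SCOPES]
    if unknown:
        findings.append(f"unrecognised scope value(s): {' '.join(unknown)}")
    return findings

def triage_all(urls: list[str]) -> dict[str, list[str]]:
    """Map each URL to its findings, for bulk review of extracted links."""
    return {u: triage_authz_url(u) for u in urls}

# Constructed sample links: one benign corporate sign-in, one matching the
# article's pattern (rogue redirect host plus an invalid scope), one non-OAuth.
SAMPLE_URLS = [
    "https://login.microsoftonline.com/common/oauth2/v2.0/authorize?client_id=CLIENT-ID-PLACEHOLDER-1"
    "&response_type=code&redirect_uri=https%3A%2F%2Fapp.corp.example%2Fcallback&scope=openid%20profile%20User.Read",
    "https://login.microsoftonline.com/common/oauth2/v2.0/authorize?client_id=CLIENT-ID-PLACEHOLDER-2"
    "&response_type=code&redirect_uri=https%3A%2F%2Fupdates.rogue.example%2Fland&scope=openid%20not_a_real_scope",
    "https://example.org/newsletter",
]

if __name__ == "__main__":
    for url, findings in triage_all(SAMPLE_URLS).items():
        print(url[:70], "->", findings or "clean")
```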