Microsoft warns of OAuth phishing campaigns able to bypass email and browser defenses - says 'these campaigns demonstrate that this abuse is operational, not theoretical'


  • Microsoft warns hackers are abusing OAuth redirect feature to deliver malware
  • Phishing emails themed around Teams recordings or 365 resets redirect victims to attacker-controlled sites
  • Payloads dropped via ZIP archives with LNK shortcuts and HTML smuggling; final stage connects to external C2

Hackers are abusing a redirect feature in OAuth to infect people’s computers with malware and steal their login credentials, Microsoft is warning.

OAuth (short for Open Authorization) is a system which lets users log into websites using their account from another service, without giving that website their password. Whenever a “Log In With Google” popup is shown, it is most likely OAuth.

This system has a redirect feature which identity providers can use to send visitors to a different landing page, usually if the process triggers an error - but Microsoft says this feature is being abused.

Downloading the payload

In recently spotted attacks, the crooks would send phishing emails to government and public sector organizations, usually themed around Teams meeting recordings, or Microsoft 365 password reset requests. These emails would contain a link with carefully crafted parameters which, if clicked, would bring up OAuth and trigger an error.

Because of the error, the users would then be redirected to an attacker-owned phishing-as-a-service website, where malicious payloads are hosted.

"By hosting the payload on an application redirect URI under their control, attackers can quickly rotate or change redirected domains when security filters block them," Microsoft explained in a blog post.
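One defensive check that follows from this: authorization requests carry the redirect target in the `redirect_uri` parameter, so a mail gateway or proxy can compare the host named there against the redirect hosts the tenant's approved applications are known to use. The Python below is an added example for this article, not code from Microsoft or TechRadar; the allowlist, the authorization endpoint host, the sample links and the placeholder tenant and application ids are all constructed assumptions. It also handles the userinfo trick (`https://good.example@attacker.invalid/`), attributing the link to the real host rather than the decoy in front of the `@`.

```python
from urllib.parse import parse_qs, urlparse

# Constructed allowlist (assumption): hosts that the tenant's approved app
# registrations are known to use as redirect_uri targets.
APPROVED_REDIRECT_HOSTS = {
    "portal.example-corp.com",
    "teams.microsoft.com",
}

# Only links to these authorization endpoints are inspected.
AUTHORIZATION_HOSTS = {"login.microsoftonline.com"}


def redirect_host(url: str):
    """Return the hostname named in redirect_uri when url is an OAuth
    authorization request, or None when it is not one or has no redirect_uri.
    .hostname is used instead of .netloc so that userinfo decoys such as
    https://good.example@attacker.invalid/ resolve to attacker.invalid."""
    parsed = urlparse(url)
    if (parsed.hostname or "").lower() not in AUTHORIZATION_HOSTS:
        return None
    if "/oauth2/" not in parsed.path.lower():
        return None
    targets = parse_qs(parsed.query).get("redirect_uri")  # parse_qs URL-decodes
    if not targets:
        return None
    target = urlparse(targets[0])
    return (target.hostname or "").lower() or None


def classify_link(url: str, approved=APPROVED_REDIRECT_HOSTS) -> str:
    """'ignore' for non-OAuth links, 'allowed' for known redirect hosts,
    'suspicious' for any other redirect host."""
    host = redirect_host(url)
    if host is None:
        return "ignore"
    return "allowed" if host in approved else "suspicious"


def flag_links(urls, approved=APPROVED_REDIRECT_HOSTS):
    """Return (url, redirect_host) pairs that an analyst should review."""
    return [(u, redirect_host(u)) for u in urls
            if classify_link(u, approved) == "suspicious"]


# Constructed sample links of the kind a mail or proxy log would carry.
SAMPLE_LINKS = [
    # Legitimate: redirect goes back to an approved corporate host.
    "https://login.microsoftonline.com/TENANT-ID-PLACEHOLDER/oauth2/v2.0/authorize"
    "?client_id=APP-ID-PLACEHOLDER&response_type=code&scope=openid"
    "&redirect_uri=https%3A%2F%2Fportal.example-corp.com%2Fauth%2Fcallback",
    # Suspicious: redirect lands on an unknown host serving a download path.
    "https://login.microsoftonline.com/TENANT-ID-PLACEHOLDER/oauth2/v2.0/authorize"
    "?client_id=APP-ID-PLACEHOLDER&response_type=code"
    "&redirect_uri=https%3A%2F%2Fteams-recording.attacker.invalid%2Fdownload%2FXXXX",
    # Suspicious: approved host appears only as userinfo in front of the real host.
    "https://login.microsoftonline.com/TENANT-ID-PLACEHOLDER/oauth2/v2.0/authorize"
    "?client_id=APP-ID-PLACEHOLDER"
    "&redirect_uri=https%3A%2F%2Fportal.example-corp.com%40attacker.invalid%2F",
    # Not an OAuth link at all.
    "https://www.example-corp.com/newsletter",
]

if __name__ == "__main__":
    for url, host in flag_links(SAMPLE_LINKS):
        print(f"REVIEW: redirect_uri host {host!r} in {url}")
```

The allowlist is the weak point of this check: it has to be derived from the application registrations the tenant actually permits, and reviewed when new apps are consented to, otherwise a registration the attacker controls simply becomes another "approved" host.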

In one observed attack, the victims were redirected to a /download/XXXX path that downloaded a ZIP file. That archive contained LNK shortcuts and HTML smuggling loaders, and when victims opened the shortcut files, they triggered a PowerShell command. In turn, that command ran discovery commands and launched a legitimate executable which, with the help of a side-loaded malicious DLL, executed the final payload.

The result was an outbound connection to an external C2 endpoint.
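The execution chain described above (shortcut opened from an extracted archive, PowerShell spawned by the desktop shell, a legitimate executable loading a DLL from the same user-writable directory) is detectable from endpoint telemetry without knowing the payload. The Python below is an added example written for this article, not Microsoft's detection logic; the event field names, the user-writable path markers and the sample events are constructed assumptions modelled loosely on process-create and image-load records.

```python
from pathlib import PureWindowsPath

# Constructed markers (assumption) for directories an ordinary user can write to.
USER_WRITABLE_MARKERS = ("\\appdata\\local\\temp\\", "\\downloads\\", "\\appdata\\roaming\\")


def in_user_writable(path: str) -> bool:
    return any(marker in path.lower() for marker in USER_WRITABLE_MARKERS)


def basename(path: str) -> str:
    return PureWindowsPath(path).name.lower()


def parent_dir(path: str) -> str:
    return str(PureWindowsPath(path).parent).lower()


def is_shortcut_launched_powershell(ev: dict) -> bool:
    """Stage 1: PowerShell started by the desktop shell (what opening an LNK
    looks like) with its working directory inside a user-writable location,
    e.g. an archive extraction folder."""
    return (ev["type"] == "process_create"
            and basename(ev["image"]) == "powershell.exe"
            and basename(ev["parent_image"]) == "explorer.exe"
            and in_user_writable(ev["current_directory"]))


def is_sideload_candidate(ev: dict) -> bool:
    """Stage 2: a DLL loaded from a user-writable directory by an executable
    that lives in that same directory, the classic side-loading layout."""
    if ev["type"] != "image_load":
        return False
    loaded = ev["loaded_image"]
    return (loaded.lower().endswith(".dll")
            and in_user_writable(loaded)
            and parent_dir(loaded) == parent_dir(ev["image"]))


def correlate(events):
    """Per host, raise an alert for each side-load candidate that occurs at or
    after the first shortcut-launched PowerShell on that host."""
    by_host = {}
    for ev in events:
        by_host.setdefault(ev["host"], []).append(ev)
    alerts = []
    for host, evs in by_host.items():
        evs.sort(key=lambda e: e["ts"])
        launches = [e["ts"] for e in evs if is_shortcut_launched_powershell(e)]
        if not launches:
            continue
        first = launches[0]
        for e in evs:
            if e["ts"] >= first and is_sideload_candidate(e):
                alerts.append({"host": host, "stage1_ts": first,
                               "host_process": e["image"], "sideloaded_dll": e["loaded_image"]})
    return alerts


# Constructed sample telemetry: WS01 shows the chain, WS02 is benign activity.
SAMPLE_EVENTS = [
    {"host": "WS01", "ts": 100, "type": "process_create",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "current_directory": r"C:\Users\alice\AppData\Local\Temp\Temp1_recording.zip\\"},
    {"host": "WS01", "ts": 101, "type": "process_create",
     "image": r"C:\Users\alice\AppData\Local\Temp\updater\legit.exe",
     "parent_image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "current_directory": r"C:\Users\alice\AppData\Local\Temp\updater\\"},
    {"host": "WS01", "ts": 102, "type": "image_load",
     "image": r"C:\Users\alice\AppData\Local\Temp\updater\legit.exe",
     "loaded_image": r"C:\Users\alice\AppData\Local\Temp\updater\support.dll"},
    {"host": "WS02", "ts": 200, "type": "process_create",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "current_directory": r"C:\Users\bob\Documents\\"},
    {"host": "WS02", "ts": 201, "type": "image_load",
     "image": r"C:\Program Files\Vendor\app.exe",
     "loaded_image": r"C:\Program Files\Vendor\helper.dll"},
]

if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(f"ALERT {alert['host']}: {alert['host_process']} loaded {alert['sideloaded_dll']}")
```

Either stage alone is noisy (developers run PowerShell from Downloads, portable apps ship DLLs beside their executable), which is why the correlation keys on both occurring on the same host in order; the side-load check is deliberately independent of the DLL's name so it does not depend on the specific library a given campaign abuses.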

It is worth stressing that the victims did not lose their login credentials on the OAuth page - it was just used as a redirect feature to get a payload dropped. Right now, we don’t know how widespread the campaign is, or how many government organizations were affected.


Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.
