Microsoft: Hackers abuse OAuth error flows to spread malware

Published: March 3, 2026 at 03:59 PM EST
3 min read

Source: Bleeping Computer


Hackers are abusing the legitimate OAuth redirection mechanism to bypass phishing protections in email and browsers and take users to malicious pages. Because the visible link points at the identity provider's own domain, it passes URL-reputation checks in mail gateways and browsers; it is the identity provider that then redirects the victim to the malicious destination. According to Microsoft Defender researchers, the attacks target government and public-sector organizations with phishing links that prompt users to authenticate to a malicious application. The lures appear as e-signature requests, Social Security notices, meeting invitations, password resets, or various financial and political topics, and contain OAuth redirect URLs. Sometimes the URLs are embedded in PDF files to evade detection.

Microsoft 365 account warning lure (Source: Microsoft)

Forcing risky redirections

OAuth applications are registered with an identity provider (e.g., Microsoft Entra ID) and leverage the OAuth 2.0 protocol to obtain delegated or application‑level access to user data and resources.

In the campaigns observed by Microsoft, attackers create malicious OAuth applications in a tenant they control and configure them with a redirect URI pointing to their infrastructure.

The researchers explain that although the Entra ID URLs look like legitimate authorization requests, the authorize endpoint is invoked with prompt=none (silent authentication, no interactive login) together with an invalid scope that is guaranteed to produce an authentication error. Because the redirect URI is registered on the attacker's own application, the identity provider treats it as a valid destination for the error response and redirects the user there, carrying the error in the query string and without ever showing a login page.

In some cases, victims are redirected to phishing pages powered by attacker-in-the-middle frameworks such as EvilProxy, which proxy the real login flow and capture the resulting session cookies, allowing the attacker to reuse an MFA-completed session and so bypass multi-factor authentication (MFA). Microsoft found that the state parameter, which the identity provider echoes back unchanged on the redirect, was misused to carry the victim's email address so that the phishing page could pre-fill it in the credentials box, increasing perceived legitimacy.
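The two signals described above (an authorize request shaped to force a silent error redirect, and a state value carrying the victim's address) can be checked mechanically on links extracted from mail or on the redirect the identity provider returns. The following triage helper is an added example for this article and is not Microsoft's or Bleeping Computer's tooling. The trusted redirect hosts, the scope-shape heuristic, the tenant and app identifiers, and the sample URLs are constructed assumptions for the demo.

```python
"""Triage OAuth authorize links of the shape the article describes: a genuine
Entra ID authorize URL whose parameters (prompt=none, a scope the provider
will reject, a redirect_uri on foreign infrastructure, a state carrying an
e-mail address) are arranged to force a silent error redirect.

Added example, not from the article or from Microsoft.  Hosts, scope
heuristic and sample URLs are constructed assumptions.
"""
import re
from typing import List, Optional
from urllib.parse import parse_qs, urlparse

# Identity-provider hosts whose authorize endpoint we expect in mail (assumption).
IDP_HOSTS = {"login.microsoftonline.com", "login.microsoft.com", "login.live.com"}

# Redirect hosts used by the apps our tenant has registered (constructed for the demo).
TRUSTED_REDIRECT_HOSTS = {"myapps.example.com", "portal.example.com"}

# Scope tokens we recognise: OIDC scopes, dotted permission names such as
# User.Read, resource-qualified permissions, app-exposed api:// scopes.
# Anything else is treated as unrecognised.  Heuristic, not Entra's own rules.
SCOPE_SHAPE = re.compile(
    r"^(openid|profile|email|offline_access"
    r"|[A-Za-z]+(\.[A-Za-z]+)+"
    r"|https?://[^/\s]+/\S+"
    r"|api://\S+)$"
)
EMAIL = re.compile(r"[^@\s/]+@[^@\s/]+\.[^@\s/]+")


def _first_values(query: str) -> dict:
    """Flatten parse_qs output to the first value of each parameter."""
    return {k: v[0] for k, v in parse_qs(query).items()}


def triage_authorize_url(url: str) -> List[str]:
    """Return the indicators found in an OAuth authorize URL (empty if none)."""
    u = urlparse(url)
    if u.hostname not in IDP_HOSTS or not u.path.endswith("/authorize"):
        return []  # not an IdP authorize request; nothing to judge here
    q = _first_values(u.query)
    hits = []
    # prompt=none requests silent auth; a link a human clicks from an
    # e-mail has no legitimate reason to ask for it.
    if q.get("prompt", "").lower() == "none":
        hits.append("prompt_none")
    # A scope the provider cannot grant yields invalid_scope, delivered by
    # redirect rather than by showing a login page.
    scopes = q.get("scope", "").split()
    if any(not SCOPE_SHAPE.match(s) for s in scopes):
        hits.append("unrecognized_scope")
    # Where the error response, and the victim, will be sent.
    r = urlparse(q.get("redirect_uri", ""))
    if r.hostname and r.hostname not in TRUSTED_REDIRECT_HOSTS:
        hits.append("untrusted_redirect_uri")
    # state is opaque anti-CSRF data; an address inside it exists to
    # pre-fill a credential form on the destination page.
    if EMAIL.search(q.get("state", "")):
        hits.append("email_in_state")
    return hits


def classify_error_redirect(location: str) -> Optional[str]:
    """Classify a Location header the IdP returned for a failed authorize request.

    Errors may arrive in the query (response_mode=query) or in the fragment
    (response_mode=fragment); both are checked.  Returns None if no error.
    """
    loc = urlparse(location)
    err = _first_values(loc.query).get("error") or _first_values(loc.fragment).get("error")
    if not err:
        return None
    where = "trusted" if loc.hostname in TRUSTED_REDIRECT_HOSTS else "untrusted"
    return f"error_to_{where}_host:{err}"


# Constructed samples.  SUSPECT mirrors the shape the article describes;
# client IDs, hosts and the address are invented.
BENIGN = ("https://login.microsoftonline.com/common/oauth2/v2.0/authorize"
          "?client_id=11111111-2222-3333-4444-555555555555&response_type=code"
          "&redirect_uri=https%3A%2F%2Fmyapps.example.com%2Fauth%2Fcallback"
          "&scope=openid%20profile%20User.Read&state=a9f3c2")
SUSPECT = ("https://login.microsoftonline.com/common/oauth2/v2.0/authorize"
           "?client_id=66666666-7777-8888-9999-000000000000&response_type=code"
           "&redirect_uri=https%3A%2F%2Fdocs-esign.invalid%2Fcb"
           "&scope=zzqx%20openid&prompt=none&state=jane.doe%40agency.example")
ERROR_LOCATION = ("https://docs-esign.invalid/cb?error=invalid_scope"
                  "&error_description=The+requested+scope+is+invalid"
                  "&state=jane.doe%40agency.example")

if __name__ == "__main__":
    for name, link in (("benign", BENIGN), ("suspect", SUSPECT)):
        print(name, triage_authorize_url(link))
    print("redirect", classify_error_redirect(ERROR_LOCATION))
```

Run stand-alone it prints `benign []`, `suspect ['prompt_none', 'unrecognized_scope', 'untrusted_redirect_uri', 'email_in_state']` and `redirect error_to_untrusted_host:invalid_scope`. The trusted-host list is the part that needs to reflect your tenant's real app registrations; the other three checks are properties of the link itself and hold for any tenant.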

OAuth redirect attack overview (Source: Microsoft)

In other instances, victims are redirected to a /download path that automatically delivers a ZIP file containing malicious shortcut (.LNK) files and HTML‑smuggling tools. Opening the .LNK launches PowerShell, which performs reconnaissance on the compromised host and extracts components required for the next step, DLL side‑loading.

A legitimate executable (stream_monitor.exe) side-loads the malicious DLL (crashhandler.dll), which decrypts the final payload (crashlog.dat) and loads it into memory, while a decoy is displayed to distract the victim.

The malware attack chain (Source: Microsoft)

Mitigation recommendations

Microsoft suggests that organizations:

  • Tighten permissions for OAuth applications.
  • Enforce strong identity protections and Conditional Access policies.
  • Deploy cross‑domain detection across email, identity, and endpoints.

The observed attacks are identity-based threats that abuse intended OAuth behavior: authorization errors are returned to the application's registered redirect URI rather than shown to the user. Threat actors trigger those errors deliberately, combining prompt=none (which suppresses any interactive login) with an invalid scope so that the identity provider is guaranteed to answer with a silent error redirect to attacker infrastructure, as part of real-world attacks.
