OAuth Redirect Abuse Delivers Malware to Gov't Targets

by CyberNewsAI Admin
Threat Intelligence · Cloud Defense · Vulnerability Watch

Executive Summary

A new phishing vector has been identified targeting government and public-sector organizations. Adversaries are abusing a legitimate, by-design feature of OAuth to redirect users to malicious infrastructure, resulting in malware deployment. These identity-based attacks build the phishing link on popular identity providers, including Entra ID and Google Workspace, so the URL sits on a trusted identity-provider domain and passes standard URL filters. The end goal is device infection for pre-ransomware or hands-on-keyboard activity, or redirection into Adversary-in-the-Middle (AitM) phishing infrastructure.

Key Findings

Attack Vector: OAuth Redirection Abuse

This threat does not exploit a software vulnerability; it abuses a standard part of the OAuth authorization flow. The adversary registers an OAuth application in a tenant under their control and sets its redirect URI to a malware-hosting domain. A phishing link to the identity provider's authorization endpoint is then crafted for that application with an intentionally invalid scope parameter. When the user follows the link and authenticates, the provider's standard handling of the invalid scope delivers the error response to the application's registered redirect URI, so the user's browser lands on the attacker's pre-configured page and the malware download begins. Because the link itself points at the identity provider, it looks benign to filters that trust that domain.

Infiltration and Payload Delivery

The attack chain begins with a phishing email whose malicious link appears either in the message body or inside an attached PDF. Social engineering lures include e-signature requests, Teams recordings, and financial or political themes. To add credibility, the attacker encodes the target's email address into the state parameter of the OAuth URL; the landing page reads it back and pre-fills the email field on the phishing form.
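The two characteristics described above (a redirect URI that points away from the organisation, a scope the provider cannot honour, and a state value that smuggles the target's address) can all be checked on the link itself before anyone clicks it. The following triage helper is an added example written for this page, not code or data from the original report: the URL, tenant and client IDs, redirect host, scope text and email address are constructed, and the allow-list of legitimate redirect hosts is an assumption an analyst would replace with their own.

```python
"""Triage an OAuth authorization URL for the redirect-abuse pattern described above.

Added example, not code or data from the original report. The URL, tenant and
client IDs, redirect host, scope text and e-mail address below are constructed
for illustration; the allow-list of legitimate redirect hosts is an assumption.
"""
import base64
import re
from typing import Optional
from urllib.parse import parse_qs, urlparse

# Authorization endpoints of the two identity providers named in the report.
IDP_AUTHORIZE_HOSTS = {"login.microsoftonline.com", "accounts.google.com"}

# Shapes of scope tokens Entra ID and Google actually accept. Free text such as
# "x-not-a-scope" fails this check; a deliberately invalid scope is what makes
# the provider answer with an error sent to redirect_uri.
VALID_SCOPE_TOKEN = re.compile(
    r"^(?:openid|profile|email|offline_access"
    r"|https?://[\w.-]+/[\w./-]+"        # resource URIs, e.g. https://graph.microsoft.com/.default
    r"|[A-Za-z]+(?:\.[A-Za-z]+)+)$"      # Graph short form, e.g. User.Read
)
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")


def _b64_decode_lenient(value: str) -> str:
    """Decode base64 or base64url with or without padding; '' if it is not base64."""
    padded = value + "=" * (-len(value) % 4)
    for decoder in (base64.urlsafe_b64decode, base64.b64decode):
        try:
            return decoder(padded).decode("utf-8", errors="ignore")
        except ValueError:
            continue
    return ""


def extract_email_from_state(state: str) -> Optional[str]:
    """Return an e-mail address carried in `state`, either in clear text or base64."""
    for candidate in (state, _b64_decode_lenient(state)):
        match = EMAIL_RE.search(candidate)
        if match:
            return match.group(0)
    return None


def triage_oauth_url(url: str, allowed_redirect_hosts: set) -> dict:
    """Parse an authorize URL and list indicators of the redirect-abuse pattern."""
    parsed = urlparse(url)
    params = {k: v[0] for k, v in parse_qs(parsed.query).items()}
    redirect_host = urlparse(params.get("redirect_uri", "")).netloc.lower()
    email = extract_email_from_state(params.get("state", ""))
    result = {"params": params, "redirect_host": redirect_host, "email": email, "indicators": []}

    if parsed.netloc.lower() not in IDP_AUTHORIZE_HOSTS:
        result["indicators"].append("not an IdP authorization endpoint")
        return result
    # The error response is delivered to redirect_uri, so that host is the real landing page.
    if redirect_host and redirect_host not in allowed_redirect_hosts:
        result["indicators"].append(f"redirect_uri host not allow-listed: {redirect_host}")
    bad_scopes = [t for t in params.get("scope", "").split() if not VALID_SCOPE_TOKEN.match(t)]
    if bad_scopes:
        result["indicators"].append(f"invalid scope token(s): {bad_scopes}")
    if email:
        result["indicators"].append(f"state carries a target e-mail: {email}")
    return result


# Constructed phishing-style URL: redirect to an attacker-controlled host, one
# nonsense scope token, and the target's address base64url-encoded in state.
PHISH_URL = (
    "https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/oauth2/v2.0/authorize"
    "?client_id=11111111-1111-1111-1111-111111111111&response_type=code"
    "&redirect_uri=https%3A%2F%2Fdocs-review.example.net%2Fsign"
    "&scope=openid%20profile%20x-not-a-scope"
    "&state=" + base64.urlsafe_b64encode(b"jane.doe@agency.example.gov").decode()
)
# Constructed benign URL: allow-listed redirect, real scopes, opaque state.
BENIGN_URL = (
    "https://login.microsoftonline.com/common/oauth2/v2.0/authorize"
    "?client_id=22222222-2222-2222-2222-222222222222&response_type=code"
    "&redirect_uri=https%3A%2F%2Fportal.agency.example.gov%2Fcallback"
    "&scope=openid%20profile%20User.Read&state=c29tZS1vcGFxdWUtbm9uY2U"
)

if __name__ == "__main__":
    for url in (PHISH_URL, BENIGN_URL):
        verdict = triage_oauth_url(url, {"portal.agency.example.gov"})
        print(verdict["redirect_host"], verdict["indicators"])
```

The redirect-host check is the one that matters most: a legitimate link from your own tenant's applications should only ever carry a redirect URI you recognise, and that field is visible in the URL before any sign-in happens. The scope check is a weaker signal on its own (typos and third-party apps produce odd scopes too) and is best used to raise the score of a link that already fails the redirect check.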

The payload delivery sequence is as follows:

  • The victim is redirected and downloads a ZIP archive.
  • The archive contains a Windows shortcut (LNK) file; when opened, it runs a PowerShell command that performs host reconnaissance.
  • The LNK file then extracts an MSI installer from the archive.
  • The MSI drops a decoy document to distract the user while setting up DLL side-loading: the legitimate steam_monitor.exe binary loads a malicious crashhandler.dll placed alongside it.
  • The malicious DLL decrypts a companion file, crashlog.dat, and executes the final payload in memory.
  • The payload establishes an outbound connection to an external command-and-control (C2) server.
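Each stage of that sequence leaves a distinct trace in endpoint telemetry, and the chain is far more convincing as a whole than any single stage is on its own. The detector below is an added example written for this page, not code or data from the original report. Its events are constructed to mimic a Sysmon-style export (EventID 1 = process create, 7 = image load, 3 = network connect); the field names, every path, the expected Steam install directories and the internal network ranges are assumptions, and only the names steam_monitor.exe and crashhandler.dll come from the text above. The report does not state which process launches the MSI, so the MSI rule keys on the package location rather than on process parentage.

```python
"""Detect the delivery chain described above in endpoint telemetry.

Added example, not code or data from the original report. Events are
constructed to mimic a Sysmon-style export; field names, paths, the expected
Steam directories and the internal ranges are assumptions. Only the names
steam_monitor.exe and crashhandler.dll come from the report.
"""
import ipaddress
import ntpath  # Windows path handling that also works on a Linux analysis host

# Assumption: directories a legitimate copy of steam_monitor.exe would load DLLs from.
EXPECTED_STEAM_DIRS = ("c:\\program files (x86)\\steam\\", "c:\\program files\\steam\\")
# Assumption: the organisation's own address space; anything else counts as external.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
USER_WRITABLE_MARKERS = ("\\temp\\", "\\downloads\\", "\\appdata\\")
HIDDEN_PS_FLAGS = ("-w hidden", "-windowstyle hidden", "-ep bypass", "-executionpolicy bypass")


def _base(path: str) -> str:
    return ntpath.basename(path).lower()


def detect_chain(events: list) -> list:
    """Return (rule, pid) pairs, one per chain stage observed, in event order."""
    procs = {e["ProcessId"]: e for e in events if e["EventID"] == 1}
    sideloaded = set()  # PIDs of steam_monitor.exe that loaded a rogue crashhandler.dll
    findings = []
    for e in events:
        image = _base(e["Image"])
        if e["EventID"] == 1:
            parent = procs.get(e["ParentProcessId"])
            parent_image = _base(parent["Image"]) if parent else ""
            cmd = e["CommandLine"].lower()
            # Stage 1: the LNK, opened from Explorer, runs a hidden PowerShell for recon.
            if image == "powershell.exe" and parent_image == "explorer.exe" \
                    and any(flag in cmd for flag in HIDDEN_PS_FLAGS):
                findings.append(("lnk_hidden_powershell", e["ProcessId"]))
            # Stage 2: an MSI installed from a user-writable location.
            if image == "msiexec.exe" and any(m in cmd for m in USER_WRITABLE_MARKERS):
                findings.append(("msi_from_user_path", e["ProcessId"]))
        elif e["EventID"] == 7 and image == "steam_monitor.exe":
            loaded = e["ImageLoaded"].lower()
            # Stage 3: side-load. Same DLL name, but loaded from outside the install directory.
            if _base(loaded) == "crashhandler.dll" and not loaded.startswith(EXPECTED_STEAM_DIRS):
                findings.append(("steam_monitor_sideload", e["ProcessId"]))
                sideloaded.add(e["ProcessId"])
        elif e["EventID"] == 3 and image == "steam_monitor.exe":
            # Stage 4: the side-loaded process opens a connection to an external address.
            dst = ipaddress.ip_address(e["DestinationIp"])
            if e["ProcessId"] in sideloaded and not any(dst in net for net in INTERNAL_NETS):
                findings.append(("c2_after_sideload", e["ProcessId"]))
    return findings


# Constructed telemetry: one full chain (PIDs 1200 -> 4410 -> 4470 -> 4520) plus a
# benign control where the same binary loads the same DLL name from its own directory.
SAMPLE_EVENTS = [
    {"EventID": 1, "ProcessId": 1200, "ParentProcessId": 700,
     "Image": "C:\\Windows\\explorer.exe", "CommandLine": "explorer.exe"},
    {"EventID": 1, "ProcessId": 4410, "ParentProcessId": 1200,
     "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "CommandLine": "powershell.exe -w hidden -ep bypass -c \"Get-ComputerInfo | Out-File $env:TEMP\\ci.txt\""},
    {"EventID": 1, "ProcessId": 4470, "ParentProcessId": 4410,
     "Image": "C:\\Windows\\System32\\msiexec.exe",
     "CommandLine": "msiexec.exe /i C:\\Users\\jdoe\\AppData\\Local\\Temp\\review.msi /qn"},
    {"EventID": 1, "ProcessId": 4520, "ParentProcessId": 4470,
     "Image": "C:\\Users\\jdoe\\AppData\\Roaming\\Tools\\steam_monitor.exe", "CommandLine": "steam_monitor.exe"},
    {"EventID": 7, "ProcessId": 4520, "Image": "C:\\Users\\jdoe\\AppData\\Roaming\\Tools\\steam_monitor.exe",
     "ImageLoaded": "C:\\Users\\jdoe\\AppData\\Roaming\\Tools\\crashhandler.dll"},
    {"EventID": 3, "ProcessId": 4520, "Image": "C:\\Users\\jdoe\\AppData\\Roaming\\Tools\\steam_monitor.exe",
     "DestinationIp": "203.0.113.10", "DestinationPort": 443},
    {"EventID": 7, "ProcessId": 5001, "Image": "C:\\Program Files (x86)\\Steam\\steam_monitor.exe",
     "ImageLoaded": "C:\\Program Files (x86)\\Steam\\crashhandler.dll"},
    {"EventID": 3, "ProcessId": 5001, "Image": "C:\\Program Files (x86)\\Steam\\steam_monitor.exe",
     "DestinationIp": "203.0.113.20", "DestinationPort": 443},
]

if __name__ == "__main__":
    for rule, pid in detect_chain(SAMPLE_EVENTS):
        print(f"{rule:<24} pid={pid}")
```

Stage 2 on its own is noisy (plenty of legitimate installers unpack to Temp), and stage 4 deliberately fires only for a process that already tripped the side-load rule; the point of correlating by PID and ordering is that the control process, which loads the same DLL name and also talks to an external address, produces no finding at all.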

Observed Impact

The primary impact is malware delivery that can lead to pre-ransomware and hands-on-keyboard activity. In some observed campaigns the same redirect was used to send victims to phishing frameworks such as EvilProxy, enabling Adversary-in-the-Middle (AitM) attacks that intercept user credentials and session cookies in real time.

Mitigation & Recommendations

Microsoft has taken action by removing several malicious OAuth applications identified in this campaign. However, organizations must remain vigilant and implement proactive defenses.

Tactical Mitigation

  • Limit User Consent: Restrict users' ability to consent to new or unverified third-party applications accessing their identity data. Note that the redirect described above is triggered by the provider's error response rather than by a consent grant, so this control reduces exposure to consent phishing in general; it does not by itself block the redirect.
  • Review Application Permissions: Periodically audit all integrated OAuth applications. Scrutinize their permissions and remove any that are unused, overprivileged, or suspicious.
  • Enhance Email Security: Deploy email filtering that detects these lures and follows each link through to its final landing page, rather than judging it by the trusted identity-provider domain it starts on.

Strategic Recommendations

  • User Training: Teach users that a link to a trusted identity provider can still end on attacker infrastructure, and how to recognize suspicious application permission requests.
  • Monitor Application Activity: Alert on the creation of new OAuth applications, on unusual consent-grant patterns, and on authorization requests whose redirect URI points outside your approved domains.
