Microsoft and Google: Microsoft Warns of Advanced Phishing Campaign Abusing OAuth in Entra ID


Microsoft Uncovers Sophisticated Phishing Campaigns Abusing OAuth 2.0 Redirects

Microsoft has identified a series of phishing attacks targeting government and public-sector organizations by exploiting OAuth 2.0’s redirection features in Microsoft Entra ID and Google Workspace. Unlike traditional credential theft, these campaigns bypass email filters by weaponizing trusted authentication protocols to deliver malware.

Attack Mechanics

Threat actors register malicious apps in their own tenant, configuring the apps' redirect URIs to point at phishing or malware-hosting domains. Phishing emails disguised as e-signature requests, Teams invites, or password resets lure victims into clicking links that trigger a silent OAuth flow. By manipulating parameters such as prompt=none and scope=invalid, attackers force the identity provider to return an error redirect without any user interaction, so the final malicious URL never appears in the link that email scanners inspect.

The state parameter carries the victim's email address encoded in Base64, hex, or a custom scheme, so the phishing page can be auto-populated with it for realism. Once the link is clicked, the victim is redirected either to tools like EvilProxy for session hijacking or to a download of a ZIP file containing a malicious LNK file. The LNK file runs PowerShell for host reconnaissance, then sideloads crashhandler.dll via the legitimate steam_monitor.exe process to establish command-and-control (C2) communication.

Detection & Indicators

The attack does not exploit vulnerabilities but abuses OAuth 2.0 protocol behavior as outlined in RFC 6749/9700. Key indicators include:

  • URL Parameters: prompt=none, scope=invalid (triggers silent redirects)
  • File Artifacts: steam_monitor.exe, crashhandler.dll, crashlog.dat (DLL sideloading)
  • Defender Signatures: Trojan:Win32/Malgent, Trojan:Win32/Znyonm, Trojan:Win32/WinLNK
  • Error Codes: 65001, error=interaction_required (failed SSO, successful redirect)
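As an added detection example (not from the Microsoft advisory or the cyberpress article), the following Python checks authorize URLs taken from constructed log entries for the indicator combination listed above, prompt=none together with scope=invalid, and tries to recover an email address hidden in the state parameter using the Base64 and hex encodings the campaign used. The client IDs, redirect hosts and email addresses are made up.

```python
import base64
import binascii
import re
from urllib.parse import urlparse, parse_qs

# Constructed sample authorize URLs as they might appear in proxy or mail-gateway
# logs. Hosts, client IDs and addresses are hypothetical, not real indicators.
SAMPLE_URLS = [
    # Abusive pattern: silent flow forced to error, victim email hidden in state
    "https://login.microsoftonline.com/common/oauth2/v2.0/authorize"
    "?client_id=11111111-2222-3333-4444-555555555555&response_type=code"
    "&redirect_uri=https%3A%2F%2Fdocs-review.example%2Fcb&scope=invalid&prompt=none"
    "&state=" + base64.urlsafe_b64encode(b"alice@agency.example").decode(),
    # Same pattern against Google, with a hex-encoded state
    "https://accounts.google.com/o/oauth2/v2/auth?client_id=abc&response_type=code"
    "&redirect_uri=https%3A%2F%2Fesign-portal.example%2Fcb&scope=invalid&prompt=none"
    "&state=" + "bob@agency.example".encode().hex(),
    # Benign silent SSO refresh: prompt=none with a real scope and an opaque state
    "https://login.microsoftonline.com/common/oauth2/v2.0/authorize?client_id=abc"
    "&response_type=code&scope=openid%20profile&prompt=none&state=xyz123",
]

EMAIL_RE = re.compile(rb"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def decode_state(state: str):
    """Try hex and Base64 decodings of state; return an embedded email or None."""
    candidates = []
    try:
        candidates.append(bytes.fromhex(state))
    except ValueError:
        pass  # not hex
    for decoder in (base64.urlsafe_b64decode, base64.b64decode):
        try:
            candidates.append(decoder(state + "=" * (-len(state) % 4)))
        except (binascii.Error, ValueError):
            pass  # not Base64 in this alphabet
    for blob in candidates:
        match = EMAIL_RE.search(blob)
        if match:
            return match.group(0).decode()
    return None


def assess_authorize_url(url: str) -> dict:
    """Flag the advisory's indicator combination and surface the decoded victim email."""
    query = {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}
    silent = query.get("prompt") == "none"
    bad_scope = query.get("scope", "") == "invalid"
    return {"suspicious": silent and bad_scope,
            "victim_email": decode_state(query.get("state", "")),
            "redirect_uri": query.get("redirect_uri")}
```

A benign silent SSO refresh also uses prompt=none, so the scope check is what separates it from the abuse pattern; a decoded email in state is a strong secondary signal.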

Mitigation Strategies

Because the campaign abuses intended protocol behavior rather than a vulnerability, Microsoft recommends OAuth governance rather than patching, including:

  • App Audits: Regularly review overprivileged OAuth applications.
  • Access Controls: Enforce Conditional Access and identity protection.
  • Telemetry & Hunting: Use XDR for cross-signal correlation, flagging anomalies like PowerShell execution from LNK files or DLL sideloading.

The campaign underscores the growing trend of protocol abuse in phishing, where attackers leverage legitimate features to evade detection.

Source: https://cyberpress.org/microsoft-warns-oauth-in-entra-id/

Microsoft Entra Community cybersecurity rating report: https://www.rankiteo.com/company/microsoft-entra

Google Workspace cybersecurity rating report: https://www.rankiteo.com/company/googleworkspace

"id": "MICGOO1772628247",
"linkid": "microsoft-entra, googleworkspace",
"type": "Cyber Attack",
"date": "3/2026",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"