
"OAuth includes a legitimate feature that allows identity providers to redirect users to a specific landing page under certain conditions, typically in error scenarios or other defined flows. Attackers can abuse this native functionality by crafting URLs with popular identity providers, such as Entra ID or Google Workspace, that use manipulated parameters or associated malicious applications to redirect users to attacker-controlled landing pages."
"The starting point of the attack is a malicious application created by the threat actor in a tenant under their control. The application is configured with a redirect URL pointing to a rogue domain that hosts malware. The attackers then distribute an OAuth phishing link that instructs the recipients to authenticate to the malicious application by using an intentionally invalid scope."
"The malicious payloads are distributed in the form of ZIP archives, which, when unpacked, result in PowerShell execution, DLL side-loading, and pre-ransom or hands-on-keyboard activity. The ZIP file contains a Windows shortcut (LNK) that executes a PowerShell command."
Microsoft identified phishing campaigns targeting government and public-sector organizations that abuse OAuth's legitimate redirect functionality rather than any vulnerability. The attacker registers a malicious application in a tenant they control and sets its redirect URL to a rogue domain hosting malware. They then distribute phishing links that ask recipients to authenticate to that application with an intentionally invalid scope. Because the scope is invalid, the identity provider follows its normal error flow and sends the browser to the application's registered redirect URL, which is the attacker-controlled site; there the user downloads a ZIP archive containing a Windows shortcut (LNK) that runs a PowerShell command, leading to DLL side-loading and pre-ransom or hands-on-keyboard activity. Since the flow relies on standard OAuth behavior and steals no credentials, conventional email and credential-theft defenses are poorly placed to catch it; the observable signals are the redirect target and the malformed scope in the authorization URL itself.
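The two signals the summary points at, a redirect URL outside the organization's known application registrations and a scope value the identity provider does not issue, can both be read straight out of an authorization URL captured from mail or proxy logs. The following Python is an added detection example, not code from Microsoft or The Hacker News; the identity-provider host `login.idp.example`, the allowlists, and the sample URLs are all constructed for illustration and must be replaced with your tenant's real app registrations and scope catalogue.

```python
"""Flag suspicious OAuth authorization URLs seen in mail or proxy logs.

Added example (not part of the source report). The IdP host, allowlists and
sample URLs below are constructed placeholders.
"""
from urllib.parse import parse_qs, urlparse

# Hosts that your organization's registered OAuth applications legitimately
# redirect to. Constructed allowlist; replace with your own registrations.
APPROVED_REDIRECT_HOSTS = {"portal.contoso.example", "app.contoso.example"}

# Scope values the identity provider actually issues (compared case-insensitively).
# Anything outside this set is the "intentionally invalid scope" lure the
# report describes. Constructed sample set.
KNOWN_SCOPES = {"openid", "profile", "email", "offline_access", "user.read"}

# Constructed sample log entries: one benign sign-in link, one matching the
# reported pattern (rogue redirect host plus a scope the IdP does not issue).
SAMPLE_URLS = [
    "https://login.idp.example/oauth2/authorize?client_id=11111111-1111-1111-1111-111111111111"
    "&response_type=code&redirect_uri=https%3A%2F%2Fportal.contoso.example%2Fcallback"
    "&scope=openid%20profile%20User.Read",
    "https://login.idp.example/oauth2/authorize?client_id=22222222-2222-2222-2222-222222222222"
    "&response_type=code&redirect_uri=https%3A%2F%2Fupdates.rogue-domain.example%2Fdownload"
    "&scope=openid%20not.a.real.scope",
]


def analyze_authorize_url(url: str) -> dict:
    """Return the findings for one authorization URL and whether it is suspicious."""
    params = parse_qs(urlparse(url).query)  # parse_qs percent-decodes values
    findings = []

    # Check 1: the registered redirect target. In the reported campaign this is the
    # attacker's malware-hosting domain, so it falls outside the approved set.
    redirect_uri = params.get("redirect_uri", [""])[0]
    redirect_host = (urlparse(redirect_uri).hostname or "").lower()
    if redirect_uri and redirect_host not in APPROVED_REDIRECT_HOSTS:
        findings.append(f"redirect_uri host not approved: {redirect_host}")

    # Check 2: scope values the IdP cannot grant. An invalid scope forces the
    # error path that bounces the browser to the redirect URL.
    scope = params.get("scope", [""])[0]
    unknown = [s for s in scope.split() if s.lower() not in KNOWN_SCOPES]
    if unknown:
        findings.append(f"unknown scope value(s): {' '.join(unknown)}")

    return {
        "url": url,
        "redirect_host": redirect_host,
        "findings": findings,
        "suspicious": bool(findings),
    }


def triage(urls) -> list:
    """Run the checks over a batch of URLs and keep only the suspicious ones."""
    return [r for r in (analyze_authorize_url(u) for u in urls) if r["suspicious"]]


if __name__ == "__main__":
    for hit in triage(SAMPLE_URLS):
        print(hit["redirect_host"], "->", "; ".join(hit["findings"]))
```

The redirect-host check is the more durable of the two: a phishing link can carry any scope, but the identity provider only ever redirects to what the application registered, so a host absent from your own registrations is worth a look regardless of what the rest of the URL says. Both checks are allowlist-based and will miss a registration you have not catalogued, so the allowlists need to be generated from the tenant rather than maintained by hand.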
#oauth-phishing-attacks #identity-based-threats #government-sector-targeting #malware-distribution #email-security-bypass
Read at The Hacker News