Full Report
Microsoft on Monday warned of phishing campaigns that employ phishing emails and OAuth URL redirection mechanisms to bypass conventional phishing defenses implemented in email and browsers. The activity, the company said, targets government and public-sector organizations with the end goal of redirecting victims to attacker-controlled infrastructure without stealing their tokens. It described
Analysis Summary
# Tool/Technique: OAuth URL Redirection Abuse
## Overview
This technique involves the exploitation of legitimate OAuth identity provider (IdP) features to redirect victims to malicious infrastructure. By crafting specifically manipulated URLs—often utilizing "invalid scope" errors or malicious applications—attackers trick users into visiting rogue domains. Unlike traditional OAuth attacks that focus on token theft, this specific campaign uses the redirection mechanism as a delivery vector for malware, bypassing email filters that trust legitimate identity provider domains like Microsoft Entra ID or Google Workspace.
## Technical Details
- **Type:** Technique (Abuse of legitimate OAuth flows) / Malware Delivery Loop
- **Platform:** Windows (End-user devices), Cloud Identity Providers (Entra ID, Google Workspace)
- **Capabilities:** URL obfuscation, evasion of email security gateways, host reconnaissance, and automated malware deployment.
- **First Seen:** Publicly reported March 2026 (Campaign active 2024-2026).
## MITRE ATT&CK Mapping
- **[TA0001 - Initial Access]**
  - [T1566.002 - Phishing: Spearphishing Link]
- **[TA0002 - Execution]**
  - [T1204.002 - User Execution: Malicious File]
  - [T1059.001 - Command and Scripting Interpreter: PowerShell]
- **[TA0005 - Defense Evasion]**
  - [T1574.002 - Hijacking Execution Flow: DLL Side-Loading]
  - [T1027 - Obfuscated Files or Information]
- **[TA0007 - Discovery]**
  - [T1082 - System Information Discovery]
## Functionality
### Core Capabilities
- **Legitimate Domain Leveraging:** Uses trusted `login.microsoftonline.com` or `accounts.google.com` links to hide the ultimate malicious destination.
- **OAuth Error Manipulation:** Triggers redirect behaviors by requesting "intentionally invalid scopes," forcing the IdP to send the user to a pre-configured (attacker-controlled) redirect URI.
- **Credential Pre-population:** Repurposes the OAuth `state` parameter to carry encoded recipient email addresses, making the phishing landing page appear more personalized and credible.
### Advanced Features
- **In-Memory Execution:** The final payload is decrypted from a `.dat` file and executed directly in memory to avoid disk-based detection.
- **Multi-Stage Infection:** Employs a chain starting from a ZIP file → LNK → PowerShell → MSI → DLL Side-loading.
- **AitM Integration:** Capability to hand off the session to Adversary-in-the-Middle (AitM) frameworks like **EvilProxy**.
## Indicators of Compromise
- **File Names:**
  - `steam_monitor.exe` (Legitimate binary used for side-loading)
  - `crashhandler.dll` (Malicious DLL)
  - `crashlog.dat` (Encrypted payload)
- **Network Indicators:**
  - `login.microsoftonline[.]com/common/oauth2/v2.0/authorize` (Abused legitimate endpoint)
  - [Attacker-controlled redirect domains - *Specific domains not listed in the summary text, but typically hosted on rogue VPS or compromised sites*]
- **Behavioral Indicators:**
  - PowerShell executing reconnaissance commands immediately following an LNK file opening.
  - MSI installers dropping decoy documents (PDFs/DOCX) while simultaneously launching system binaries for side-loading.
## Associated Threat Actors
- Unknown (Targeting government and public-sector organizations).
- Users of the **EvilProxy** AitM framework.
## Detection Methods
- **Behavioral detection:** Monitor for `steam_monitor.exe` (or other non-standard binaries) loading unsigned or unexpected DLLs from the `AppData` or `Downloads` directories.
- **Network telemetry:** Log and inspect OAuth authorization requests with unusually long `state` parameters or those containing base64-encoded strings that match user emails.
- **Security Logs:** Audit "Consent to application" events in Entra ID/Google Workspace, specifically focusing on newly registered applications from external tenants.
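The network-telemetry check above (long `state` values, or `state` values that base64-decode to a recipient email) can be scripted against proxy or gateway logs. The following is an added example written for this summary, not code from Microsoft or from the report; the log-line format, the `url=` field, the length threshold, the small scope allowlist and all sample values are constructed assumptions to be tuned to your own telemetry.

```python
import base64
import re
from urllib.parse import urlparse, parse_qs

# Loose email pattern for the decoded state payload.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
# Assumption: a typical CSRF nonce in `state` is short; tune to your baseline.
STATE_LEN_THRESHOLD = 64
# Assumption: scopes your apps legitimately request. Anything outside this set
# is worth a look, since the campaign requests intentionally invalid scopes.
KNOWN_SCOPES = {"openid", "profile", "email", "offline_access", "User.Read"}
# Constructed log format: "<ts> src=<ip> url=<authorize URL>".
URL_FIELD_RE = re.compile(r"url=(\S+)")


def _b64_decode_lenient(s):
    """Decode standard or URL-safe base64 with missing padding; None if not text."""
    s = s.strip().replace("-", "+").replace("_", "/")
    s += "=" * (-len(s) % 4)
    try:
        return base64.b64decode(s, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None


def analyze_authorize_url(url):
    """Return a list of finding tags for one OAuth authorize request URL."""
    parsed = urlparse(url)
    if not parsed.path.endswith("/authorize"):
        return []  # only authorization-endpoint requests are in scope
    q = parse_qs(parsed.query)
    findings = []

    state = q.get("state", [""])[0]
    if len(state) > STATE_LEN_THRESHOLD:
        findings.append("long_state")
    decoded = _b64_decode_lenient(state) if state else None
    if decoded and EMAIL_RE.search(decoded):
        findings.append("state_decodes_to_email")

    scopes = set(q.get("scope", [""])[0].split())
    if scopes - KNOWN_SCOPES:
        findings.append("unusual_scope")
    return findings


def scan_log_lines(lines):
    """Yield (url, findings) for every log line carrying an authorize URL."""
    results = []
    for line in lines:
        m = URL_FIELD_RE.search(line)
        if m:
            url = m.group(1)
            results.append((url, analyze_authorize_url(url)))
    return results


# Constructed sample telemetry: a benign login, a state carrying a JSON blob
# with the recipient email, and a state that is a bare base64 email.
_AUTHZ = ("https://login.microsoftonline.com/common/oauth2/v2.0/authorize"
          "?client_id=00000000-0000-0000-0000-000000000000&response_type=code"
          "&redirect_uri=https%3A%2F%2Fexample.invalid%2Fcb")
_json_state = base64.urlsafe_b64encode(
    b'{"rcpt":"alice.smith@example.gov","id":"000000000000000000000"}'
).decode().rstrip("=")
_bare_state = base64.urlsafe_b64encode(b"bob.jones@example.gov").decode().rstrip("=")

SAMPLE_LOG_LINES = [
    f"2026-03-10T09:00:01Z src=10.0.0.5 {'url=' + _AUTHZ}&scope=openid&state=a1b2c3d4e5f6",
    f"2026-03-10T09:02:17Z src=10.0.0.9 {'url=' + _AUTHZ}&scope=openid%20bogus.scope&state={_json_state}",
    f"2026-03-10T09:05:42Z src=10.0.0.7 {'url=' + _AUTHZ}&scope=openid&state={_bare_state}",
]

if __name__ == "__main__":
    for url, findings in scan_log_lines(SAMPLE_LOG_LINES):
        print(findings or "clean", url[:80])
```

Run it over exported gateway logs by replacing `SAMPLE_LOG_LINES` with the real lines; the `state` and `scope` checks are independent, so a hit on either is enough to route the request to an analyst queue.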
## Mitigation Strategies
- **User Consent Settings:** Restrict the ability of non-admin users to grant consent to unverified applications.
- **Conditional Access:** Implement policies that require compliant or managed devices to access corporate resources, even during the OAuth flow.
- **Application Review:** Periodically audit enterprise applications and remove those with low usage or excessive permissions.
- **Advanced Phishing Protection:** Use email security solutions capable of "time-of-click" URL sandboxing that follows redirects through identity providers.
## Related Tools/Techniques
- **EvilProxy:** An AitM phishing framework often used in conjunction with these redirections.
- **Illicit Consent Grant:** A related technique where the goal is persistent access to mailbox data rather than malware delivery.
- **DLL Side-loading:** The primary execution method once the payload is delivered.