Microsoft Reports OAuth Redirect Abuse Used to Deliver Malware to Government Targets
Microsoft reported phishing campaigns targeting government and public-sector organizations that abuse legitimate OAuth redirect behavior in identity providers (including Microsoft Entra ID and Google Workspace) to send victims from seemingly benign authorization URLs to attacker-controlled infrastructure. The technique does not rely on exploiting a software vulnerability or stealing OAuth tokens; instead, attackers register a malicious OAuth application in a tenant they control, then send victims an OAuth link that triggers an error flow (e.g., via an intentionally invalid scope) to force a redirect to a rogue domain hosting malware. Microsoft said the delivered payloads have included ZIP archives that lead to execution chains involving LNK-based execution, PowerShell, and DLL side-loading, consistent with follow-on hands-on-keyboard or pre-ransomware activity.
Microsoft stated it disabled the identified malicious OAuth applications in Entra ID, but warned that related OAuth abuse activity persists and requires continued monitoring. Reported lures used in the phishing emails included e-signature requests, access to Teams meeting recordings, Microsoft 365 password reset instructions, and political themes; Microsoft also observed indicators consistent with the use of free mass-mailing tools and custom tooling (including Python and Node.js) to distribute the campaigns and deliver malware capable of endpoint takeover.

How this story unfolded
4 events from the most recent confirmed update back to the earliest known activity.
Microsoft publishes warning and mitigation guidance on OAuth abuse
Microsoft Defender researchers publicly warned about the campaigns and said the activity abuses standards-compliant OAuth redirect behavior rather than a software vulnerability. Microsoft recommended tighter OAuth app governance, restricting user consent, reviewing and removing risky app permissions, and improving cross-domain detection across email, identity, and endpoints.
Microsoft disables malicious OAuth applications during investigation
During its investigation, Microsoft identified and removed or disabled several malicious OAuth applications used in the campaigns within Microsoft Entra ID. The company noted that related OAuth abuse activity was still continuing and required ongoing monitoring.
Attackers use redirected victims for credential theft and malware delivery
Microsoft documented that redirected victims were sent either to adversary-in-the-middle phishing infrastructure such as EvilProxy to steal credentials and session cookies, or to malware-delivery chains. One observed infection path delivered ZIP files with LNK and HTML smuggling components, followed by PowerShell reconnaissance, DLL sideloading via steam_monitor.exe, and an in-memory payload communicating with command-and-control infrastructure.
Phishing campaigns abuse OAuth redirects against public-sector targets
Threat actors launched ongoing phishing campaigns primarily targeting government and public-sector organizations by abusing legitimate OAuth redirection and error-handling behavior in providers such as Microsoft Entra ID and Google Workspace. The attacks used crafted authorization URLs, including invalid scopes and prompt=none, to redirect victims from trusted identity-provider domains to attacker-controlled infrastructure.
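As an added illustration (not code from Microsoft, Mallory or any of the cited reports), the following Python flags the pattern the summary and timeline describe: an authorization link on a genuine identity-provider host whose redirect_uri points somewhere the organisation has not approved, that carries prompt=none, or that targets an Entra tenant other than the organisation's own. The authorize hostnames are real; the approved-host list, own tenant id, sample email and reason strings are constructed placeholders.

```python
import re
from urllib.parse import parse_qs, urlparse

# Real authorize endpoint hosts of the two providers named in the story; the
# allowlist, own-tenant id and the sample email below are constructed placeholders.
AUTHORIZE_HOSTS = {"login.microsoftonline.com", "accounts.google.com"}
APPROVED_REDIRECT_HOSTS = {"portal.example.gov", "sso.example.gov"}  # hypothetical
OWN_TENANT_ID = "22222222-2222-2222-2222-222222222222"  # hypothetical
GUID_RE = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.I)
URL_RE = re.compile(r"https?://[^\s\"'<>]+")

SAMPLE_EMAIL = (  # constructed lure in the style the story describes
    "Your e-signature is requested. Review the document here:\n"
    "https://login.microsoftonline.com/11111111-1111-1111-1111-111111111111"
    "/oauth2/v2.0/authorize?client_id=00000000-0000-0000-0000-00000000aaaa"
    "&response_type=code&redirect_uri=https%3A%2F%2Fdocs-share.example.net%2Fsign"
    "&scope=not.a.real.scope&prompt=none\n"
)


def analyze_oauth_link(url: str) -> list[str]:
    """Return reasons a link looks like OAuth redirect abuse ([] means clean).

    The link host is the genuine IdP, so 'check where the link points' fails; the
    durable signals are where redirect_uri goes and which tenant is addressed.
    Scope validity is not judged: any unknown string is 'invalid' to the IdP.
    """
    parts = urlparse(url)
    segs = [s for s in parts.path.split("/") if s]
    if parts.hostname not in AUTHORIZE_HOSTS or not segs or segs[-1] not in ("authorize", "auth"):
        return []  # not an IdP authorization endpoint, nothing to judge
    q = parse_qs(parts.query)
    reasons = []
    rhost = urlparse(q.get("redirect_uri", [""])[0]).hostname
    if not rhost:
        reasons.append("missing or unparsable redirect_uri")
    elif rhost not in APPROVED_REDIRECT_HOSTS:
        reasons.append(f"redirect_uri host not approved: {rhost}")
    if q.get("prompt", [""])[0] == "none":  # IdP answers with an error redirect, no login page
        reasons.append("prompt=none forces a silent error redirect")
    # Entra puts the tenant in the path; 'common'/'organizations' cannot be judged this way
    if parts.hostname == "login.microsoftonline.com" and GUID_RE.match(segs[0]) and segs[0].lower() != OWN_TENANT_ID:
        reasons.append(f"authorize request against foreign tenant {segs[0]}")
    return reasons


def scan_email(body: str) -> dict[str, list[str]]:
    """Map every flagged URL found in an email body to its reasons."""
    return {u: r for u in URL_RE.findall(body) if (r := analyze_oauth_link(u))}
```

Run the same check on mail-gateway URL rewrites or proxy logs, since the IdP host alone will look clean in both.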
Sources
8 references tracked.
Microsoft flags phishing campaign abusing Entra ID, Google OAuth links | news | SC Media (scworld.com)
Microsoft Warns of New Phishing Attack Exploiting OAuth in Entra ID to Evade Detection (cybersecuritynews.com)
Phishing campaign exploits OAuth redirection to bypass defenses (securityaffairs.com)
Microsoft Warns OAuth Redirect Abuse Delivers Malware to Government Targets (thehackernews.com)
Threat actors weaponize OAuth redirection logic to deliver malware - Help Net Security (helpnetsecurity.com)
OAuth phishers make 'check where the link points' advice ineffective | CSO Online (csoonline.com)
Microsoft: Hackers abuse OAuth error flows to spread malware (bleepingcomputer.com)
Microsoft OAuth scams abuse redirects for malware delivery • The Register (go.theregister.com)