Microsoft Reports OAuth Redirect Abuse Used to Deliver Malware to Government Targets
Microsoft reported phishing campaigns targeting government and public-sector organizations that abuse legitimate OAuth redirect behavior in identity providers (including Microsoft Entra ID and Google Workspace) to send victims from seemingly benign authorization URLs to attacker-controlled infrastructure. The technique does not rely on exploiting a software vulnerability or stealing OAuth tokens; instead, attackers register a malicious OAuth application in a tenant they control, then send victims an OAuth link that triggers an error flow (e.g., via an intentionally invalid scope) to force a redirect to a rogue domain hosting malware. Microsoft said the delivered payloads have included ZIP archives that lead to execution chains involving LNK-based execution, PowerShell, and DLL side-loading, consistent with follow-on hands-on-keyboard or pre-ransomware activity.
Microsoft stated it disabled the identified malicious OAuth applications in Entra ID, but warned that related OAuth abuse activity persists and requires continued monitoring. Reported lures used in the phishing emails included e-signature requests, access to Teams meeting recordings, Microsoft 365 password reset instructions, and political themes; Microsoft also observed indicators consistent with the use of free mass-mailing tools and custom tooling (including Python and Node.js) to distribute the campaigns and deliver malware capable of endpoint takeover.
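As an added defender-side example (not code from Microsoft's report), the following Python triage function parses an OAuth authorization URL of the kind described above and flags the indicators a mail-security team would look for: a legitimate identity-provider authorize endpoint combined with a redirect_uri host outside the organisation's allowlist, plus scope values that are not recognised. The allowlist, the known-scope set and the sample URL are constructed assumptions for this example.

```python
from urllib.parse import urlparse, parse_qs

# Authorize endpoints whose error-redirect behaviour the campaign abuses.
IDP_AUTHORIZE_HOSTS = {"login.microsoftonline.com", "accounts.google.com"}

# Hypothetical per-organisation allowlist of redirect_uri hosts that belong to
# approved applications (constructed for this example).
APPROVED_REDIRECT_HOSTS = {"app.example-corp.com", "sso.example-corp.com"}

# Scope names an analyst expects to see; anything else is worth a second look
# because the lure relies on an invalid scope to trigger the error redirect.
KNOWN_SCOPES = {"openid", "profile", "email", "offline_access", "user.read"}


def triage_oauth_url(url, approved_hosts=APPROVED_REDIRECT_HOSTS):
    """Return structured findings for one authorization URL."""
    parsed = urlparse(url)
    qs = {k: v[0] for k, v in parse_qs(parsed.query).items()}
    findings = {"is_oauth_authorize": False, "redirect_host": None,
                "unapproved_redirect": False, "unknown_scopes": [], "risk": "low"}

    if parsed.hostname not in IDP_AUTHORIZE_HOSTS or "/authorize" not in parsed.path:
        return findings            # not an IdP authorize link; nothing to triage
    findings["is_oauth_authorize"] = True

    # The IdP sends the browser to redirect_uri even for an error response
    # (e.g. invalid_scope), so a host outside the allowlist is the key signal.
    redirect_host = urlparse(qs.get("redirect_uri", "")).hostname
    findings["redirect_host"] = redirect_host
    findings["unapproved_redirect"] = redirect_host not in approved_hosts

    scopes = qs.get("scope", "").split()
    findings["unknown_scopes"] = [s for s in scopes if s.lower() not in KNOWN_SCOPES]

    if findings["unapproved_redirect"]:
        findings["risk"] = "high" if findings["unknown_scopes"] else "medium"
    return findings


if __name__ == "__main__":
    # Constructed sample lure URL: real IdP host, placeholder client_id,
    # rogue redirect host and a scope that cannot be granted.
    SAMPLE = ("https://login.microsoftonline.com/common/oauth2/v2.0/authorize"
              "?client_id=00000000-0000-0000-0000-000000000000&response_type=code"
              "&redirect_uri=https%3A%2F%2Fdocs-review.example.net%2Fcb"
              "&scope=openid%20not.a.real.scope")
    print(triage_oauth_url(SAMPLE))
```

A "high" result (unapproved redirect host together with an unrecognised scope) matches the lure pattern Microsoft describes; a URL that never reaches an IdP authorize endpoint is returned untouched at "low" so the function can run over every link a gateway extracts.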
Related Stories

Phishing and software impersonation campaigns delivering malware via trusted services
Microsoft reported ongoing **OAuth abuse** campaigns targeting government and public-sector organizations, where phishing emails lure users into clicking links that leverage legitimate identity-provider redirect behavior (e.g., **Microsoft Entra ID** and other OAuth providers) to send victims to attacker-controlled pages for malware delivery and potential device takeover. Lures included e-signature requests, Teams meeting recordings, Microsoft 365 password resets, and political themes; Microsoft said it disabled identified malicious OAuth applications but warned related activity persists and requires continued monitoring. Separately, researchers described multiple **deception-based malware delivery** operations that rely on impersonation of trusted brands and software rather than exploiting product vulnerabilities. One campaign spoofed **Zoom** and **Google Meet** to install the legitimate *Teramind* monitoring agent for covert surveillance, using fake landing pages and a Microsoft Store lookalike, persistence via services (including `tsvchst` and `pmon`), and traffic masking via built-in SOCKS5 proxy support; defenders were advised to check for related drivers (e.g., `tm_filter.sys`, `tmfsdrv2.sys`) and artifacts under *ProgramData*. Another campaign used a lookalike domain (`filezilla-project[.]live`) to distribute a trojanized portable **FileZilla 3.69.5** bundle that adds a malicious DLL for DLL search-order hijacking, enabling credential theft (including saved FTP credentials) and C2 activity—highlighting a broader trend of **trusted software impersonation** and search/SEO poisoning as an initial access vector.
2 weeks ago
OAuth Device Code and Malicious App Abuse to Gain Persistent Access in Microsoft Entra ID/Microsoft 365
Threat actors are increasingly abusing **OAuth** in *Microsoft Entra ID* and *Microsoft 365* to obtain **access/refresh tokens** that provide durable access even when passwords are reset and MFA is enabled. Reported activity includes both (1) **malicious OAuth app** registrations and deceptive consent prompts that masquerade as legitimate “business integrations,” and (2) abuse of the **OAuth 2.0 Device Authorization Grant** (device code flow) where victims authenticate on Microsoft’s legitimate device login portal, making the intrusion harder to detect with credential-focused controls. Multiple reports describe campaigns targeting business users and organizations (including technology, manufacturing, and financial sectors) to access resources such as **Outlook, Teams, and OneDrive** and to enable mailbox actions and data access under seemingly legitimate application activity. Research and incident reporting highlight that attackers can persist via **service principals** created in victim tenants after consent is granted, and that some integrations may remain effective even if the consenting user is later disabled; separate reporting also describes **device-code vishing/phishing** that leverages legitimate Microsoft OAuth client IDs and standard login workflows to capture tokens without attacker-hosted phishing pages, with one source attributing the vishing activity to **ShinyHunters** (unconfirmed by Microsoft at the time of reporting).
3 weeks ago
Multiple Social-Engineering Campaigns Abuse Trusted Platforms (Microsoft Teams, Vendor-Signed Email, Bing Ads/Azure)
Security researchers reported several **social-engineering campaigns** that abuse trusted platforms to increase credibility and bypass controls. One campaign targeted wedding planners and related vendors by hijacking trust in *Microsoft Teams*: attackers used compromised legitimate email threads and impersonated legal professionals (e.g., `czimmerman@craigzlaw[.]com`) to lure victims into clicking a fake Teams meeting link that ultimately redirected to `ussh[.]life/connect/teamsfinal/9/windows`, a site masquerading as a Teams download page. Victims were prompted to download Windows executables consistent with **information-stealer** behavior (credential/browser/session-token theft and C2 exfiltration), enabling follow-on account takeover and additional phishing. Separately, a report highlighted **DKIM replay**-style phishing in which criminals abuse legitimate notification/invoice workflows from **PayPal, Apple, and DocuSign** to generate cryptographically signed emails that pass DKIM/DMARC checks; attackers place scam content (often a fake support phone number and urgency) into user-controlled fields, send the message to themselves to obtain a “clean” vendor-signed email, then forward it to targets. Another campaign used **Bing search ads** to funnel users through a newly registered domain (`highswit[.]space`) to scam pages hosted on **Microsoft Azure Blob Storage** (consistent path pattern including `werrx01USAHTML/index.html` and a phone-number parameter), presenting fake Microsoft security warnings and directing victims to call numbers such as `1-866-520-2041` and `1-833-445-4045`; Netskope observed impact across dozens of US organizations.
1 month ago