OAuth Redirect Abuse: When Identity Flows Become Malware Delivery Channels

  • Javier Conejo del Cerro
  • 1 day ago
  • 4 min read

Security researchers at Microsoft have warned of phishing campaigns that exploit legitimate OAuth redirect mechanisms from identity providers such as Microsoft Entra ID and Google Workspace to bypass traditional email and browser phishing protections. Instead of stealing tokens or exploiting vulnerabilities, attackers abuse OAuth’s normal behavior to redirect government and public-sector victims to malicious infrastructure that delivers malware or phishing frameworks.

This technique illustrates a growing category of identity-based threats, where attackers manipulate authentication workflows rather than exploiting software flaws, enabling malicious links that appear legitimate because they originate from trusted identity platforms.


Phase 1 — Identity Abuse: Manipulating OAuth Redirect Logic


OAuth authentication flows allow identity providers to redirect users to specific URLs after authentication or during error scenarios. This behavior is legitimate and widely used across modern cloud identity systems.

Threat actors exploit this feature by creating malicious OAuth applications within tenants under their control. These applications are configured with redirect URLs pointing to attacker-controlled domains hosting malware or phishing infrastructure.

The attackers then craft OAuth links that appear to originate from trusted identity services such as Entra ID or Google Workspace. These links often carry manipulated parameters, such as an intentionally invalid scope, so that the identity provider answers with an error response delivered to the application's registered redirect URL, which sends the victim on to the attacker-controlled domain.

Because the link begins with a trusted identity provider, email filters and browser security controls are far less likely to block it.


Phase 2 — Phishing Delivery and Social Engineering


The attack chain typically begins with phishing emails sent to government and public-sector organizations.

To increase credibility and improve click rates, attackers use themes that resemble common workplace communications, including:

  • Electronic signature requests

  • Microsoft Teams meeting recordings

  • Social security or administrative notices

  • Financial documents

  • Political communications

The phishing emails are distributed through mass-mailing tools and custom scripts written in Python and Node.js.

Links may appear directly in the email body or embedded inside PDF attachments, further disguising the malicious redirect.

To make the phishing pages appear even more legitimate, attackers encode the victim’s email address inside the OAuth state parameter, which allows the phishing page to automatically display the correct email address during the authentication flow.
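As an added example (not code from the original post or from Microsoft), the following Python triages OAuth authorize links found in mail or proxy logs for the three signals described in Phases 1 and 2: a redirect URL outside an allow-list, a malformed scope token, and a state value that decodes to an e-mail address. The allow-list, the per-provider scope-shape regexes and the sample link are assumptions constructed for the demo.

```python
# Added example, not from the original post: triage OAuth authorize links from mail/proxy logs.
import base64
import re
from urllib.parse import parse_qs, quote, urlparse

TRUSTED_AUTHORIZE_HOSTS = {"login.microsoftonline.com", "accounts.google.com"}
ALLOWED_REDIRECT_HOSTS = {"app.example.gov"}  # hypothetical allow-list of your apps' redirect hosts
EMAIL_RE = re.compile(r"^[\w.+-]+@[\w-]+(\.[\w-]+)+$")
SCOPE_RE = {  # heuristic (assumed) shape of a well-formed scope token per provider
    "login.microsoftonline.com": re.compile(
        r"^(openid|profile|email|offline_access|[\w-]+\.[\w.-]+|(https?|api)://\S+)$"),
    "accounts.google.com": re.compile(
        r"^(openid|profile|email|https://www\.googleapis\.com/auth/\S+)$"),
}

def decode_state(state):
    """Best-effort decode of a state value: plain text, base64 or base64url."""
    padded = state + "=" * (-len(state) % 4)
    for decoder in (base64.b64decode, base64.urlsafe_b64decode):
        try:
            return decoder(padded).decode("utf-8")
        except (ValueError, UnicodeDecodeError):
            continue
    return state

def triage_oauth_link(url):
    """Return the suspicious indicators found in one IdP authorize URL."""
    parsed, findings = urlparse(url), []
    if parsed.hostname not in TRUSTED_AUTHORIZE_HOSTS:
        return findings  # not an IdP authorize link; nothing to check here
    params = {k: v[0] for k, v in parse_qs(parsed.query).items()}
    redirect_host = urlparse(params.get("redirect_uri", "")).hostname
    if redirect_host and redirect_host not in ALLOWED_REDIRECT_HOSTS:
        findings.append("redirect_uri points to unexpected host " + redirect_host)
    bad = [s for s in params.get("scope", "").split()
           if not SCOPE_RE[parsed.hostname].match(s)]
    if bad:
        findings.append("malformed scope token(s): " + " ".join(bad))
    decoded = decode_state(params.get("state", ""))
    if EMAIL_RE.match(decoded):
        findings.append("state decodes to an e-mail address: " + decoded)
    return findings

# Constructed sample link mimicking the lure described in the post (all values invented).
SAMPLE_STATE = base64.b64encode(b"victim@agency.example").decode()
SAMPLE_URL = ("https://login.microsoftonline.com/common/oauth2/v2.0/authorize?response_type=code"
              "&client_id=00000000-0000-0000-0000-000000000000&redirect_uri="
              + quote("https://lure.invalid/cb", safe="") + "&scope=openid%20not-a-real-scope&state=" + SAMPLE_STATE)
```

Running `triage_oauth_link(SAMPLE_URL)` reports all three indicators, while a link whose redirect host is allow-listed, whose scopes are well-formed and whose state is opaque yields an empty list.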


Phase 3 — OAuth Redirect and Malware Delivery


Once the victim clicks the link and authenticates to the malicious OAuth application, the authentication process triggers the configured redirect to attacker infrastructure.

The victim is then prompted to download a ZIP archive containing the next stage of the infection chain.

Inside the archive is a Windows shortcut (LNK) file designed to execute a PowerShell command when opened. The PowerShell script initiates reconnaissance of the infected system by running discovery commands.

The LNK script also extracts an MSI installer, which performs two key actions:

  1. Displays a decoy document to distract the victim.

  2. Executes a legitimate binary called steam_monitor.exe.

The legitimate binary is abused to perform DLL sideloading, loading a malicious library named crashhandler.dll.


Phase 4 — Payload Execution and Command-and-Control


After being loaded through the sideloading technique, the malicious DLL decrypts an encrypted file called crashlog.dat.

The decrypted payload is executed directly in memory, allowing it to avoid many traditional antivirus detections.

Once active, the malware establishes communication with an external command-and-control (C2) server, allowing attackers to maintain remote access and continue post-exploitation activities.

The malware chain supports several malicious operations, including:

  • System reconnaissance

  • Malware staging and deployment

  • Remote command execution

  • Hands-on-keyboard attacker activity


Phase 5 — Credential Theft via Adversary-in-the-Middle


In some variants of the campaign, the OAuth redirect does not deliver malware but instead forwards victims to phishing frameworks such as EvilProxy.

These frameworks implement adversary-in-the-middle (AitM) techniques that intercept login sessions between the user and the legitimate authentication service.

Through this mechanism, attackers can capture:

  • User credentials

  • Session cookies

  • Active authentication tokens

This allows attackers to bypass multifactor authentication protections and gain direct access to the victim’s cloud accounts.


Measures to Fend Off the Attack


Organizations can significantly reduce exposure to OAuth-based phishing campaigns by implementing stronger identity governance and endpoint detection practices.

  • Restrict user consent for OAuth applications, especially in government and high-risk environments

  • Regularly review and remove unused or over-privileged applications in identity tenants

  • Monitor authentication logs for suspicious OAuth redirects or abnormal application registrations

  • Detect encoded or unusual state parameters within OAuth requests

  • Block or investigate downloads triggered through identity provider redirects

  • Monitor execution of LNK files, PowerShell commands, and MSI installers from email attachments

  • Detect DLL sideloading activity involving legitimate binaries

  • Deploy behavior-based endpoint detection and response (EDR) to identify in-memory malware execution
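As an added example (not from the original post), the following Python expresses the LNK, PowerShell, MSI and DLL-sideloading checks from the measures above as rules evaluated over process-creation and image-load events like those an EDR records for the chain in Phases 3 and 4. The event schema, the file paths and the flag list are assumptions constructed for the demo.

```python
# Added example, not from the original post: rules for the LNK -> PowerShell -> MSI -> sideloading chain.
from dataclasses import dataclass
USER_WRITABLE = ("\\users\\", "\\temp\\")
EVASIVE_PS_FLAGS = ("-nop", "-w hidden", "-windowstyle hidden", "-enc", "-ep bypass")

@dataclass
class Event:
    kind: str          # "process" (creation) or "imageload" (DLL load)
    image: str         # full path of the executing process
    parent: str = ""   # parent process path (process events)
    cmdline: str = ""  # command line (process events)
    loaded: str = ""   # DLL path (imageload events)

def dirname(path):
    return path.replace("/", "\\").rsplit("\\", 1)[0].lower()
def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()
def in_user_writable(path):
    return any(marker in path.lower() for marker in USER_WRITABLE)

def match_rule(ev):
    """Return the name of the rule the event matches, or None."""
    img, parent, cmd = basename(ev.image), basename(ev.parent), ev.cmdline.lower()
    if ev.kind == "process":
        # An opened LNK makes Explorer spawn PowerShell with evasive flags.
        if img in ("powershell.exe", "pwsh.exe") and parent == "explorer.exe" \
                and any(flag in cmd for flag in EVASIVE_PS_FLAGS):
            return "lnk_style_powershell_launch"
        # Next-stage MSI installed from a user-writable location.
        if img == "msiexec.exe" and ".msi" in cmd and in_user_writable(cmd):
            return "msi_from_user_writable_path"
    elif ev.kind == "imageload":
        # Sideloading: DLL loaded from the process's own directory, which is user-writable.
        if dirname(ev.loaded) == dirname(ev.image) and in_user_writable(ev.loaded):
            return "dll_sideload_from_user_writable_dir"
    return None

def scan(events):  # (rule, process name) for every event that matches a rule
    return [(rule, basename(ev.image)) for ev in events if (rule := match_rule(ev))]

# Constructed sample telemetry mirroring the chain in the post (paths are invented).
PS = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
TMP = "C:\\Users\\victim\\AppData\\Local\\Temp\\pkg\\"
SAMPLE_EVENTS = [
    Event("process", PS, parent="C:\\Windows\\explorer.exe", cmdline="powershell.exe -nop -w hidden -c <stage>"),
    Event("process", "C:\\Windows\\System32\\msiexec.exe", parent=PS, cmdline="msiexec.exe /i " + TMP + "update.msi"),
    Event("imageload", TMP + "steam_monitor.exe", loaded=TMP + "crashhandler.dll"),
    Event("imageload", "C:\\Windows\\System32\\svchost.exe", loaded="C:\\Windows\\System32\\ntdll.dll"),
    Event("process", PS, parent="C:\\Windows\\explorer.exe", cmdline="powershell.exe"),
]
```

`scan(SAMPLE_EVENTS)` fires once per stage of the chain and stays silent for the system DLL load and the plain interactive PowerShell launch, since the sideloading rule keys on the loading directory being user-writable rather than on the file names alone.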


The OAuth redirect abuse campaign demonstrates how attackers increasingly target identity workflows rather than software vulnerabilities.

By leveraging trusted authentication providers such as Entra ID and Google Workspace, threat actors can craft phishing links that appear legitimate and evade many traditional security controls.


The technique highlights the growing importance of identity security and OAuth governance, particularly for government and public-sector organizations that rely heavily on cloud identity platforms.


Defending against this new generation of identity-based threats requires organizations to move beyond simple phishing detection and implement deeper monitoring of authentication flows, application permissions, and endpoint behavior across their environments.



The Hacker News

