Link-checking won’t save you from OAuth phishers.

Gyana Swain
7 Min Read

A phishing campaign identified by Microsoft sends links to genuine OAuth authorization endpoints that are built to fail, so that the identity provider's own error-handling redirect lands the user on an attacker-controlled site that distributes malware or harvests credentials.


Microsoft has issued a warning about a new phishing tactic. Threat actors are abusing a standards-compliant feature of the OAuth authorization protocol: when an authorization request fails, the identity provider sends the user's browser to the redirect URI registered for the requesting application. The links appear to originate from legitimate identity providers such as Microsoft Entra ID and Google Workspace, creating a false sense of security before the redirect delivers the victim to a harmful destination.

In a blog post, Microsoft’s Defender Security Research Team explained: “OAuth incorporates a legitimate function enabling identity providers to direct users to specific pages, often for error handling or other designated processes.” They further elaborated, “Malicious actors can misuse this inherent capability by designing URLs that leverage well-known identity providers, such as Entra ID or Google Workspace, employing altered parameters or linked harmful applications to reroute users to sites under their control.”

While Microsoft has taken action to disable multiple malicious OAuth applications involved in this scheme, the company cautions that similar campaigns persist, necessitating continuous vigilance and observation.

Understanding the Phishing Methodology

As described by Microsoft researchers in their blog post, these attacks typically commence with a phishing email. Common deceptive themes include fake e-signature requests, bogus HR communications, counterfeit Microsoft Teams meeting invitations, or fraudulent password reset notifications. The harmful links are either embedded directly within the email’s content or hidden inside attached PDF documents.

The deceptive link targets a genuine OAuth authorization endpoint but is deliberately built with parameters that cannot succeed. Attackers combine “prompt=none”, which asks the identity provider for silent authentication with no login prompt, with an invalid scope value. Because no interactive page may be shown, the authorization server fails the request immediately and, as the OAuth specification requires, delivers the error response to the redirect URI registered for the requesting application. That application was registered by the attacker, so its redirect URI points at a site they control. Hovering over the link shows the identity provider's trusted domain; the attacker's destination sits in the URL-encoded “redirect_uri” parameter.

The researchers noted in their blog post that “Even though this functionality adheres to established standards, adversaries are able to exploit it to divert users, via trustworthy authorization endpoints, to destinations orchestrated by them.”
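The following Python script is an added example, not Microsoft's code or its detection logic. It parses an emailed link, checks whether it targets a known authorization endpoint, and scores the combination the text describes: “prompt=none”, a scope outside what this tenant normally requests, and a redirect URI outside the organisation's own domains. A second function simulates the error redirect an authorization server performs under RFC 6749 section 4.1.2.1 so the landing page becomes visible. The authorization endpoint hostnames are real; the scope allowlist, trusted domains, client_id values and sample links are all constructed assumptions.

```python
"""Triage an emailed link against the OAuth error-redirect pattern.

Added example, not Microsoft's code or detection logic. The authorization
endpoint hostnames are real; the scope allowlist, trusted domains, client_id
values and sample URLs below are constructed for illustration.
"""
from urllib.parse import parse_qs, urlencode, urlparse

# Authorization endpoints whose hostname lends the link its credibility.
KNOWN_AUTHZ_HOSTS = {"login.microsoftonline.com", "accounts.google.com"}

# Scopes an ordinary sign-in to this tenant is expected to request
# (assumption: tuned per tenant; anything else counts as "unexpected").
EXPECTED_SCOPES = {"openid", "profile", "email", "offline_access", "user.read"}

# Domains the organisation owns and would register as a redirect_uri (assumption).
TRUSTED_REDIRECT_DOMAINS = {"example-corp.com"}


def _host_in(host, domains):
    """True if host equals, or is a subdomain of, one of the domains."""
    host = (host or "").lower()
    return any(host == d or host.endswith("." + d) for d in domains)


def analyze_oauth_link(url):
    """Return the signals that matter and a verdict for one link.

    high   : real authorization endpoint + prompt=none + (unexpected scope or
             redirect_uri outside trusted domains); the pattern in the text
    medium : real authorization endpoint but redirect_uri is not ours
    low    : looks like an ordinary sign-in for this tenant
    """
    u = urlparse(url)
    params = {k: v[0] for k, v in parse_qs(u.query).items()}
    path = u.path.lower()
    is_authz = (u.hostname or "").lower() in KNOWN_AUTHZ_HOSTS and (
        "/authorize" in path or path.endswith("/auth")
    )
    redirect = urlparse(params.get("redirect_uri", ""))
    scopes = set(params.get("scope", "").lower().split())
    unexpected = sorted(s for s in scopes if s not in EXPECTED_SCOPES)

    result = {
        "authz_endpoint": is_authz,
        "prompt_none": params.get("prompt", "").lower() == "none",
        "unexpected_scopes": unexpected,
        "redirect_host": redirect.hostname,
        "redirect_trusted": _host_in(redirect.hostname, TRUSTED_REDIRECT_DOMAINS),
    }
    if not is_authz:
        result["verdict"] = "not-an-oauth-link"
    elif result["prompt_none"] and (unexpected or not result["redirect_trusted"]):
        result["verdict"] = "high"
    elif not result["redirect_trusted"]:
        result["verdict"] = "medium"
    else:
        result["verdict"] = "low"
    return result


def simulate_error_redirect(url, error="invalid_scope"):
    """Where the browser lands when the IdP rejects the request.

    Simulation of the RFC 6749 section 4.1.2.1 behaviour: once redirect_uri
    matches one registered on the application, the error response is delivered
    to that URI, so the user ends up on the attacker's site. This is not a
    reproduction of any provider's exact response.
    """
    params = {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}
    target = params.get("redirect_uri")
    if not target:
        return None  # no redirect_uri: the IdP shows its own error page instead
    err = {"error": error}
    if "state" in params:
        err["state"] = params["state"]  # state is echoed back unchanged
    return target + ("&" if "?" in target else "?") + urlencode(err)


# Constructed sample links (not real indicators from the campaign).
MALICIOUS_LINK = (
    "https://login.microsoftonline.com/common/oauth2/v2.0/authorize"
    "?client_id=CONSTRUCTED-CLIENT-ID&response_type=code"
    "&redirect_uri=https%3A%2F%2Fdocs-share.example.net%2Fcallback"
    "&scope=openid%20files.not-a-real-scope&prompt=none&state=inv-4821"
)
BENIGN_LINK = (
    "https://login.microsoftonline.com/common/oauth2/v2.0/authorize"
    "?client_id=CONSTRUCTED-CLIENT-ID&response_type=code"
    "&redirect_uri=https%3A%2F%2Fmail.example-corp.com%2Fauth%2Fcallback"
    "&scope=openid%20profile%20email&state=8f2c"
)

if __name__ == "__main__":
    for link in (MALICIOUS_LINK, BENIGN_LINK):
        r = analyze_oauth_link(link)
        print(r["verdict"], r["redirect_host"], r["unexpected_scopes"])
    print(simulate_error_redirect(MALICIOUS_LINK))
```

The verdict deliberately weights the redirect host over the visible hostname: a “low” result still means the link goes to the identity provider, only that the application it names and the scopes it asks for look like this tenant's own sign-in flow. Anything “medium” or above is worth checking against the tenant's app registrations before a user clicks it.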

Sanchit Vir Gogia, chief analyst at Greyhound Research, commented that this method signifies a fundamental change in how attackers target identity systems. He explained, “The initial redirect is genuine. The web browser functions as expected. The identity provider operates correctly. The trust indicator appears authentic.” He concluded, “This elevates phishing from mere brand-level deception to sophisticated manipulation within the workflow itself.”

Microsoft’s blog post detailed a specific campaign where the redirection resulted in a ZIP archive being downloaded to the victim’s device. This archive contained a malicious shortcut file. Executing this file initiated a PowerShell script, which proceeded to execute reconnaissance commands and establish a connection to a server managed by the attacker. Microsoft characterized the subsequent actions as indicative of pre-ransomware activities.

The blog post also described campaigns in which the redirect delivered victims to ‘adversary-in-the-middle’ (AiTM) phishing frameworks such as EvilProxy, which proxy the real login page in order to steal credentials and session cookies.

New Warning Sign: Focus on Context, Not Just URLs

Sakshi Grover, a Senior Research Manager at IDC Asia/Pacific, pointed out that the traditional cybersecurity advice of hovering over a link to inspect its domain is largely outdated. This guidance, she explained, was formulated for an era dominated by deceptive lookalike domains and is less effective now, especially in environments where authentication processes regularly utilize trusted identity providers.

Grover advised, “Enterprises must evolve their awareness training from instructing users to ‘check the link’ to urging them to ‘validate the context.’ Personnel ought to be educated to critically assess if an authentication request is anticipated, if it corresponds with ongoing business operations, and if the permissions sought by the application are logical.”

Gogia further suggested that organizations need to implement more profound changes, altering fundamental user behavior. He stated, “Authentication processes should never be initiated from unexpected incoming links.” He emphasized, “Authentication ought to commence from designated, secure entry points, rather than being triggered by emails.” He also advocated for making the reporting of unanticipated login attempts effortless, highlighting that prompt reporting is more critical than an individual’s self-assuredness in their assessment.

The Exploited Governance Deficit

Both experts identified a more profound structural vulnerability exploited by this campaign: deficiencies in OAuth application governance.

IDC’s Grover observed that the level of governance maturity varies significantly among organizations. She noted, “Widespread default consent configurations and insufficient oversight of redirect URIs are still prevalent, especially in settings where the rapid adoption of cloud and SaaS solutions has outstripped the implementation of robust identity governance controls.”

Gogia from Greyhound Research highlighted that the full extent of this issue is often underestimated. He explained, “Each SaaS integration, automation workflow, and collaboration tool likely necessitates an application registration. Consequently, over time, tenants accumulate hundreds or even thousands of registered applications. The redirect URIs are established during initial configuration and are seldom reviewed.” He then pointed out, “While telemetry data is available, proper interpretation is lacking.”

In their blog post, Microsoft recommended that organizations restrict user consent for third-party OAuth applications, routinely review app permissions, and decommission applications that are redundant or hold excessive privileges. The post also listed 16 client IDs associated with the threat actors' malicious applications, together with a compilation of initial redirection URLs, as indicators of compromise. For Microsoft Defender XDR customers, it supplied Kusto Query Language (KQL) hunting queries to surface related activity across email, identity, and endpoint data.
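Reviewing redirect URIs across hundreds of app registrations is the kind of check that is easy to describe and rarely done. The script below is an added example, not Microsoft's tooling: it consumes application objects in the shape Microsoft Graph returns from GET https://graph.microsoft.com/v1.0/applications (the web, spa and publicClient sections each carry a redirectUris list) and flags every redirect URI that points outside the tenant's own domains, uses a wildcard host, or is not HTTPS. The sample records and the trusted-domain list are constructed assumptions; loopback addresses are exempted because native clients legitimately use them.

```python
"""Audit app registrations for redirect URIs that point outside the tenant.

Added example, not Microsoft's tooling. Input is a list of application
objects in the shape returned by GET https://graph.microsoft.com/v1.0/applications
(fields web.redirectUris, spa.redirectUris, publicClient.redirectUris). The
records below are constructed and the trusted-domain list is an assumption.
"""
import json
from urllib.parse import urlparse

# Domains the organisation owns (assumption: maintained alongside DNS records).
TRUSTED_REDIRECT_DOMAINS = {"example-corp.com"}

# Loopback redirects are legitimate for native/public clients; do not flag them.
LOOPBACK_HOSTS = {"localhost", "127.0.0.1", "::1"}

# Constructed sample in the shape of a Graph /applications response.
SAMPLE_APPLICATIONS = json.loads("""
[
  {"appId": "app-0001", "displayName": "HR Portal",
   "web": {"redirectUris": ["https://hr.example-corp.com/signin-oidc"]},
   "spa": {"redirectUris": []}, "publicClient": {"redirectUris": []}},
  {"appId": "app-0002", "displayName": "Doc Share Integration",
   "web": {"redirectUris": ["https://docs-share.example.net/callback"]},
   "spa": {"redirectUris": ["https://docs-share.example.net/spa"]},
   "publicClient": {"redirectUris": []}},
  {"appId": "app-0003", "displayName": "Legacy Dev Tool",
   "web": {"redirectUris": ["http://dev.example-corp.com/cb",
                            "https://*.example-corp.com/cb"]},
   "spa": {"redirectUris": []},
   "publicClient": {"redirectUris": ["http://localhost:8400/cb"]}}
]
""")


def _host_in(host, domains):
    """True if host equals, or is a subdomain of, one of the domains."""
    host = (host or "").lower()
    return any(host == d or host.endswith("." + d) for d in domains)


def _redirect_uris(app):
    """Yield (platform, uri) for every platform section Graph exposes."""
    for platform in ("web", "spa", "publicClient"):
        for uri in (app.get(platform) or {}).get("redirectUris", []):
            yield platform, uri


def _check_uri(uri, trusted):
    """Return the list of reasons a single redirect URI deserves review."""
    parsed = urlparse(uri)
    host = (parsed.hostname or "").lower()
    reasons = []
    if "*" in host:
        reasons.append("wildcard host")
    elif not _host_in(host, trusted) and host not in LOOPBACK_HOSTS:
        reasons.append("host outside trusted domains")
    if parsed.scheme != "https" and host not in LOOPBACK_HOSTS:
        reasons.append("non-https")
    return reasons


def audit_redirect_uris(apps, trusted=TRUSTED_REDIRECT_DOMAINS):
    """One finding per redirect URI that fails any check."""
    findings = []
    for app in apps:
        for platform, uri in _redirect_uris(app):
            reasons = _check_uri(uri, trusted)
            if reasons:
                findings.append({
                    "appId": app.get("appId"),
                    "displayName": app.get("displayName"),
                    "platform": platform,
                    "uri": uri,
                    "reasons": reasons,
                })
    return findings


def apps_to_review(findings):
    """Distinct appIds with at least one finding, for the review queue."""
    return sorted({f["appId"] for f in findings})


if __name__ == "__main__":
    for f in audit_redirect_uris(SAMPLE_APPLICATIONS):
        print(f["appId"], f["platform"], f["uri"], ", ".join(f["reasons"]))
    print("review:", apps_to_review(audit_redirect_uris(SAMPLE_APPLICATIONS)))
```

Run against a real export, the same audit would also be the place to join in sign-in telemetry so that registrations with no recent activity, which Gogia's point about accumulated applications implies are common, can be queued for decommissioning rather than just review.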

Gogia cautioned that this technique will continue to be successful as long as organizations fail to address these vulnerabilities. He remarked, “This method doesn’t rely on cracking encryption; rather, it capitalizes on administrative oversight and inertia.”

This article was originally published by CSO Online.
