Microsoft: Hackers abuse OAuth error flows to spread malware

Hackers are abusing the legitimate OAuth redirection mechanism to bypass phishing protections in email clients and browsers and send users to malicious pages.

The attacks target government and public-sector organizations with phishing links that prompt users to authenticate to a malicious application, Microsoft Defender researchers say.

with e-signature requests, Social Security notices, meeting invitations, password resets, or various financial and political topics that contain OAuth redirect URLs. Sometimes, the URLs are embedded in PDF files to evade detection.

[Image] Microsoft 365 account warning lure. Source: Microsoft

Forcing risky redirections

OAuth applications are registered with an identity provider, such as Microsoft Entra ID, and leverage the OAuth 2.0 protocol to obtain delegated or application-level access to user data and resources.

In the campaigns observed by Microsoft, the attackers create malicious OAuth applications in a tenant they control and configure them with a redirect URI pointing to their infrastructure.

The researchers say that although the Entra ID URLs look like legitimate authorization requests, the endpoint is invoked with parameters that demand silent authentication (no interactive login) together with an invalid scope, which triggers an authorization error. Because the protocol returns such errors via redirect, the identity provider sends the user to the redirect URI configured by the attacker.

In some cases, the victims are redirected to phishing pages powered by attacker-in-the-middle frameworks such as EvilProxy, which can intercept valid session cookies to bypass multi-factor authentication (MFA) protections.

Microsoft found that the ‘state’ parameter was misused to auto-fill the victim’s email address in the credentials box on the phishing page, increasing the perceived sense of legitimacy.
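As a defender-side illustration of the request pattern described above (an added example, not Microsoft's code or tooling), the following Python heuristic inspects authorization URLs pulled from mail-gateway or proxy logs for the combination of prompt=none, a malformed scope, a redirect_uri outside an allow-list, and an email address carried in state. The allow-listed host, the scope-shape regex and the sample URLs are assumptions constructed for the example.

```python
import re
from urllib.parse import urlparse, parse_qs

# Assumed allow-list: hosts your own registered OAuth apps legitimately redirect to.
TRUSTED_REDIRECT_HOSTS = {"app.example.com"}

# Heuristic (assumption): well-formed scope tokens are standard OIDC scopes,
# Resource.Permission names such as User.Read, or full resource URIs.
_SCOPE_OK = re.compile(r"^(openid|profile|email|offline_access|[A-Za-z]\w*(\.\w+)+|https?://\S+)$")
_EMAIL = re.compile(r"[^@\s]+@[^@\s]+\.[^@\s]+")

# Constructed sample log entries: one abusive request, one ordinary one.
SAMPLE_URLS = [
    "https://login.microsoftonline.com/common/oauth2/v2.0/authorize?client_id=PLACEHOLDER"
    "&response_type=code&redirect_uri=https%3A%2F%2Fexample-attacker.test%2Fdownload"
    "&scope=not-a-real-scope&prompt=none&state=victim%40example.com",
    "https://login.microsoftonline.com/common/oauth2/v2.0/authorize?client_id=PLACEHOLDER"
    "&response_type=code&redirect_uri=https%3A%2F%2Fapp.example.com%2Fcallback"
    "&scope=openid%20profile%20User.Read&state=abc123",
]


def analyze_authorize_url(url, trusted_hosts=TRUSTED_REDIRECT_HOSTS):
    """Return a list of findings for an Entra ID /authorize URL (empty if nothing odd)."""
    u = urlparse(url)
    if not (u.hostname or "").endswith("login.microsoftonline.com") or "/authorize" not in u.path:
        return []  # not an authorization request; nothing to inspect
    q = {k: v[0] for k, v in parse_qs(u.query).items()}  # parse_qs percent-decodes values
    findings = []
    if q.get("prompt") == "none":
        findings.append("prompt=none: silent auth, so any error comes back as a redirect")
    bad = [s for s in q.get("scope", "").split() if not _SCOPE_OK.match(s)]
    if bad:
        findings.append(f"malformed scope token(s): {bad}")
    rhost = urlparse(q.get("redirect_uri", "")).hostname
    if rhost and rhost not in trusted_hosts:
        findings.append(f"redirect_uri host not allow-listed: {rhost}")
    if _EMAIL.search(q.get("state", "")):
        findings.append("state carries an email address (credential-box pre-fill lure)")
    return findings


def is_error_redirect_abuse(url, trusted_hosts=TRUSTED_REDIRECT_HOSTS):
    """True when silent auth is forced AND the error would land on a bad scope or untrusted host."""
    f = analyze_authorize_url(url, trusted_hosts)
    return any(x.startswith("prompt=none") for x in f) and any(
        x.startswith(("malformed scope", "redirect_uri host")) for x in f)
```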

[Image] OAuth redirect attack overview. Source: Microsoft

In other instances, the victims are redirected to a ‘/download’ path that automatically delivers a ZIP file with malicious shortcut (.LNK) files and HTML smuggling tools.

Opening the .LNK launches PowerShell, which performs reconnaissance on the compromised host and extracts the components required for the next step, DLL side-loading.

A malicious DLL (crashhandler.dll) decrypts and loads the final payload (crashlog.dat) into memory, while a legitimate executable (stream_monitor.exe) loads a decoy to distract the victim.

[Image] The malware attack chain. Source: Microsoft

Microsoft suggests that organizations should tighten permissions for OAuth applications, enforce strong identity protections and Conditional Access policies, and use cross-domain detection across email, identity, and endpoints.

The company highlights that the observed attacks are identity-based threats that abuse intended, standard-compliant OAuth behavior: the specification itself defines that authorization errors are returned to the client by redirecting to its registered redirect URI.

The researchers warn that threat actors are now triggering OAuth errors through invalid parameters, such as scope or prompt=none, to force silent error redirects as part of real-world attacks.
