Microsoft Warns: OAuth Redirects Fuel Malware Attacks
3 Mar
Summary
- Hackers exploit OAuth feature to deliver malware and steal credentials.
- Phishing emails impersonate Teams recordings or password resets.
- Payloads delivered via ZIP archives with LNK shortcuts and HTML smuggling.

Microsoft is warning organizations about a phishing campaign that abuses the redirect feature of OAuth, the authorization protocol behind third-party sign-ins. The attackers are emailing government and public sector entities with lures themed around Microsoft Teams recordings or Microsoft 365 password resets. The links in these emails point at a genuine OAuth sign-in flow but are crafted to fail, and the resulting OAuth error redirects the user to an attacker-controlled website. Because the link itself points at a legitimate sign-in domain while the real destination sits in the redirect, the attackers can rotate compromised landing pages quickly and evade security filters.

In one observed attack, the landing page served a ZIP archive containing LNK shortcut files. Opening a shortcut ran PowerShell commands that placed a malicious DLL next to a legitimate executable, which loaded it (DLL sideloading) to drop the final malware payload and open a command-and-control connection to an external server. The OAuth sign-in page was not used to harvest credentials; it served only as a trusted-looking conduit that delivered the victim to the malware.
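An OAuth authorization server delivers error responses to the request's redirect_uri (RFC 6749), so an authorize-endpoint link whose redirect_uri points at an untrusted host behaves like a redirector that happens to start on the identity provider's domain. The following triage helper, an added example rather than tooling from Microsoft or the campaign, flags such links when they appear in mail. The trusted-host allowlist, the all-zero client_id and the sample URLs are constructed for the demonstration; an organisation would populate the allowlist from its own app registrations.

```python
"""Triage helper: flag OAuth authorize links whose redirect_uri leaves the
organisation's trusted hosts. Added example, not Microsoft's tooling."""
from urllib.parse import parse_qs, unquote, urlsplit

# Hosts that serve the authorize endpoint (Microsoft Entra ID / consumer accounts).
IDP_HOSTS = {"login.microsoftonline.com", "login.live.com"}
AUTHORIZE_PATH_MARKERS = ("/oauth2/v2.0/authorize", "/oauth2/authorize")

# Constructed allowlist of hosts a legitimate redirect_uri may point to
# (assumption; build this from your own app registrations in practice).
TRUSTED_REDIRECT_HOSTS = {
    "login.microsoftonline.com",
    "teams.microsoft.com",
    "outlook.office.com",
}


def _host_allowed(host: str, allowed: set[str]) -> bool:
    """Exact or parent-domain match, so 'x.teams.microsoft.com' passes but
    'teams.microsoft.com.example.net' does not."""
    host = host.lower().rstrip(".")
    return any(host == a or host.endswith("." + a) for a in allowed)


def triage_link(url: str, allowed: set[str] = TRUSTED_REDIRECT_HOSTS) -> dict:
    """Return a verdict for one URL extracted from an email.

    Verdicts:
      not-oauth  : not an authorize-endpoint link, nothing to check here
      ok         : authorize link whose redirect_uri stays on trusted hosts
      review     : authorize link with no redirect_uri (falls back to the
                   app registration, so look at the client_id instead)
      suspicious : redirect_uri points at a host outside the allowlist
    """
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if host not in IDP_HOSTS or not any(m in parts.path for m in AUTHORIZE_PATH_MARKERS):
        return {"verdict": "not-oauth", "redirect_host": None}

    query = parse_qs(parts.query)
    # parse_qs decodes once; a second unquote catches double-encoded values
    # that mail rewriting or the sender may have left in place.
    redirect_uri = unquote(query.get("redirect_uri", [""])[0])
    if not redirect_uri:
        return {"verdict": "review", "redirect_host": None}

    redirect_host = (urlsplit(redirect_uri).hostname or "").lower()
    if redirect_host and _host_allowed(redirect_host, allowed):
        return {"verdict": "ok", "redirect_host": redirect_host}
    return {"verdict": "suspicious", "redirect_host": redirect_host}


# Constructed sample links for a quick self-check (not taken from the campaign).
SAMPLE_LINKS = [
    # Looks like a Microsoft sign-in, but any OAuth error lands on the attacker host.
    "https://login.microsoftonline.com/common/oauth2/v2.0/authorize"
    "?client_id=00000000-0000-0000-0000-000000000000&response_type=code"
    "&redirect_uri=https%3A%2F%2Fteams-recording.example.net%2Fcb&scope=openid",
    # Redirect stays on a trusted host.
    "https://login.microsoftonline.com/common/oauth2/v2.0/authorize"
    "?client_id=00000000-0000-0000-0000-000000000000&response_type=code"
    "&redirect_uri=https%3A%2F%2Fteams.microsoft.com%2Fauth&scope=openid",
    # Ordinary Teams link: not an authorize endpoint at all.
    "https://teams.microsoft.com/l/meetup-join/abc",
]

if __name__ == "__main__":
    for link in SAMPLE_LINKS:
        print(triage_link(link)["verdict"], link[:70])
```

A "suspicious" hit is worth more than the URL alone: Microsoft Entra ID only redirects to URIs registered on the application, so the client_id in a flagged link identifies an app registration whose reply URLs should be reviewed or whose consent should be revoked.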


