Cyber: Microsoft: Hackers Abuse Oauth Error Flows To Spread Malware

Hackers are abusing the legitimate OAuth redirection mechanism to bypass phishing protections in email clients and browsers and send users to malicious pages.

The attacks target government and public-sector organizations with phishing links that prompt users to authenticate to a malicious application, Microsoft Defender researchers say.

with e-signature requests, Social Security notices, meeting invitations, password resets, or various financial and political topics that contain OAuth redirect URLs. Sometimes, the URLs are embedded in PDF files to evade detection.

OAuth applications are registered with an identity provider, such as Microsoft Entra ID, and leverage the OAuth 2.0 protocol to obtain delegated or application-level access to user data and resources.

In the campaigns observed by Microsoft, the attackers create malicious OAuth applications in a tenant they control and configure them with a redirect URI pointing to their infrastructure.

The researchers say that although the URLs point to Entra ID and look like legitimate authorization requests, the authorize endpoint is invoked with parameters for silent authentication (no interactive login) and an invalid scope that triggers an authentication error. The identity provider then redirects the user to the redirect URI configured by the attacker, carrying the error rather than a token.

Microsoft found that the ‘state’ parameter, which is meant to be an opaque anti-CSRF value, was misused to auto-fill the victim’s email address in the credentials box on the phishing page, increasing the page’s perceived legitimacy.
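The two indicators described above (silent authentication with a scope the provider will reject, and a ‘state’ value carrying the victim’s address) can be checked for in any authorize URL extracted from an email. The following is an added example written for this page; it is not code from the article or from Microsoft. It assumes that the silent-authentication parameter is the OpenID Connect `prompt=none` (the article does not name the exact parameter), and the identity-provider hosts, the allowlist of known redirect hosts, the known scopes and the sample URLs are all constructed for illustration.

```python
"""Flag OAuth authorize URLs shaped like the error-redirect lure described above.

Added example; not from the article or from Microsoft. All lists and sample
URLs below are constructed assumptions for a hypothetical organisation.
"""
import re
from urllib.parse import parse_qs, urlparse

# Assumption: identity-provider authorize hosts we expect to see in mail.
IDP_HOSTS = {"login.microsoftonline.com", "login.windows.net"}

# Assumption: redirect hosts of applications the organisation actually uses.
# Any other redirect_uri host is reported as unknown.
KNOWN_REDIRECT_HOSTS = {"app.example-corp.invalid"}

# Assumption: scopes the organisation's sanctioned apps are expected to request.
# Resource-style scopes (https://...) are treated as known to keep the check simple.
KNOWN_SCOPES = {"openid", "profile", "email", "offline_access", "user.read"}

EMAIL_RE = re.compile(r"[^@\s]+@[^@\s]+\.[^@\s]+")


def analyze_authorize_url(url: str) -> list[str]:
    """Return risk indicators for an OAuth authorize URL (empty list if none apply)."""
    parsed = urlparse(url)
    findings: list[str] = []
    if parsed.hostname not in IDP_HOSTS or "/authorize" not in parsed.path:
        return findings  # not an authorize request; nothing to assess
    # parse_qs percent-decodes values; keep the first value of each parameter.
    q = {k: v[0] for k, v in parse_qs(parsed.query).items()}

    # Silent authentication: prompt=none suppresses interactive login.
    # Assumption: this is the "silent authentication" parameter the article refers to.
    if q.get("prompt") == "none":
        findings.append("silent-auth:prompt=none")

    # Redirect target outside the organisation's known application hosts.
    redirect_host = urlparse(q.get("redirect_uri", "")).hostname
    if redirect_host and redirect_host not in KNOWN_REDIRECT_HOSTS:
        findings.append(f"unknown-redirect:{redirect_host}")

    # A scope the provider rejects produces an error redirect to redirect_uri,
    # which is the mechanism the lure relies on.
    scopes = set(q.get("scope", "").lower().split())
    unknown = sorted(
        s for s in scopes if s not in KNOWN_SCOPES and not s.startswith("https://")
    )
    if unknown:
        findings.append("unknown-scope:" + ",".join(unknown))

    # state should be an opaque anti-CSRF value; an e-mail address in it is a
    # lure indicator (it is echoed back to the redirect page for auto-fill).
    if EMAIL_RE.search(q.get("state", "")):
        findings.append("state-contains-email")

    return findings


# Constructed sample URLs (not real campaign indicators).
LURE_URL = (
    "https://login.microsoftonline.com/common/oauth2/v2.0/authorize"
    "?client_id=00000000-0000-0000-0000-000000000000"
    "&response_type=code&prompt=none"
    "&redirect_uri=https%3A%2F%2Flure.example%2Fdownload"
    "&scope=openid%20not_a_real_scope"
    "&state=victim%40example.org"
)
BENIGN_URL = (
    "https://login.microsoftonline.com/common/oauth2/v2.0/authorize"
    "?client_id=11111111-1111-1111-1111-111111111111"
    "&response_type=code"
    "&redirect_uri=https%3A%2F%2Fapp.example-corp.invalid%2Fcallback"
    "&scope=openid%20profile%20User.Read"
    "&state=d41d8cd98f00b204"
)

if __name__ == "__main__":
    for label, url in (("lure", LURE_URL), ("benign", BENIGN_URL)):
        print(label, analyze_authorize_url(url))
```

Each indicator on its own is weak (legitimate apps use `prompt=none` for token refresh, and a new SaaS app will have an unknown redirect host), so the output is meant to be scored or combined with the mail's other attributes rather than blocked on outright; the combination of all four on one link is what matches the lure described in the article.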

In other instances, the victims are redirected to a ‘/download’ path that automatically delivers a ZIP file with malicious shortcut (.LNK) files and HTML smuggling tools.

Opening the .LNK launches PowerShell, which performs reconnaissance on the compromised host and extracts the components required for the next step, DLL side-loading.

A malicious DLL (crashhandler.dll) decrypts and loads the final payload (crashlog.dat) into memory, while a legitimate executable (stream_monitor.exe) loads a decoy to distract the victim.

Source: BleepingComputer