Microsoft Defender researchers have exposed a series of sophisticated phishing campaigns that exploit the inherent trust in the OAuth protocol. By manipulating legitimate URL redirection functionality, threat actors are successfully bypassing conventional email and browser security filters to deliver malicious payloads and conduct identity reconnaissance.
The attack begins with a subtle manipulation of how identity providers, such as Entra ID or Google Workspace, handle user redirection. OAuth includes a native feature that allows these providers to send users to a specific landing page after an authentication flow, typically used for error handling.
Threat actors are now weaponizing this “redirect URI” by crafting URLs that appear entirely benign. As the Microsoft report explains, “Attackers can abuse this native functionality by crafting URLs with popular identity providers… that use manipulated parameters or associated malicious applications to redirect users to attacker-controlled landing pages”. Because the initial link points to a trusted domain like microsoft.com or google.com, it often sails past security scanners that rely on domain reputation.
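A defender-side check that follows from this: because the lure link itself sits on a trusted identity-provider host, a filter has to look past the hostname and at where the post-authentication redirect actually lands. The triage script below is an added example, not code from the Microsoft report; the allow-list domain `contoso.example`, the attacker hosts on the reserved `.invalid` TLD and the sample links are all constructed, and the set of redirect parameters checked is a small starting set.

```python
from urllib.parse import parse_qs, unquote, urlsplit

# Identity-provider sign-in hosts that reputation filters normally trust.
IDP_HOSTS = {"login.microsoftonline.com", "accounts.google.com"}
# Query parameters that carry a post-authentication destination.
REDIRECT_PARAMS = ("redirect_uri", "post_logout_redirect_uri", "continue")
# Hypothetical allow-list: the organization's own sign-in return domains.
ALLOWED_SUFFIXES = ("contoso.example",)

def _host_of(url):
    """Lower-cased hostname of a URL, or '' if it has none."""
    return (urlsplit(url).hostname or "").lower().rstrip(".")

def _is_allowed(host):
    return host in IDP_HOSTS or any(
        host == s or host.endswith("." + s) for s in ALLOWED_SUFFIXES)

def analyze_oauth_link(url):
    """Classify one link as (verdict, redirect_host); verdicts are
    not_idp, no_redirect, ok or external_redirect."""
    if _host_of(url) not in IDP_HOSTS:
        return ("not_idp", None)
    params = parse_qs(urlsplit(url).query)
    # parse_qs decodes once; unquote again because targets are often double-encoded.
    targets = [unquote(v) for p in REDIRECT_PARAMS for v in params.get(p, [])]
    if not targets:
        return ("no_redirect", None)
    for target in targets:
        host = _host_of(target)
        # A relative or schemeless target cannot be vetted: treat it as external.
        if not host or not _is_allowed(host):
            return ("external_redirect", host or target)
    return ("ok", _host_of(targets[0]))

def triage(urls):
    """(link, redirect_host) for every link whose redirect leaves the allow-list."""
    results = ((u, analyze_oauth_link(u)) for u in urls)
    return [(u, host) for u, (verdict, host) in results if verdict == "external_redirect"]

# Constructed sample links; attacker hosts use the reserved .invalid TLD.
SAMPLE_LINKS = [
    "https://login.microsoftonline.com/common/oauth2/v2.0/authorize?client_id=app"
    "&response_type=code&scope=openid&redirect_uri=https%3A%2F%2Fportal.contoso.example%2Fauth",
    "https://login.microsoftonline.com/common/oauth2/v2.0/authorize?client_id=app"
    "&response_type=code&redirect_uri=https%3A%2F%2Fsignin.attacker.invalid%2Fdownload%2F",
    "https://accounts.google.com/o/oauth2/v2/auth?client_id=app"
    "&redirect_uri=https%3A%2F%2Fdocs.attacker.invalid%2F&response_type=code",
    "https://www.example.com/newsletter",
]
```

Running `triage(SAMPLE_LINKS)` surfaces only the two links whose redirect leaves the allow-list, which is the set a mail-security analyst would want queued for review rather than waved through on domain reputation alone.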
The investigation identified a specific five-stage attack chain that transitions from credential harvesting to full system compromise:
- The Lure: Attackers distribute phishing links prompting targets to authenticate a malicious application in an actor-controlled tenant.
- The Redirect: Once authenticated, the legitimate OAuth flow kicks in, but instead of a standard landing page, the victim is funneled to an attacker-controlled site.
- The Payload: Researchers observed a campaign where victims were sent to a specific /download/ path, where a ZIP file was automatically downloaded to the device.
Extraction of the malicious ZIP archives revealed a “hands-on-keyboard” level of sophistication. The archives contained LNK shortcut files that, when opened, triggered a PowerShell reconnaissance phase.
The most alarming discovery involved the abuse of legitimate software to hide malicious activity. “The script initiated host reconnaissance… [and] then launched the legitimate steam_monitor.exe, which was leveraged to side-load the malicious crashhandler.dll,” researchers noted. This malicious DLL then decrypted a data file (crashlog.dat) to execute the final payload in memory, establishing a persistent connection to the attackers’ command-and-control (C2) endpoint.
Microsoft has already moved to mitigate the threat by identifying and removing several malicious OAuth applications used in these campaigns. However, the use of legitimate redirection parameters remains a potent challenge for traditional defenses.