Microsoft has alerted organizations about a series of ongoing OAuth abuse scams that use phishing emails and URL redirects to infect victims' devices with malware. The warning, issued by the company's security researchers, notes that these scams predominantly target government and public-sector organizations.
Nature of the Threat
The phishing campaigns leverage legitimate features of the OAuth protocol, which is widely used to let users sign in to and authorize applications through a third-party identity provider. Attackers abuse OAuth's redirect functionality to craft links that, after passing through a genuine authorization endpoint, send users on to attacker-controlled landing pages, resulting in the download of malware onto their devices.
Phishing Tactics Employed
According to Microsoft, the phishing emails often contain enticing messages, such as requests for e-signatures, access to recordings of Teams meetings, or instructions for resetting Microsoft 365 passwords. These messages are designed to manipulate users into clicking on malicious links. The attackers have been observed using both free mass-sending tools and custom solutions developed in programming languages like Python and Node.js.
Technical Mechanisms of the Attack
In one documented campaign, the attackers aimed to deliver a malicious payload via an executable file that would grant them full access to the victim’s endpoint. The phishing links redirect victims from an OAuth authentication page to phishing-as-a-service websites, such as EvilProxy, allowing the criminals to capture users’ credentials and session cookies.
Response and Ongoing Risks
While Microsoft's Entra service has disabled the malicious OAuth applications, the company warns that related OAuth activity continues and requires ongoing monitoring. The attackers are not primarily focused on stealing access tokens; instead, they aim to trigger error codes during sign-in attempts so that the authorization endpoint redirects victims to the attacker's domain, where the malicious payload is served. Because the attackers control those redirect domains, they can quickly adapt when security measures block their previous infrastructure.
As these scams evolve, the implications for cybersecurity in the public sector are significant, necessitating increased vigilance and adaptive security measures to counteract these sophisticated phishing tactics.
This article was produced by NeonPulse.today using human and AI-assisted editorial processes, based on publicly available information. Content may be edited for clarity and style.