- Microsoft warns that hackers are abusing the OAuth redirection feature to deliver malware
- Phishing emails themed as Teams meeting recordings or Microsoft 365 password resets redirect victims to attacker-controlled websites
- Payload delivered via ZIP archives containing LNK shortcuts and HTML smuggling loaders; the final stage connects to an external C2 server
Hackers are abusing a redirection feature in OAuth to infect people’s computers with malware and steal their login credentials, Microsoft warns.
OAuth (short for Open Authorization) is an authorization framework that lets a user grant one application access to their account at another service without handing over their password. When a “Sign in with Google” popup appears, what you are seeing is usually OpenID Connect, a login layer built on top of OAuth.
Every OAuth application registers one or more redirect URIs with the identity provider. After the user’s browser visits the provider’s authorization endpoint, the provider sends the browser back to the requesting application’s registered redirect URI, and it does so whether or not the request succeeded: a malformed request that carries a valid, registered redirect URI is bounced there with an error code attached. That redirect, Microsoft says, is what is being abused.
Downloading the payload
In the recently observed attacks, the crooks sent phishing emails to government and public sector organizations, usually themed as Teams meeting recordings or Microsoft 365 password reset requests. Each email carried a link that, when clicked, started an OAuth authorization request whose carefully crafted parameters deliberately triggered an error.
This is not a flaw in OAuth but its normal behaviour: because the error is delivered by redirecting the browser to the requesting application’s registered redirect URI, and the attackers had registered an application whose redirect URI pointed at their own infrastructure, users landed on a hacker-owned phishing-as-a-service website where the malicious payloads were hosted.
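To make the mechanism concrete, here is an added example (written for this page, not code from the TechRadar article or from Microsoft). The first part models the authorization-endpoint behaviour that RFC 6749 prescribes: once the `redirect_uri` matches one registered for the client, a request with a bad parameter is answered with a 302 to that URI carrying `error=...`, with no sign-in or consent in between. The second part is a triage helper for links pulled out of mail or proxy logs, which flags authorization requests whose `redirect_uri` host is not on an allow-list. The client IDs, hosts, scope list, allow-list and URLs are all constructed for the example.

```python
"""Added example; not code from the TechRadar article or from Microsoft.

Part 1 models the behaviour of an OAuth 2.0 authorization endpoint that
makes the redirect usable for delivery: under RFC 6749 section 4.1.2.1, once
the redirect_uri matches one registered for the client, an invalid request
is answered by redirecting the browser to that redirect_uri with an error
code, with no sign-in or consent page in between. Part 2 is a triage helper
for links found in mail or proxy logs. Client IDs, hosts and URLs are all
constructed for the example.
"""
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed app registry: client_id -> redirect URIs registered for that app.
# The second entry stands in for an attacker-registered app whose redirect
# URI points at infrastructure the attacker controls.
REGISTERED_APPS = {
    "11111111-aaaa-4bbb-8ccc-000000000001": ["https://mail.corp.example/auth/callback"],
    "22222222-dddd-4eee-8fff-000000000002": ["https://cdn-files.attacker.example/cb"],
}
VALID_SCOPES = {"openid", "profile", "email", "User.Read"}  # constructed


def authorize(params: dict) -> tuple:
    """Minimal model of /authorize. Returns (http_status, location_header)."""
    client_id = params.get("client_id")
    redirect_uri = params.get("redirect_uri")
    registered = REGISTERED_APPS.get(client_id, [])
    # Unknown client or unregistered redirect_uri: RFC 6749 says do NOT
    # redirect, so the flow cannot be pointed at an arbitrary URL.
    if redirect_uri not in registered:
        return 400, ""

    def error_redirect(code: str) -> tuple:
        query = {"error": code}
        if "state" in params:
            query["state"] = params["state"]
        return 302, f"{redirect_uri}?{urlencode(query)}"

    # From here on every failure is delivered by redirecting the browser to
    # the registered redirect_uri. One deliberately bad parameter is enough.
    if params.get("response_type") != "code":
        return error_redirect("unsupported_response_type")
    if not set(params.get("scope", "").split()) <= VALID_SCOPES:
        return error_redirect("invalid_scope")
    # A real server would now show sign-in/consent; modelled here as success.
    return 200, ""


def triage_authorize_url(url: str, allowed_redirect_hosts: set) -> dict:
    """Flag an authorization-request URL whose redirect_uri host is not ours.

    The link host is the identity provider's legitimate domain, so reputation
    checks on it pass; the redirect_uri parameter is the tell.
    """
    u = urlparse(url)
    q = {k: v[0] for k, v in parse_qs(u.query).items()}
    is_authz = u.path.rstrip("/").lower().endswith("/authorize")
    redirect_host = (urlparse(q.get("redirect_uri", "")).hostname or "").lower()
    return {
        "is_authorize": is_authz,
        "client_id": q.get("client_id"),
        "redirect_host": redirect_host,
        "suspicious": is_authz and redirect_host not in allowed_redirect_hosts,
    }


# Constructed phishing link: IdP-looking host, the attacker's client_id, and
# a bogus scope so the IdP bounces the browser with error=invalid_scope.
PHISH_URL = (
    "https://login.idp.example/common/oauth2/v2.0/authorize"
    "?client_id=22222222-dddd-4eee-8fff-000000000002&response_type=code"
    "&redirect_uri=https%3A%2F%2Fcdn-files.attacker.example%2Fcb"
    "&scope=not.a.real.scope&state=x1"
)

if __name__ == "__main__":
    q = {k: v[0] for k, v in parse_qs(urlparse(PHISH_URL).query).items()}
    print(authorize(q))
    print(triage_authorize_url(PHISH_URL, {"mail.corp.example"}))
```

Running the script shows the browser being sent to `https://cdn-files.attacker.example/cb?error=invalid_scope&state=x1` without the user ever reaching a sign-in page; the triage function flags the same link because the redirect host is not on the allow-list even though the link itself points at the identity provider. In a real environment the allow-list would be the redirect hosts of the applications your tenant actually uses, and the same check can be applied to the `client_id` against the applications you have consented to.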
“By hosting the payload on an application redirect URI under their control, attackers can quickly rotate or change redirected domains when security filters block them,” Microsoft explained in a blog post.
In one observed attack, victims were redirected to a /download/XXXX path that served a ZIP file. The archive contained LNK shortcuts and HTML smuggling loaders; opening a shortcut ran a PowerShell command, which in turn ran discovery commands and launched a legitimate executable that sideloaded a malicious DLL to execute the final payload.
The result was an outbound connection to an external command-and-control (C2) endpoint.
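The delivery chain above leaves a recognisable shape in endpoint telemetry. The following is an added example (not from the article and not Microsoft's detection logic) that runs a heuristic over constructed events shaped loosely like Sysmon process-create and image-load records: it flags a DLL loaded from a user-writable directory by a process whose ancestry contains a PowerShell instance spawned by explorer.exe, which is how a double-clicked shortcut appears in process data. Every path, PID, command line and file name in the sample is made up; the directory markers and the ancestry rule are the example's own assumptions, not indicators from the campaign.

```python
"""Added example; not code from the article or from Microsoft's post.

A detection heuristic for the delivery chain described above, run over
constructed telemetry. Records are shaped loosely like Sysmon process-create
(event 1) and image-load (event 7) events, but every path, PID and file name
here is made up. A hit is a DLL loaded from a user-writable directory by a
process whose ancestry contains a PowerShell instance started by explorer.exe,
which is what a shortcut (LNK) double-click looks like in process telemetry.
"""
import ntpath
from dataclasses import dataclass

# Assumed markers for user-writable locations (crude, for the example).
USER_WRITABLE_MARKERS = ("\\users\\", "\\appdata\\", "\\temp\\", "\\programdata\\")


@dataclass
class Event:
    kind: str            # "process" (creation) or "imageload"
    pid: int
    ppid: int = 0        # parent PID, for "process" events
    image: str = ""      # executable path of the process
    cmdline: str = ""
    loaded: str = ""     # path of the loaded module, for "imageload" events


def is_user_writable(path: str) -> bool:
    """Crude check: path lives under a directory ordinary users can write to."""
    p = path.lower().replace("/", "\\")
    return any(m in p for m in USER_WRITABLE_MARKERS)


def ancestry(pid: int, procs: dict, max_depth: int = 8) -> list:
    """Process events from pid upward through its parents (oldest last)."""
    chain = []
    while pid in procs and len(chain) < max_depth:
        chain.append(procs[pid])
        pid = procs[pid].ppid
    return chain


def find_sideload_chains(events: list) -> list:
    """Return one dict per suspicious (loading process, DLL) pair."""
    procs = {e.pid: e for e in events if e.kind == "process"}
    hits = []
    for e in events:
        if e.kind != "imageload" or not e.loaded.lower().endswith(".dll"):
            continue
        if not is_user_writable(e.loaded) or e.pid not in procs:
            continue
        chain = ancestry(e.pid, procs)
        names = [ntpath.basename(p.image).lower() for p in chain]
        # A PowerShell whose direct parent is explorer.exe: the shape of a
        # user opening a shortcut from a downloaded archive.
        shell_from_shortcut = any(
            names[i] == "powershell.exe" and i + 1 < len(names) and names[i + 1] == "explorer.exe"
            for i in range(len(names))
        )
        if not shell_from_shortcut:
            continue
        loader = procs[e.pid]
        hits.append({
            "loader_pid": e.pid,
            "loader_image": loader.image,
            "dll": e.loaded,
            # Classic sideload: the DLL sits next to the executable that loads it.
            "same_dir": ntpath.dirname(loader.image).lower() == ntpath.dirname(e.loaded).lower(),
            "chain": names,
        })
    return hits


# Constructed sample telemetry (not real events from the campaign).
SAMPLE_EVENTS = [
    Event("process", pid=1000, ppid=500, image="C:\\Windows\\explorer.exe"),
    Event("process", pid=4100, ppid=1000,
          image="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
          cmdline="powershell.exe -w hidden -c <constructed>"),
    Event("process", pid=4120, ppid=4100,
          image="C:\\Users\\alice\\AppData\\Local\\Temp\\recording\\viewer.exe"),
    Event("imageload", pid=4100, loaded="C:\\Windows\\System32\\kernel32.dll"),
    Event("imageload", pid=4120,
          loaded="C:\\Users\\alice\\AppData\\Local\\Temp\\recording\\support.dll"),
    # Benign control: an installed app loading its own DLL from Program Files.
    Event("process", pid=5000, ppid=1000, image="C:\\Program Files\\Vendor\\app.exe"),
    Event("imageload", pid=5000, loaded="C:\\Program Files\\Vendor\\helper.dll"),
]

if __name__ == "__main__":
    for hit in find_sideload_chains(SAMPLE_EVENTS):
        print(hit)
```

On the sample, only the `viewer.exe` load of `support.dll` from the temp directory is reported, with the chain `viewer.exe -> powershell.exe -> explorer.exe` and `same_dir` true; the system DLL loaded by PowerShell and the Program Files load are ignored. The rule is deliberately narrow to keep false positives down; in production you would widen the user-writable markers, add `pwsh.exe` and `cmd.exe` as shell names, and join the hit to the outbound network event from the same PID to confirm the C2 stage.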
It is worth emphasizing that the victims did not lose their login credentials on the OAuth side; the flow was used purely as a redirect to get a payload dropped. For defenders, the practical consequence is that the link in the email points at the legitimate identity provider, so reputation checks on the link domain alone will not catch it: the requesting application and its redirect target are where to look. It is not yet known how widespread the campaign is or how many government organizations were affected.