- Microsoft warns that hackers are abusing OAuth redirect feature to distribute malware
- Phishing emails related to Teams recordings or 365 resets redirect victims to attacker-controlled sites
- Payloads sent via ZIP files with LNK shortcuts and HTML smuggling; the final stage connects to an external C2.
Hackers are abusing a redirect feature in OAuth to infect people’s computers with malware and steal their login credentials, Microsoft warns.
OAuth (short for Open Authorization) is a system that allows users to log into websites using their account from another service, without giving their password to that website. Whenever a “Sign in with Google” pop-up appears, it is most likely OAuth.
This system has a redirect feature that identity providers can use to send visitors to a different landing page, usually if the process fails, but Microsoft says this feature is being abused.
Downloading the payload
In recently detected attacks, criminals sent phishing emails to government and public sector organizations, typically related to Teams meeting recordings or Microsoft 365 password reset requests. These emails would contain a link with carefully crafted parameters that, if clicked, would open OAuth and cause an error.
Because of that error, users would be redirected to a phishing-as-a-service website owned by the attacker, where malicious payloads are hosted.
“By hosting the payload in an application redirect URI under their control, attackers can quickly rotate or change redirected domains when they are blocked by security filters,” Microsoft explained in a blog post.
In one observed attack, victims were redirected to a /download/XXXX path that downloaded a ZIP file. That file contained LNK shortcuts and HTML bootloaders, and when victims opened the shortcut files, they triggered a PowerShell command. That command in turn executed discovery commands and launched a legitimate executable which, with the help of a malicious side-loading DLL, executed the final payload.
The result was an outbound connection to an external C2 endpoint.
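The defender-side check this chain suggests is to inspect OAuth authorization links found in mail and flag any whose redirect URI points outside the organization's registered redirect hosts or looks like a file download. The example below is added here and is not code from the article or from Microsoft; the allowlists, the placeholder client_id and the sample links are all constructed assumptions.

```python
# Added example (not from the article): triage OAuth authorize links extracted from
# email for the redirect abuse described above. All hosts and links are constructed.
from urllib.parse import urlparse, parse_qs

# Hosts that legitimately serve OAuth authorization endpoints (assumption)
OAUTH_AUTHORIZE_HOSTS = {"login.microsoftonline.com", "login.live.com"}
# Redirect URI hosts the organization's registered apps are allowed to use (assumption)
ALLOWED_REDIRECT_HOSTS = {"app.example-corp.com", "localhost"}
# Path fragments that indicate the redirect target serves a payload rather than an app
SUSPICIOUS_PATH_MARKERS = ("/download/",)


def assess_oauth_link(url: str) -> dict:
    """Classify one URL: is it an OAuth authorize link, and does its redirect_uri
    point somewhere the organization does not control?"""
    parsed = urlparse(url)
    result = {"url": url, "is_oauth": False, "redirect_host": None, "reasons": []}
    if parsed.hostname not in OAUTH_AUTHORIZE_HOSTS or "/oauth2/" not in parsed.path:
        return result  # not an authorization endpoint, out of scope here
    result["is_oauth"] = True
    redirect_uri = parse_qs(parsed.query).get("redirect_uri", [None])[0]
    if redirect_uri is None:
        return result
    target = urlparse(redirect_uri)  # parse_qs already percent-decoded it
    result["redirect_host"] = target.hostname
    if target.hostname not in ALLOWED_REDIRECT_HOSTS:
        result["reasons"].append("redirect_uri host not in allowlist")
    if target.scheme != "https" and target.hostname != "localhost":
        result["reasons"].append("redirect_uri not https")
    if any(marker in target.path for marker in SUSPICIOUS_PATH_MARKERS):
        result["reasons"].append("redirect_uri path looks like a file download")
    return result


def triage(urls):
    """Return only the links that raised at least one reason."""
    return [r for r in map(assess_oauth_link, urls) if r["reasons"]]


# Constructed sample links: one legitimate, one abusing the redirect, one unrelated
SAMPLE_URLS = [
    "https://login.microsoftonline.com/common/oauth2/v2.0/authorize?client_id=00000000-0000-0000-0000-000000000000&response_type=code&redirect_uri=https%3A%2F%2Fapp.example-corp.com%2Fcallback&scope=openid",
    "https://login.microsoftonline.com/common/oauth2/v2.0/authorize?client_id=00000000-0000-0000-0000-000000000000&response_type=code&redirect_uri=https%3A%2F%2Fteams-recording.example.invalid%2Fdownload%2Fabcd&scope=openid",
    "https://contoso.example/news",
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_URLS):
        print(hit["url"], "->", hit["redirect_host"], hit["reasons"])
```

Because the redirect target is a registered application property, the same allowlist can be applied to the tenant's app registrations to catch attacker-controlled redirect URIs before any email is sent.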
It is worth emphasizing that the victims did not lose their login credentials on the OAuth page; it was only used as a redirect to deliver a payload. At this time, we do not know how widespread the campaign is or how many government organizations were affected.