OAuth Error Flows Weaponized: Identity Redirects as Malware Delivery

Microsoft researchers have uncovered a new phishing technique that abuses OAuth redirection mechanisms to bypass traditional protections and deliver malware. By exploiting how authorization errors are handled, attackers are turning a legitimate identity feature into a stealthy delivery channel.

How the Attack Works

  • Malicious OAuth apps: Threat actors register applications in tenants they control.
  • Redirect URI abuse: Apps are configured to point to attacker infrastructure.
  • Silent authentication: Invalid parameters (e.g., a bad scope, or prompt=none with no existing session) produce an OAuth error response, which the identity provider delivers by automatically redirecting the browser to the app's registered redirect URI.
  • Phishing payloads: Victims land on attacker‑in‑the‑middle (AiTM) pages built with frameworks like EvilProxy, which proxy the real login and intercept valid session cookies to bypass MFA.
  • Malware delivery: Some redirects lead to /download paths that drop ZIP files containing malicious .LNK shortcuts and HTML smuggling tools.

Attack Chain

  1. Phishing lure: Emails with OAuth redirect URLs disguised as e‑signature requests, password resets, or financial notices.
  2. Redirect error: Invalid OAuth parameters force an error redirect to the attacker‑controlled redirect URI.
  3. Phishing page: AiTM frameworks capture credentials and MFA tokens.
  4. Malware drop: ZIP file delivers .LNK → PowerShell → DLL side‑loading → final payload execution.
  5. Persistence: Decoy executables distract victims while malicious DLLs load encrypted payloads.

Why It Matters

  • Identity abuse: Attackers exploit intended OAuth behavior, not a bug.
  • MFA bypass: Session cookie theft undermines multi‑factor protections.
  • Cross‑domain risk: Campaigns span email, identity, and endpoint vectors.
  • Legitimacy illusion: Redirects appear to originate from trusted Microsoft Entra ID endpoints.

Defensive Recommendations

  • Tighten OAuth permissions: Limit app registration and enforce admin consent.
  • Conditional Access: Apply strong identity policies to block risky sign‑ins.
  • Cross‑domain detection: Correlate signals across email, identity, and endpoints.
  • User awareness: Train staff to scrutinize redirect URLs, even if they look legitimate.
  • Malware monitoring: Watch for .LNK and DLL side‑loading activity post‑redirect.
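One way to operationalize the "scrutinize redirect URLs" and cross‑domain detection advice above is to triage authorize links harvested from mail or proxy logs for the error‑redirect pattern. This is an added example, not code from the original post or from Microsoft; the allowlist, client IDs and sample links are constructed for illustration.

```python
"""Triage Entra ID authorize links for the OAuth error-redirect lure pattern.
Added example: allowlist, client IDs and sample links below are constructed."""
from urllib.parse import urlparse, parse_qs

# Constructed allowlist: redirect hosts your own registered apps legitimately use.
TRUSTED_REDIRECT_HOSTS = {"app.example-corp.test"}
ENTRA_AUTHORIZE_HOSTS = {"login.microsoftonline.com", "login.microsoft.com"}


def triage_oauth_link(url: str) -> dict:
    """Return {'is_authorize', 'redirect_host', 'flags'} for one link.
    The risky shape is an Entra authorize URL whose error response would
    bounce the browser to a redirect_uri the organisation does not control."""
    u = urlparse(url)
    params = {k: v[0] for k, v in parse_qs(u.query).items()}
    result = {"is_authorize": False, "redirect_host": None, "flags": []}
    if u.hostname not in ENTRA_AUTHORIZE_HOSTS or not u.path.endswith("/authorize"):
        return result  # not an authorize endpoint; nothing to triage here
    result["is_authorize"] = True
    target = urlparse(params.get("redirect_uri", ""))
    result["redirect_host"] = target.hostname
    if target.hostname and target.hostname not in TRUSTED_REDIRECT_HOSTS:
        result["flags"].append("redirect_uri host not on allowlist")
    if params.get("prompt") == "none":
        # prompt=none makes the provider answer with an error instead of a
        # login page, so the browser is sent to redirect_uri with no user click.
        result["flags"].append("prompt=none forces a silent error redirect")
    if target.path.rstrip("/").endswith("/download"):
        # The post notes redirects landing on /download paths that drop ZIPs.
        result["flags"].append("redirect lands on a /download path")
    return result


def suspicious_links(urls):
    """Return (url, flags) for every authorize link with an off-allowlist redirect."""
    out = []
    for url in urls:
        r = triage_oauth_link(url)
        if r["is_authorize"] and "redirect_uri host not on allowlist" in r["flags"]:
            out.append((url, r["flags"]))
    return out


SAMPLE_LINKS = [  # constructed examples, not real campaign indicators
    "https://login.microsoftonline.com/common/oauth2/v2.0/authorize?client_id=11111111-1111-1111-1111-111111111111&response_type=code&scope=openid&redirect_uri=https%3A%2F%2Fapp.example-corp.test%2Fcallback",
    "https://login.microsoftonline.com/common/oauth2/v2.0/authorize?client_id=22222222-2222-2222-2222-222222222222&response_type=code&scope=openid&prompt=none&redirect_uri=https%3A%2F%2Fdocs-esign.example.invalid%2Fdownload",
    "https://www.example-corp.test/docs",
]

if __name__ == "__main__":
    for url, flags in suspicious_links(SAMPLE_LINKS):
        print(url, flags)
```

Feed it the `redirect_uri` values from your own app registrations as the allowlist; any authorize link in mail that redirects elsewhere is worth correlating with sign‑in and endpoint telemetry.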

Final Thought

This campaign highlights a critical truth: attackers don’t just exploit vulnerabilities — they exploit standards. For leaders, the takeaway is clear: identity protections must evolve beyond MFA, incorporating cross‑domain visibility and strict OAuth governance to counter adversaries who weaponize legitimate flows.
