Microsoft Flags Malware Delivery Tied to OAuth Login Phishing Campaign

Microsoft has warned that hackers are exploiting a legitimate feature of OAuth to run a sophisticated phishing campaign. Rather than simply stealing login details, the attackers aim to deliver malware. They abuse a legitimate redirect function to move victims from trusted authentication pages to malicious sites. The campaign targets government and public sector organizations and uses carefully crafted emails to trigger the attack.

Microsoft warns its users of a new OAuth login phishing campaign

In a recent targeted wave of attacks, threat groups have been sending carefully crafted emails that appear to reference Teams meeting recordings or urgent Microsoft 365 password reset notices. Each message includes a link whose parameters have been manipulated to interact with the OAuth system. When recipients click the link, the legitimate login page appears, but the request deliberately triggers an error. That error invokes the redirect feature, seamlessly forwarding users to a website controlled by the attackers.

Once redirected, users land on a phishing-as-a-service platform hosting malicious files. In one case, users were sent to a download path that delivered a compressed ZIP archive. Inside were shortcut files and HTML smuggling components that executed a hidden PowerShell command when opened. That command ultimately launches a legitimate executable paired with a side-loaded malicious DLL, and the resulting process establishes an outbound command-and-control connection.
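A defender-side check for the redirect pattern described above, added here as an example and not taken from Microsoft's report: it scans links found in mail or proxy log lines for OAuth authorization requests whose redirect target falls outside an allowlist. Parameter names (`redirect_uri`, `client_id`) follow the OAuth 2.0 specification; the identity-provider host, the allowlist, and the log lines are constructed assumptions, not indicators from the campaign.

```python
# Added defensive example, not code from Microsoft's report: flag OAuth
# authorize links whose redirect_uri points to a non-allowlisted host.
# Parameter names follow OAuth 2.0; hosts and log lines are assumptions.
import re
from urllib.parse import parse_qs, urlparse

# Assumption: the identity provider's login host and its authorize paths.
IDP_HOST = "login.microsoftonline.com"
AUTHORIZE_PATH = re.compile(r"/oauth2(?:/v2\.0)?/authorize$")
# Assumption: hosts that the tenant's registered apps legitimately redirect to.
ALLOWED_REDIRECT_HOSTS = {"teams.microsoft.com", "portal.example.org"}
URL_RE = re.compile(r"https?://[^\s\"'<>]+")


def redirect_host(url: str):
    """Return the redirect_uri host of an OAuth authorize URL, else None."""
    p = urlparse(url)
    if p.hostname != IDP_HOST or not AUTHORIZE_PATH.search(p.path):
        return None                      # not an authorize request
    target = parse_qs(p.query).get("redirect_uri", [None])[0]
    if target is None:
        return None                      # no redirect_uri to check
    return urlparse(target).hostname or ""


def is_suspicious_link(url: str) -> bool:
    """True when the authorize URL would bounce the user to an unknown host."""
    host = redirect_host(url)
    if host is None:
        return False
    # Allow exact matches and subdomains of allowlisted hosts only.
    return not any(host == a or host.endswith("." + a) for a in ALLOWED_REDIRECT_HOSTS)


def flag_log_lines(lines):
    """Return (line_no, url) for every line carrying a suspicious link."""
    hits = []
    for n, line in enumerate(lines, 1):
        hits.extend((n, u) for u in URL_RE.findall(line) if is_suspicious_link(u))
    return hits


# Constructed sample log lines, not real campaign indicators.
SAMPLE_LOG = [
    'mail id=1 subject="Teams recording" url=https://login.microsoftonline.com/common/oauth2/v2.0/authorize?client_id=app1&response_type=code&redirect_uri=https%3A%2F%2Fteams.microsoft.com%2Fcb&scope=openid',
    'mail id=2 subject="Password reset" url=https://login.microsoftonline.com/common/oauth2/v2.0/authorize?client_id=app2&response_type=code&redirect_uri=https%3A%2F%2Fattacker-controlled.example%2Fdl&scope=openid',
    'mail id=3 subject="Newsletter" url=https://portal.example.org/news',
]

if __name__ == "__main__":
    for n, url in flag_log_lines(SAMPLE_LOG):
        print(f"line {n}: redirect_uri outside allowlist in {url}")
```

Because the login host and path are genuine in this pattern, URL-reputation checks on the link itself pass; the redirect target is the field worth inspecting.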

In the same report, Microsoft added that the OAuth login page itself was not responsible for credential theft in these incidents. The authentication process functioned as designed, and the victims did not surrender their passwords on the official screen. Instead, the redirect capability was misused purely as a delivery mechanism for malware.

The tech giant has urged organizations to strengthen their email filtering systems, review application redirect configurations, and educate staff about advanced phishing tactics. The scale of the campaign remains unclear for now. However, officials believe vigilance is critical, as threat actors are adopting advanced techniques to trick victims into installing unknown malware files.
