DEV Community

Mark0

Microsoft: Hackers abuse OAuth error flows to spread malware

Threat actors are leveraging the legitimate OAuth 2.0 redirection mechanism to conduct sophisticated phishing campaigns targeting government and public-sector entities. By registering malicious OAuth applications within attacker-controlled tenants, adversaries exploit the standard behavior of identity providers like Microsoft Entra ID. They intentionally trigger authentication errors via invalid parameters, forcing the provider to redirect victims to malicious infrastructure.
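The mechanism described above leaves a usable trace on the defender's side: the authorization request names a `redirect_uri`, and the provider's error response is a redirect to that same URI carrying an `error` parameter. The following Python script is an added example (not code from the article, from Microsoft, or from any named framework) that scans a constructed proxy log for authorize requests to the provider's endpoint whose redirect target lies outside an allowlist, and for error redirects to such hosts. The log format, the allowlist, the `client_id` values and the `lure.example.net` host are all constructed for the example and are not indicators from the article.

```python
"""Flag OAuth authorization requests and provider error redirects whose
target host is outside an allowlist.  Added example: the log format,
allowlist and hostnames below are constructed, not from the article."""
import re
from urllib.parse import parse_qs, urlparse

# Assumption: the only hosts that apps registered in our tenant may use as redirect targets.
ALLOWED_REDIRECT_HOSTS = {"app.example-corp.com"}

# Standard authorization endpoint paths of the identity provider named in the article.
IDP_HOST = "login.microsoftonline.com"
AUTHORIZE_RE = re.compile(r"^/[^/]+/oauth2/(?:v2\.0/)?authorize$")

# Constructed proxy log lines: "<timestamp> <user> <method> <url> <status> <location-or-dash>"
LOG_LINES = [
    "2024-01-01T10:00:00Z bob GET https://login.microsoftonline.com/common/oauth2/v2.0/authorize"
    "?client_id=00000000-0000-0000-0000-000000000001&response_type=code"
    "&redirect_uri=https%3A%2F%2Fapp.example-corp.com%2Fcallback&scope=openid 200 -",
    "2024-01-01T10:01:00Z alice GET https://login.microsoftonline.com/common/oauth2/v2.0/authorize"
    "?client_id=00000000-0000-0000-0000-000000000002&response_type=code"
    "&redirect_uri=https%3A%2F%2Flure.example.net%2Fcb&scope=openid 302 "
    "https://lure.example.net/cb?error=invalid_request&error_description=constructed+sample",
    "2024-01-01T10:02:00Z carol GET https://www.example.com/ 200 -",
]


def parse_line(line):
    """Split one log line into its six fields; return None for malformed lines."""
    parts = line.split(maxsplit=5)
    if len(parts) != 6:
        return None
    ts, user, method, url, status, location = parts
    return {"ts": ts, "user": user, "method": method, "url": url,
            "status": status, "location": location}


def is_authorize_request(url):
    """True when the URL is an authorization request to the provider's endpoint."""
    p = urlparse(url)
    return p.hostname == IDP_HOST and AUTHORIZE_RE.match(p.path) is not None


def inspect(rec):
    """Return the reasons an authorize request looks suspicious (empty list if none)."""
    reasons = []
    # The redirect_uri parameter is where the provider will send the user, success or error.
    query = parse_qs(urlparse(rec["url"]).query)
    redirect_uri = query.get("redirect_uri", [None])[0]
    if redirect_uri is not None:
        host = urlparse(redirect_uri).hostname
        if host not in ALLOWED_REDIRECT_HOSTS:
            reasons.append(f"redirect_uri points at untrusted host {host}")
    # An error response is itself a redirect carrying error=... to that same host.
    if rec["status"].startswith("3") and rec["location"] != "-":
        loc = urlparse(rec["location"])
        loc_query = parse_qs(loc.query)
        if "error" in loc_query and loc.hostname not in ALLOWED_REDIRECT_HOSTS:
            reasons.append(f"provider error '{loc_query['error'][0]}' "
                           f"redirected to untrusted host {loc.hostname}")
    return reasons


def analyze(lines):
    """Return one finding per suspicious authorize request seen in the log."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or not is_authorize_request(rec["url"]):
            continue
        reasons = inspect(rec)
        if reasons:
            findings.append({"ts": rec["ts"], "user": rec["user"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in analyze(LOG_LINES):
        print(finding["ts"], finding["user"], "; ".join(finding["reasons"]))
```

Run against the constructed lines, only `alice`'s request is flagged, on both counts: the `redirect_uri` is not an allowlisted host, and the provider's `302` answer carries `error=invalid_request` to that same host. In production the allowlist would be built from the redirect URIs registered on your own tenant's applications, and the user-level finding is what you would correlate with a later credential prompt or download.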

Once redirected, victims encounter credential-stealing pages powered by Adversary-in-the-Middle (AiTM) frameworks such as EvilProxy, which can bypass multi-factor authentication (MFA). Alternatively, the attack chain may lead to the delivery of ZIP files containing malicious LNK files and HTML smuggling tools. These components initiate a multi-stage infection process involving PowerShell reconnaissance and DLL side-loading to deploy final payloads while hiding behind legitimate processes.
