Microsoft has issued a warning about phishing campaigns that abuse OAuth URL redirection to get past traditional email and browser security controls. Rather than harvesting credentials, the attackers register malicious applications with identity providers such as Entra ID or Google Workspace and craft authorization requests whose parameters make the identity provider itself redirect the victim to attacker-controlled infrastructure hosting malware. Because the link the user clicks points at a legitimate sign-in domain, and the hop to the final destination is a normal OAuth redirect performed by the identity provider, reputation-based filtering has little to flag.
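The practical consequence for defenders is that the hostname of the clicked link is not the interesting part of such a URL: the authorization server forwards the browser to the request's redirect target whether the flow succeeds or fails, so the redirect target is what needs inspecting. The following is an added example, not code from Microsoft's advisory, showing a triage helper that parses authorization links (for instance from mail or proxy logs), extracts the client ID and redirect URI, and flags any redirect host that is not on an allowlist of hosts your tenant's registered applications legitimately use. The allowlist, client IDs and sample URLs are constructed for illustration.

```python
"""Triage OAuth authorization links for off-allowlist redirect targets.

Added example for illustration; the trusted hosts, client IDs and sample
URLs below are constructed and do not come from any real campaign.
"""
from urllib.parse import parse_qs, urlparse

# Authorization endpoints of the identity providers named in the article.
IDP_AUTHORIZE_HOSTS = {
    "login.microsoftonline.com",
    "login.microsoft.com",
    "accounts.google.com",
}

# Hypothetical allowlist: hosts your tenant's registered apps redirect to.
TRUSTED_REDIRECT_HOSTS = {"app.example.com", "portal.example.com"}


def triage_oauth_url(url: str, trusted_hosts=TRUSTED_REDIRECT_HOSTS) -> dict:
    """Classify one URL.

    verdict is one of:
      "not_oauth"  - not an authorization request to a known identity provider
      "trusted"    - redirect_uri is https and its host is on the allowlist
      "suspicious" - redirect_uri is missing, non-https or off-allowlist
                     (the pattern the article describes)
    """
    u = urlparse(url)
    if u.hostname not in IDP_AUTHORIZE_HOSTS or "oauth2" not in u.path.lower():
        return {"verdict": "not_oauth", "url": url}

    q = parse_qs(u.query)            # percent-decodes redirect_uri for us
    redirect = q.get("redirect_uri", [""])[0]
    r = urlparse(redirect)
    info = {
        "url": url,
        "client_id": q.get("client_id", [""])[0],
        "redirect_uri": redirect,
        "redirect_host": r.hostname or "",
        "scope": q.get("scope", [""])[0],
    }
    # The IdP will send the browser to redirect_uri even on an error such as a
    # declined consent prompt, so an unknown host here is the real risk signal.
    if r.scheme != "https" or info["redirect_host"] not in trusted_hosts:
        info["verdict"] = "suspicious"
    else:
        info["verdict"] = "trusted"
    return info


def suspicious_urls(urls):
    """Return the triage records for every URL classified as suspicious."""
    return [t for t in (triage_oauth_url(u) for u in urls) if t["verdict"] == "suspicious"]


# Constructed sample links: one legitimate, one abusing the redirect, one unrelated.
SAMPLE_URLS = [
    "https://login.microsoftonline.com/common/oauth2/v2.0/authorize"
    "?client_id=00000000-0000-0000-0000-000000000001&response_type=code"
    "&redirect_uri=https%3A%2F%2Fapp.example.com%2Fcallback&scope=openid",
    "https://login.microsoftonline.com/common/oauth2/v2.0/authorize"
    "?client_id=00000000-0000-0000-0000-000000000002&response_type=code"
    "&redirect_uri=https%3A%2F%2Fcdn-updates.example.net%2Fdownload&scope=openid",
    "https://www.example.com/login?next=%2Fhome",
]

if __name__ == "__main__":
    for rec in suspicious_urls(SAMPLE_URLS):
        print(rec["verdict"], rec["client_id"], rec["redirect_host"])
```

Pair the allowlist with an inventory of the redirect URIs actually registered on your own app registrations; a redirect to a host that is on nobody's registration is exactly the case worth paging on.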
Once the user has been redirected, the attack typically proceeds to the download of a ZIP archive containing a Windows shortcut (LNK). Opening the shortcut starts a chain that includes PowerShell-based host reconnaissance and DLL side-loading, in which a legitimate binary such as steam_monitor.exe loads an attacker-supplied DLL placed alongside it. From there the threat actors establish command-and-control (C2) connections and carry out hands-on-keyboard activity or prepare for ransomware deployment.
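Each stage of that chain leaves endpoint telemetry that can be matched without knowing the specific payload. The following is an added example, not Microsoft's detection content, that runs two checks over constructed process-creation and image-load events: a PowerShell process whose parent is explorer.exe (the parent when a user double-clicks a shortcut) started with hidden or encoded-command switches, and a known side-loading host binary running from a user-writable directory while loading an unsigned DLL from that same directory. The event schema, paths and DLL name are hypothetical.

```python
"""Detect the LNK -> PowerShell -> DLL side-loading chain in endpoint events.

Added example over constructed events; the schema, file paths and module
names are hypothetical and not taken from any real incident.
"""
from dataclasses import dataclass
import ntpath

# Directories a standard user can write to. A legitimate binary running from
# here rather than from its install location is the first side-loading hint.
USER_WRITABLE_PREFIXES = ("c:\\users\\", "c:\\programdata\\", "c:\\temp\\")

# Legitimate binaries the article names as side-loading hosts (extend as needed).
SIDELOAD_HOSTS = {"steam_monitor.exe"}

# PowerShell switches typical of a shortcut-launched reconnaissance stage.
SUSPICIOUS_PS_FLAGS = ("-enc", "-encodedcommand", "-w hidden",
                       "-windowstyle hidden", "-nop", "-noprofile")


@dataclass
class Event:
    """Minimal normalised endpoint event (constructed; not a real log schema)."""
    kind: str                  # "process" (creation) or "imageload"
    image: str                 # process image path
    parent: str = ""           # parent image path (process events)
    cmdline: str = ""          # command line (process events)
    module: str = ""           # loaded module path (imageload events)
    module_signed: bool = True # loaded module carries a trusted signature


def _base(path: str) -> str:
    return ntpath.basename(path).lower()


def _dir(path: str) -> str:
    return ntpath.dirname(path).lower()


def is_user_writable(path: str) -> bool:
    return path.lower().startswith(USER_WRITABLE_PREFIXES)


def detect(events):
    """Return (rule, image, detail) tuples for events matching the chain."""
    findings = []
    for e in events:
        name = _base(e.image)
        if e.kind == "process" and name in ("powershell.exe", "pwsh.exe"):
            cl = e.cmdline.lower()
            if _base(e.parent) == "explorer.exe" and any(f in cl for f in SUSPICIOUS_PS_FLAGS):
                findings.append(("lnk_launched_powershell", e.image, e.cmdline))
        elif e.kind == "imageload" and name in SIDELOAD_HOSTS:
            same_dir = _dir(e.module) == _dir(e.image)
            if is_user_writable(e.image) and same_dir and not e.module_signed:
                findings.append(("dll_sideload", e.image, e.module))
    return findings


# Constructed events: two malicious, two benign controls.
SAMPLE_EVENTS = [
    Event("process", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
          parent=r"C:\Windows\explorer.exe",
          cmdline="powershell.exe -nop -w hidden -enc QQBCAEMA"),  # constructed
    Event("imageload", r"C:\Users\alice\Downloads\invoice\steam_monitor.exe",
          module=r"C:\Users\alice\Downloads\invoice\helper.dll",  # hypothetical name
          module_signed=False),
    Event("imageload", r"C:\Program Files\Example\steam_monitor.exe",
          module=r"C:\Windows\System32\version.dll", module_signed=True),
    Event("process", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
          parent=r"C:\Windows\System32\cmd.exe", cmdline="powershell.exe Get-Date"),
]

if __name__ == "__main__":
    for rule, image, detail in detect(SAMPLE_EVENTS):
        print(f"{rule}: {image} :: {detail}")
```

The side-loading check deliberately keys on location and signature rather than on a particular DLL name, since the name is the easiest thing for the operator to change between campaigns; the PowerShell check keys on the explorer.exe parent, which is what distinguishes a shortcut launch from an administrator's console session.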