
"Criminals can abuse the feature by creating URLs with Microsoft Entra ID, Google Workspace, or another identity provider that redirect users to attacker-controlled landing pages where they unknowingly download malware. In one campaign documented by Microsoft, the miscreants attempted to deliver a malicious payload containing an executable file that gave attackers full access to the victim's endpoint."
"All of these campaigns begin with a phishing email, the text of which includes e-signature requests, the chance to access recordings of Teams meetings, Microsoft 365 password reset instructions, and political themes to trick users into clicking the malicious link."
"Indicators suggest these actors used free prebuilt mass-sending tools as well as custom solutions developed in Python and Node.js."
Microsoft security researchers identified coordinated OAuth abuse campaigns targeting government and public-sector organizations through phishing emails containing malicious URL redirects. Attackers exploit OAuth's legitimate redirect feature by creating URLs that appear to come from identity providers such as Microsoft Entra ID or Google Workspace and that send users on to attacker-controlled landing pages where malware is downloaded. The phishing emails use social engineering lures including e-signature requests, Teams meeting recordings, password reset instructions, and political themes to deceive victims. The malicious payloads grant attackers full access to the endpoint. The attackers employed both free mass-sending tools and custom solutions built with Python and Node.js. Microsoft Entra disabled the malicious OAuth applications, though related activity continues and requires ongoing monitoring.
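The lure described above works because the link genuinely points at an identity provider's authorization endpoint; only the redirect destination is hostile. One defensive check is to parse such links out of inbound mail and flag any IdP authorization URL whose redirect target lands outside an allowlist of the organisation's own domains. The following is an added example, not code from Microsoft or The Register; it assumes the destination is carried in the standard OAuth 2.0 `redirect_uri` query parameter (the page does not name the parameter), uses the two IdP hostnames as an illustrative list, and the email text and allowlist are constructed sample data.

```python
import re
from urllib.parse import urlparse, parse_qs

# Identity-provider authorization hosts whose links we inspect. Assumption: a short
# illustrative list covering the two providers the page names; extend for your tenant.
IDP_HOSTS = {
    "login.microsoftonline.com",   # Microsoft Entra ID
    "accounts.google.com",         # Google Workspace
}

# Query parameters that carry a post-authorization destination. redirect_uri is the
# standard OAuth 2.0 parameter; the other names are assumed extras worth checking.
REDIRECT_PARAMS = ("redirect_uri", "redirect_url", "return_url", "RelayState")

# Domains a legitimate redirect is allowed to land on (constructed allowlist).
ALLOWED_REDIRECT_DOMAINS = {"example-corp.com"}

URL_RE = re.compile(r"https?://[^\s<>\"']+")


def _host_allowed(host, allowed):
    """True if host equals or is a subdomain of any allowlisted domain."""
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in allowed)


def redirect_targets(url):
    """Return redirect destinations embedded in an IdP authorization URL, else []."""
    parsed = urlparse(url)
    if parsed.hostname is None or parsed.hostname.lower() not in IDP_HOSTS:
        return []
    qs = parse_qs(parsed.query)          # parse_qs percent-decodes the values
    return [value for name in REDIRECT_PARAMS for value in qs.get(name, [])]


def find_suspicious_redirects(text, allowed=ALLOWED_REDIRECT_DOMAINS):
    """Scan free text for IdP authorization URLs whose redirect target leaves the allowlist."""
    findings = []
    for url in URL_RE.findall(text):
        for target in redirect_targets(url):
            target_host = urlparse(target).hostname
            if target_host is None or not _host_allowed(target_host, allowed):
                findings.append({"url": url, "redirect_to": target})
    return findings


# Constructed sample email body: one IdP link redirecting to an unknown host (flag it),
# one IdP link redirecting to an allowlisted host (fine), one ordinary link (ignored).
SAMPLE_EMAIL = """\
Your e-signature is requested. Review the document here:
https://login.microsoftonline.com/common/oauth2/v2.0/authorize?client_id=00000000-0000-0000-0000-000000000000&response_type=code&redirect_uri=https%3A%2F%2Fupdates.example-invalid.test%2Fdownload&scope=openid
Meeting recording: https://accounts.google.com/o/oauth2/v2/auth?client_id=demo&redirect_uri=https%3A%2F%2Fportal.example-corp.com%2Fcb
Unrelated link: https://www.example-corp.com/news
"""

if __name__ == "__main__":
    for finding in find_suspicious_redirects(SAMPLE_EMAIL):
        print("SUSPICIOUS IdP redirect ->", finding["redirect_to"])
```

The check is deliberately conservative: it only examines links whose host is a known identity provider, so ordinary links are ignored, and a redirect to an allowlisted subdomain passes. In a mail gateway or SOC pipeline the findings would feed a quarantine or alert rather than a print statement.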
Read at The Register