By rssfeeds-admin 
These campaigns target government and public-sector groups, dodging email filters by mimicking legit authentication flows.
Attackers skip credential theft or vulnerability exploits, instead weaponizing trusted protocol redirects to slip malware past defenses.
Attack Mechanics and Flow
Adversaries register malicious apps in their tenant, pointing redirect URIs to phishing or malware hosts.
They blast phishing emails with lures like e-signature requests, fake Teams invites, or password resets.
Victims clicking links hit a silent OAuth flow rigged with prompt=none and scope=invalid parameters. This forces an error redirect sans UI, making the URL look clean to users and scanners.
The state parameter carries the victim’s email encoded in Base64, hex, or custom schemes to auto-fill phishing pages, boosting realism.
Victims land on tools like EvilProxy for session hijacking or auto-download a ZIP with a booby-trapped LNK file.
PowerShell runs host recon, then sideloads crashhandler.dll via legit steam_monitor.exe for C2 callback.
No CVEs tie directly to this; it’s protocol abuse per RFC 6749/9700, which flags error redirects as risky (RFC 9700 Sec. 4.11.2).
| Detection Type | Indicator/Component Details | Context/Source |
|---|---|---|
| URL Parameters | prompt=none, scope=invalid |
Triggers silent error redirect |
| File Artifacts | steam_monitor.exe, crashhandler.dll, crashlog.dat |
DLL side-loading payload |
| Defender Signatures | Trojan:Win32/Malgent, Trojan:Win32/Znyonm, Trojan:Win32/WinLNK | Malware detections |
| Error Codes | Error 65001, error=interaction_required |
Failed SSO, successful redirect |
Block this via OAuth governance, not patches. Audit apps, curb user consent, and enforce Conditional Access.
| Mitigation Category | Recommended Action |
|---|---|
| App Governance | Audit overprivileged OAuth apps regularly |
| Access Controls | Enforce Conditional Access and ID protection |
| Telemetry | Use XDR for cross-signal correlation |
| Behavioral Hunt | Flag PowerShell/LNK/DLL anomalies |
Hunt URL clicks with bad scopes, ZIP downloads post-redirect, PowerShell from LNKs, and DLL side-loading. Deploy XDR for email-identity-endpoint correlation.
Act fast, hunt these IOCs now to shield Entra tenants.
Follow us on Google News , LinkedIn and X to Get More Instant Updates. Set Cyberpress as a Preferred Source in Google.
The post Microsoft Warns of Advanced Phishing Campaign Abusing OAuth in Entra ID appeared first on Cyber Security News.
Discover more from RSS Feeds Cloud
Subscribe to get the latest posts sent to your email.