Overview
- Microsoft researchers say threat actors register malicious OAuth apps and craft failing authorization requests to redirect users from trusted login pages to attacker infrastructure.
- Targets include government and public-sector organizations, with redirects leading either to phishing frameworks like EvilProxy that intercept session cookies or to automatic malware downloads.
- In documented cases, victims received ZIP archives containing LNK shortcuts and HTML smuggling loaders that launched PowerShell, performed reconnaissance, and enabled DLL side-loading.
- The chain used a legitimate executable to load a malicious DLL (crashhandler.dll), which decrypted a payload (crashlog.dat) in memory and established command-and-control connections.
- Microsoft Entra disabled the identified malicious apps, but Microsoft reports that related OAuth abuse continues; recommended defenses include tighter app consent and permission policies, Conditional Access, identity protections, and cross-domain detection.
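The first bullet describes the detectable core of the technique: an OAuth authorization request that fails and then sends the browser to a host the tenant does not own. The script below is an added example for the "cross-domain detection" recommendation and is not code from Microsoft or from the report. It runs over a handful of constructed, simplified authorization events (the field names `app_id`, `status`, `redirect_uri` and the tenant hosts are assumptions, not the real Entra sign-in log schema) and groups failed authorizations with an untrusted redirect host by application so each one can be reviewed and disabled once.

```python
"""Flag failed OAuth authorization requests whose redirect leaves the tenant.

Added example, not code from Microsoft's report. The event records and the
trusted-host list are constructed; real Entra sign-in logs use different
field names, so map them before reusing the logic.
"""
from urllib.parse import urlparse

# Hosts a legitimate authorization flow in this (hypothetical) tenant may
# redirect to. Subdomains of these hosts are accepted as well.
TRUSTED_REDIRECT_HOSTS = {
    "login.microsoftonline.com",
    "portal.contoso.example",  # constructed first-party app host
}

# Constructed, simplified authorization events (assumed field names).
SAMPLE_EVENTS = [
    {"app_id": "app-0001", "app_name": "Contoso Portal", "status": "success",
     "redirect_uri": "https://portal.contoso.example/auth/cb",
     "user": "alice@contoso.example"},
    {"app_id": "app-0002", "app_name": "Shared Document Viewer",
     "status": "failure", "error": "invalid_request",
     "redirect_uri": "https://docs-review.lure.example/open",
     "user": "bob@contoso.example"},
    # Same app, different user, lookalike host that merely *starts with*
    # a trusted name; the suffix check below must not accept it.
    {"app_id": "app-0002", "app_name": "Shared Document Viewer",
     "status": "failure", "error": "invalid_request",
     "redirect_uri": "https://login.microsoftonline.com.lure.example/open",
     "user": "carol@contoso.example"},
    # Benign failure: wrong scope, but the redirect stays on a tenant host.
    {"app_id": "app-0003", "app_name": "HR Self Service",
     "status": "failure", "error": "invalid_scope",
     "redirect_uri": "https://portal.contoso.example/auth/cb",
     "user": "dave@contoso.example"},
]


def redirect_host(uri: str) -> str:
    """Lower-cased hostname of a redirect URI, or '' if it has none."""
    return (urlparse(uri).hostname or "").lower()


def is_trusted_host(host: str) -> bool:
    """Exact match or a subdomain of a trusted host (dot-anchored suffix)."""
    return any(host == t or host.endswith("." + t)
               for t in TRUSTED_REDIRECT_HOSTS)


def is_suspicious(event: dict) -> bool:
    """A failed authorization whose redirect target is not a trusted host.

    A failure with no redirect_uri at all is also reported, since a missing
    host cannot be shown to be trusted.
    """
    if event.get("status") != "failure":
        return False
    return not is_trusted_host(redirect_host(event.get("redirect_uri", "")))


def triage(events: list) -> dict:
    """Group suspicious events by app_id for one review per application."""
    findings: dict = {}
    for ev in events:
        if not is_suspicious(ev):
            continue
        entry = findings.setdefault(ev["app_id"], {
            "app_name": ev.get("app_name", ""),
            "redirect_hosts": set(),
            "users": set(),
        })
        entry["redirect_hosts"].add(redirect_host(ev.get("redirect_uri", "")))
        entry["users"].add(ev.get("user", ""))
    return findings


if __name__ == "__main__":
    for app_id, entry in triage(SAMPLE_EVENTS).items():
        print(f"{app_id} ({entry['app_name']}): "
              f"{len(entry['users'])} user(s) redirected to "
              f"{sorted(entry['redirect_hosts'])}")
```

The suffix check is anchored on a leading dot so that a host such as `login.microsoftonline.com.lure.example` is not mistaken for a Microsoft login host; whether to accept subdomains at all is a tenant decision and the allowlist should come from the registered redirect URIs of sanctioned apps rather than a hand-written set.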