Overview
- Researchers detail phishing campaigns that craft OAuth authorization requests with invalid scopes or silent prompts to trigger error-handling redirects to attacker domains.
- Targets receive emails themed around e‑signatures, Teams recordings, password resets, or political and financial topics, with links in the message or embedded within PDFs.
- Actors pass victim emails through the OAuth state parameter to auto-populate phishing pages, using mass-sending tools, custom Python and Node.js scripts, and cloud services.
- Some operations route users to EvilProxy adversary‑in‑the‑middle kits to capture credentials and session cookies instead of delivering malware directly.
- In malware-delivery cases, the redirect auto-downloads a ZIP file containing LNK and HTML-smuggling loaders that execute PowerShell, side-load a malicious DLL via steam_monitor.exe, decrypt a payload, and establish C2.
- Microsoft disabled the observed OAuth apps and recommends limiting user consent, pruning overprivileged apps, and enforcing Conditional Access with cross-domain detection.
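As an added defender-side example (not code from the summarised report), the following Python check inspects an OAuth authorize URL taken from an email or proxy log for the combination described above: a redirect_uri outside the tenant's allow-list, prompt=none or unrecognised scopes that would force an error redirect, and an email address smuggled in the state parameter. The allow-listed hosts, expected scopes and sample URLs are constructed assumptions, not values from the report.

```python
import base64
import re
from urllib.parse import parse_qs, unquote, urlparse

# Assumed tenant policy (hypothetical values): hosts our registered apps may
# redirect to, and the scopes those apps are expected to request.
TRUSTED_REDIRECT_HOSTS = {"app.example.com"}
KNOWN_SCOPES = {"openid", "profile", "email", "offline_access", "User.Read"}
AUTHZ_HOSTS = {"login.microsoftonline.com"}
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")

# Constructed sample URLs: one abusing the error-redirect path, one benign.
PHISHING_URL = ("https://login.microsoftonline.com/common/oauth2/v2.0/authorize"
                "?client_id=00000000-0000-0000-0000-000000000000&response_type=code"
                "&redirect_uri=https%3A%2F%2Fphish.example%2Fcb"
                "&scope=openid%20not.a.real.scope&prompt=none"
                "&state=dmljdGltQGV4YW1wbGUuY29t")  # base64 of victim@example.com
BENIGN_URL = ("https://login.microsoftonline.com/common/oauth2/v2.0/authorize"
              "?client_id=00000000-0000-0000-0000-000000000000&response_type=code"
              "&redirect_uri=https%3A%2F%2Fapp.example.com%2Fcb"
              "&scope=openid%20User.Read&state=abc123")

def decoded_state_variants(state):
    """Return state as given and, if it decodes, as base64 plaintext."""
    variants = [unquote(state)]
    try:
        padded = state + "=" * (-len(state) % 4)
        variants.append(base64.b64decode(padded).decode("utf-8", "ignore"))
    except ValueError:  # not base64; keep only the literal value
        pass
    return variants

def assess_authorize_url(url):
    """List the indicators found in an authorize URL (empty list = nothing odd)."""
    u = urlparse(url)
    if u.hostname not in AUTHZ_HOSTS or not u.path.endswith("/authorize"):
        return []  # not an authorization request; nothing to assess
    q = {k: v[0] for k, v in parse_qs(u.query).items()}
    reasons = []
    redirect_host = urlparse(q.get("redirect_uri", "")).hostname
    if redirect_host not in TRUSTED_REDIRECT_HOSTS:
        reasons.append(f"redirect_uri host not allow-listed: {redirect_host}")
    if q.get("prompt") == "none":
        reasons.append("prompt=none forces an error redirect with no user interaction")
    unknown = sorted(set(q.get("scope", "").split()) - KNOWN_SCOPES)
    if unknown:
        reasons.append(f"unknown scope(s) likely to trigger an error redirect: {unknown}")
    for variant in decoded_state_variants(q.get("state", "")):
        match = EMAIL_RE.search(variant)
        if match:
            reasons.append(f"state carries an email address: {match.group(0)}")
            break
    return reasons

def is_redirect_abuse(url):
    """Flag only an untrusted redirect target paired with at least one other indicator."""
    reasons = assess_authorize_url(url)
    return any(r.startswith("redirect_uri") for r in reasons) and len(reasons) >= 2
```

A real deployment would load the allow-list from the tenant's app registrations and run the check over URL-extraction output from mail and proxy logs.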