- Microsoft warns hackers are abusing OAuth redirect feature to deliver malware
- Phishing emails themed around Teams recordings or 365 resets redirect victims to attacker-controlled sites
- Payloads dropped via ZIP archives with LNK shortcuts and HTML smuggling; final stage connects to external C2
Hackers are abusing a redirect feature in OAuth to infect people’s computers with malware and steal their login credentials, Microsoft is warning.
OAuth (short for Open Authorization) is a system which lets users log into websites using their account from another service, without giving that website their password. Whenever a “Log In With Google” popup is shown, it is most likely OAuth.
This system has a redirect feature which identity providers can use to send visitors to a different landing page, usually if the process triggers an error – but Microsoft says this feature is being abused.
Downloading the payload
In recently spotted attacks, the crooks would send phishing emails to government and public sector organizations, usually themed around Teams meeting recordings, or Microsoft 365 password reset requests. These emails would contain a link with carefully crafted parameters which, if clicked, would bring up OAuth and trigger an error.
Because of the error, the users would then be redirected to an attacker-owned phishing-as-a-service website, where malicious payloads are hosted.
“By hosting the payload on an application redirect URI under their control, attackers can quickly rotate or change redirected domains when security filters block them,” Microsoft explained in a blog post.
In one observed attack, the victims were redirected to a /download/XXXX path that downloaded a ZIP file. That archive contained LNK shortcuts and HTML smuggling loaders, and when victims opened the shortcut files, they triggered a PowerShell command. In turn, that command ran discover commands and launched a legitimate executable which, with the help of a side-loaded malicious DLL, executed the final payload.
The result was an outbound connection to an external C2 endpoint.
It is worth stressing that the victims did not lose their login credentials on the OAuth page – it was just used as a redirect feature to get a payload dropped. Right now, we don’t know how widespread the campaign is, or how many government organizations were affected.
The best antivirus for all budgets
Follow TechRadar on Google News and add us as a preferred source to get our expert news, reviews, and opinion in your feeds. Make sure to click the Follow button!
And of course you can also follow TechRadar on TikTok for news, reviews, unboxings in video form, and get regular updates from us on WhatsApp too.
https://cdn.mos.cms.futurecdn.net/CT482eMSRL8PagRtuBVYNd-2000-80.jpeg
Source link
