Tag

C2

All articles tagged with #c2

OAuth Redirect Abuse Targets Government Agencies With Malware Delivery
security | 1 month ago

Microsoft warns of phishing campaigns that exploit OAuth redirect flows to bypass email and browser defenses, steering government and public-sector victims to attacker-controlled landing pages. Attackers use a malicious OAuth app with a redirect URL to rogue domains; victims authenticate, triggering ZIP-delivered payloads that execute PowerShell, DLL sideloading, and in-memory malware to reach a remote C2 server. Some campaigns also employ EvilProxy for credential interception. Defenders are advised to limit user consent, review app permissions, and remove unused or overprivileged apps.