{"id":220059,"date":"2026-03-03T04:20:00","date_gmt":"2026-03-03T09:20:00","guid":{"rendered":"https:\/\/news-you-need.com\/index.php\/2026\/03\/03\/microsoft-warns-oauth-redirect-abuse-delivers-malware-to-government-targets\/"},"modified":"2026-03-05T01:15:09","modified_gmt":"2026-03-05T06:15:09","slug":"microsoft-warns-oauth-redirect-abuse-delivers-malware-to-government-targets","status":"publish","type":"post","link":"https:\/\/news-you-need.com\/index.php\/2026\/03\/03\/microsoft-warns-oauth-redirect-abuse-delivers-malware-to-government-targets\/","title":{"rendered":"Microsoft Warns OAuth Redirect Abuse Delivers Malware to Government Targets"},"content":{"rendered":"<p><a href=\"https:\/\/thehackernews.com\/2026\/03\/microsoft-warns-oauth-redirect-abuse.html\">Microsoft Warns OAuth Redirect Abuse Delivers Malware to Government Targets<\/a><\/p>\n<p><a href=\"https:\/\/thehackernews.com\/2026\/03\/microsoft-warns-oauth-redirect-abuse.html\">https:\/\/thehackernews.com\/2026\/03\/microsoft-warns-oauth-redirect-abuse.html<\/a><\/p>\n<p>Publish Date: 2026-03-03 04:20:00<\/p>\n<p>Source Domain: <a href=\"thehackernews.com\">thehackernews.com<\/a><\/p>\n<p><span class=\"p-author\"><span class=\"author\">Ravie Lakshmanan<\/span> <span class=\"author\">Mar 03, 2026<\/span><\/span><span class=\"p-tags\">Phishing \/ Malware<\/span><\/p>\n<p>Microsoft on Monday warned of phishing campaigns that employ phishing emails and OAuth URL redirection mechanisms to bypass conventional phishing defenses implemented in email and browsers.<\/p>\n<p>The activity, the company said, targets government and public-sector organizations with the end goal of redirecting victims to attacker-controlled infrastructure without stealing their tokens. 
It described the phishing attacks as an identity-based threat that takes advantage of OAuth&#8217;s standard, by-design behavior rather than exploiting software vulnerabilities or stealing credentials.<\/p>\n<p>&#8220;OAuth includes a legitimate feature that allows identity providers to redirect users to a specific landing page under certain conditions, typically in error scenarios or other defined flows,&#8221; the Microsoft Defender Security Research Team said.<\/p>\n<p>&#8220;Attackers can abuse this native functionality by crafting URLs with popular identity providers, such as Entra ID or Google Workspace, that use manipulated parameters or associated malicious applications to redirect users to attacker-controlled landing pages. This technique enables the creation of URLs that appear benign but ultimately lead to malicious destinations.&#8221;<\/p>\n<p>The starting point of the attack is a malicious application created by the threat actor in a tenant under their control. The application is configured with a redirect URL pointing to a rogue domain that hosts malware. The attackers then distribute an OAuth phishing link that instructs the recipients to authenticate to the malicious application by using an intentionally invalid scope.<\/p>\n<p>The result of this redirection is that users inadvertently download and infect their own devices with malware. 
The malicious payloads are distributed in the form of ZIP archives, which, when unpacked, result in PowerShell execution, DLL side-loading, and pre-ransom or hands-on-keyboard activity, Microsoft said.<\/p>\n<p><img decoding=\"async\" alt=\"\" border=\"0\" data-original-height=\"619\" data-original-width=\"975\" src=\"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEg35_jpjskWwIKSmML3oNviusc-_hC1A8yh8RXJQOeOHSqUoIdfnjcyzKM1lH8dGi9T7aFnvalRbVslWqivXJWLzCocm364RRNdKjWG8ZoZV88yJTZqkxvhC91WSq1hAKASeBzW4vgQ3x89Efkr-3UWxmXbBjcs50L6lsQrrccFHPzVdaiv-O8SgB763rOr\/s1600\/ms-chain.jpg\"\/><\/p>\n<p>The ZIP file contains a Windows shortcut&#8230;<\/p>\n<p><a href=\"https:\/\/thehackernews.com\/2026\/03\/microsoft-warns-oauth-redirect-abuse.html\">Source<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Microsoft Warns OAuth Redirect Abuse Delivers Malware to Government Targets https:\/\/thehackernews.com\/2026\/03\/microsoft-warns-oauth-redirect-abuse.html Publish Date: 2026-03-03 
04:20:00&#8230;<\/p>\n","protected":false},"author":1,"featured_media":220060,"comment_status":"closed","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEgVaGXK9F-m4oJx6H9HD0gQaOmONLT8sEFgtKmoGO4k6MzjQY-bfbtoGrUcG2k7tH571M_K6Ej7P5Z5vtjuCYsrKU3tRpOE2fkZv_ViiEmjpUeYwwHTB_8oKlQZd2-VysqvPgdvaofwFi13iPjMSe1pjf0nudP2s4YvheFQHwvsQT8neGjKTPq7nA_PPn0x\/s1600\/ms-login.jpg","fifu_image_alt":"","footnotes":""},"categories":[15],"tags":[32,25,34],"class_list":["post-220059","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cybersecurity","tag-malware","tag-phishing","tag-threat-actor"],"_links":{"self":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/220059"}],"collection":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/comments?post=220059"}],"version-history":[{"count":1,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/220059\/revisions"}],"predecessor-version":[{"id":220061,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/220059\/revisions\/220061"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/media\/220060"}],"wp:attachment":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/media?parent=220059"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/categories?post=220059"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/tags?post=220059"}],"curies"
:[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}