Weaponized OAuth: Government and Public Sector Targeted in Malicious Redirection Campaign


A link pointing to login.microsoftonline.com can deliver a user's browser directly to an attacker-controlled endpoint without stealing credentials or tokens. This is not a bug; it is an exploitation of the intended OAuth 2.0 workflow.

Threat actors are currently leveraging this mechanism to drive government and public administration targets toward controlled sites and multi-stage payloads, with pre-ransomware activity observed in the field.

"The attacker does not obtain the user’s access token, as the sign-in fails with error code 65001, indicating the user has not granted the application permission to access the resource."

Turning OAuth Errors into Attack Tunnels

The mechanism relies on the OAuth 2.0 authorization endpoint. An attacker registers an application with a redirect_uri under their control and then distributes links that appear to lead to login.microsoftonline.com. Within the URL, parameters such as response_type=code and prompt=none request silent authentication, while a deliberately invalid scope makes the operation impossible.

According to protocol specifications, the identity provider must still redirect the browser to the registered URI, attaching error parameters and session state. The victim ends up on a hostile domain without any token compromise occurring. From that point, the attacker-controlled site can trigger automatic downloads of ZIP archives containing LNK files and HTML smuggling loaders, initiating the local execution chain.

The result is an attack that bypasses the first line of defense without the need for stolen credentials, browser exploits, or prior email compromise. The user only needs to click a seemingly innocent link managed by a trusted identity provider to trigger the chain.

This campaign is not a classic OAuth consent phishing attack, where a user grants permissions to a malicious app. In this case, the application is already registered or compromised by the attacker, and the user is pushed toward the redirect_uri without any token being stolen, as the login fails with error 65001.
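The parameter combination described above can be checked before a link is ever clicked. The following triage function is an added example, not code from Microsoft or from the original report; the trusted-redirect allowlist, the plausible-scope prefixes and the sample URLs are constructed for illustration.

```python
from urllib.parse import urlparse, parse_qs

# Legitimate Microsoft identity endpoints (constructed allowlist; extend per tenant).
IDP_HOSTS = {"login.microsoftonline.com", "login.microsoft.com"}
# Hosts where this organisation's own apps are expected to receive the redirect (constructed).
TRUSTED_REDIRECT_HOSTS = {"portal.example.gov", "localhost"}
# Scope prefixes that Entra would normally grant; anything else is treated as implausible
# (heuristic assumption, not an exhaustive list).
PLAUSIBLE_SCOPE_PREFIXES = ("openid", "profile", "email", "offline_access",
                            "https://graph.microsoft.com/", "api://")


def triage_authorize_url(url: str) -> dict:
    """Inspect an OAuth 2.0 authorize link and report where the browser will land.

    The campaign's signature is: IdP host + response_type=code + prompt=none
    + a scope that cannot be granted + a redirect_uri outside the organisation.
    """
    u = urlparse(url)
    q = {k: v[0] for k, v in parse_qs(u.query).items()}
    result = {"idp_host": (u.hostname or "").lower() in IDP_HOSTS,
              "authorize_endpoint": "/oauth2/" in u.path and u.path.endswith("/authorize"),
              "redirect_host": "", "flags": []}
    if not (result["idp_host"] and result["authorize_endpoint"]):
        result["verdict"] = "not_an_idp_authorize_link"
        return result

    redirect_host = (urlparse(q.get("redirect_uri", "")).hostname or "").lower()
    result["redirect_host"] = redirect_host
    if redirect_host and redirect_host not in TRUSTED_REDIRECT_HOSTS:
        result["flags"].append("external_redirect_uri")
    # Silent authentication request: the IdP must answer by redirecting, never by prompting.
    if q.get("response_type") == "code" and q.get("prompt") == "none":
        result["flags"].append("silent_code_request")
    scopes = q.get("scope", "").split()
    if scopes and not all(s.startswith(PLAUSIBLE_SCOPE_PREFIXES) for s in scopes):
        result["flags"].append("implausible_scope")

    # An external landing host combined with a silent request is the campaign pattern;
    # a bad scope strengthens it but is not required for the verdict.
    if {"external_redirect_uri", "silent_code_request"} <= set(result["flags"]):
        result["verdict"] = "suspicious"
    else:
        result["verdict"] = "benign"
    return result


# Constructed sample links (client_id is a placeholder, attacker.example is fictional).
SUSPICIOUS_URL = ("https://login.microsoftonline.com/common/oauth2/v2.0/authorize?"
                  "client_id=00000000-0000-0000-0000-000000000000&response_type=code"
                  "&redirect_uri=https%3A%2F%2Fattacker.example%2Fcb&scope=not.a.real.scope"
                  "&prompt=none&state=x1")
BENIGN_URL = ("https://login.microsoftonline.com/common/oauth2/v2.0/authorize?"
              "client_id=00000000-0000-0000-0000-000000000000&response_type=code"
              "&redirect_uri=https%3A%2F%2Fportal.example.gov%2Fauth&scope=openid%20profile")
```

Run the function over every login.microsoftonline.com link extracted from inbound mail or PDF attachments; the three flags map directly to the URL features the report describes.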

Social Engineering: Lures Exploiting Institutional Trust

Microsoft observed phishing lures adopting themes related to e-signatures, social security, finance, and politics. In some instances, the malicious link was embedded within PDF documents or accompanied by fake .ics calendar attachments—deliveries designed to mimic official institutional communications. The choice of targets is deliberate: campaigns explicitly target government and public sector organizations, exploiting users' familiarity with digital administrative procedures.

The decision to hide links in PDFs or fake .ics calendars suggests a focus on the daily workflows of public employees, who routinely receive meeting invitations, forms, and institutional notices. This familiarity lowers the user's guard and delays verification of the link's true destination.

From Malicious Links to DLL Side-Loading: The Infection Chain

Once activated, the download leads to a ZIP archive containing LNK files and HTML smuggling loaders. The LNK file executes PowerShell commands for local reconnaissance, such as ipconfig /all and tasklist, gathering preliminary information on the compromised system.

Next, the chain extracts steam_monitor.exe, crashhandler.dll, and crashlog.dat, utilizing a classic DLL side-loading technique: the legitimate executable loads the malicious library, which decrypts crashlog.dat and executes the payload in memory. From that point, researchers have observed hands-on-keyboard activity and pre-ransomware signals, indicating that endpoint compromise is merely a prelude to subsequent maneuvers.

Why Traditional Phishing Filters Fall Short

The fundamental issue is that the URL shown in the address bar belongs to a legitimate and highly trusted domain: login.microsoftonline.com. Traditional anti-phishing filters often rely on domain reputation and do not analyze the internal redirection flow of the OAuth 2.0 protocol. Users accustomed to corporate SSO workflows perceive no anomalies until they land on the attacker-controlled site, by which time the payload download has already begun.

Secure Email Gateways (SEGs) and corporate URL filters inspect the link received via email but do not inspect the OAuth redirection flow handled by the browser.

Once the identity provider issues the redirect to the malicious redirect_uri, the process moves outside the gateway's visibility.

For Security Operations Centers (SOCs), a key behavioral indicator is the sequence in which an OAuth error with code 65001 or interaction_required is immediately followed by an automatic download of ZIP archives containing LNK files or executable/DLL pairs like steam_monitor.exe and crashhandler.dll.

For traditional defenses, this represents a paradigm shift: the danger no longer arrives from a compromised or spoofed domain, but via a legitimate path within a trusted cloud infrastructure. The realization that even login.microsoftonline.com can serve as a bridge to hostile sites must become a pillar of modern corporate threat modeling.

Microsoft Entra has disabled the identified malicious OAuth applications, but related activities persist and require continuous monitoring.

Defensive Strategies and Mitigation

  • Inspect redirect_uris: Audit OAuth applications registered in Microsoft Entra for external or anomalous redirection endpoints, following Microsoft’s action to disable identified malicious apps.
  • Monitor OAuth Errors: Analyze authentication logs for 65001 or interaction_required errors associated with invalid scopes and redirects to non-corporate domains, which may indicate a forced transition to hostile infrastructure.
  • Correlate Errors with Endpoint Downloads: Instruct SOC teams to flag any sequence where an OAuth error flow toward an unknown redirect_uri precedes the download of ZIP files containing LNK files or pairs such as steam_monitor.exe and crashhandler.dll.
  • Control Automatic Downloads: Alert endpoint security teams to the appearance of ZIP archives containing LNK files or file pairs like steam_monitor.exe and crashhandler.dll, which are known indicators of this infection chain.
  • Reduce Implicit Trust in Microsoft Links: Update security awareness procedures to highlight that even URLs with legitimate OAuth domains can hide dangerous redirects, particularly in emails regarding e-signatures or social security.
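The SOC indicator described in the "Why Traditional Phishing Filters Fall Short" section and the "Monitor OAuth Errors" and "Correlate Errors with Endpoint Downloads" items above can be expressed as a small correlation rule. The code below is an added example, not Microsoft's or the report's own tooling; the event schema (normalised sign-in and endpoint records), the correlation window and the log lines are constructed.

```python
from datetime import datetime, timedelta

# Sign-in outcomes that mark the forced error redirect (from the report).
OAUTH_ERROR_MARKERS = {"65001", "interaction_required"}
# File names named in the report as the side-loading triad.
IOC_FILE_NAMES = {"steam_monitor.exe", "crashhandler.dll", "crashlog.dat"}
# Constructed: how long after the OAuth error an endpoint event still counts.
CORRELATION_WINDOW = timedelta(minutes=10)


def _ts(value: str) -> datetime:
    return datetime.fromisoformat(value)


def correlate_oauth_errors_with_downloads(signins, endpoint_events, window=CORRELATION_WINDOW):
    """Return one alert per suspicious sign-in that is followed, for the same user and
    within `window`, by a ZIP download or by creation of a known side-loading file.

    signins:          [{"ts", "user", "error", "redirect_host"}]  (normalised Entra sign-in)
    endpoint_events:  [{"ts", "user", "action", "name"}]          (normalised EDR file event)
    """
    alerts = []
    events = sorted(endpoint_events, key=lambda e: _ts(e["ts"]))
    for s in signins:
        if s["error"] not in OAUTH_ERROR_MARKERS:
            continue
        t0 = _ts(s["ts"])
        matched = []
        for e in events:
            te = _ts(e["ts"])
            if e["user"] != s["user"] or te < t0 or te - t0 > window:
                continue
            name = e["name"].lower()
            if name.endswith(".zip") or name in IOC_FILE_NAMES:
                matched.append(e)
        if matched:
            alerts.append({"user": s["user"], "oauth_error": s["error"],
                           "redirect_host": s["redirect_host"], "events": matched})
    return alerts


# Constructed sample records: alice follows the campaign pattern, bob's error is a
# benign unconsented app with no download afterwards, carol's download is unrelated.
SAMPLE_SIGNINS = [
    {"ts": "2025-01-10T09:00:00", "user": "alice", "error": "65001", "redirect_host": "attacker.example"},
    {"ts": "2025-01-10T09:05:00", "user": "bob", "error": "65001", "redirect_host": "portal.example.gov"},
    {"ts": "2025-01-10T09:07:00", "user": "carol", "error": "0", "redirect_host": "portal.example.gov"},
]
SAMPLE_ENDPOINT_EVENTS = [
    {"ts": "2025-01-10T09:00:40", "user": "alice", "action": "download", "name": "Invoice_2025.zip"},
    {"ts": "2025-01-10T09:02:10", "user": "alice", "action": "file_create", "name": "steam_monitor.exe"},
    {"ts": "2025-01-10T09:08:00", "user": "carol", "action": "download", "name": "minutes.zip"},
]
```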

The abuse of OAuth redirection demonstrates how modern authentication protocols, designed to simplify access, can be inverted into advanced social engineering vectors. As long as the specification considers error redirection legitimate, the line of defense can no longer rely solely on domain reputation; it must shift toward monitoring flow and endpoint behavior. For public administrations, the message is clear: blind trust in corporate SSO flows has become a measurable operational risk.

Key takeaways
  • Attackers construct URLs with response_type=code, prompt=none, and invalid scopes to trigger interaction_required errors and redirect browsers to a malicious redirect_uri, carrying error and session parameters.
  • Victims include government and public sector organizations targeted through lures involving e-signatures, social security, finance, and politics, with links hidden in PDFs or fake .ics attachments.
  • Microsoft confirms the attacker does not obtain the victim's access token; the login fails with error 65001, and the objective is solely redirection to an attacker-controlled site.
  • The final payload deploys in multiple stages—from ZIP archives and LNK files to PowerShell commands, DLL side-loading via steam_monitor.exe and crashhandler.dll, ending in C2 connections and pre-ransom hands-on-keyboard activity.

Editorial Note: Analysis based on the Microsoft Security Blog report; consider the commercial orientation of recommendations citing proprietary tools.
