Hackers are abusing the legitimate OAuth redirection mechanism to bypass phishing protections in email and browsers to take users to malicious pages. [...]
Analysis Summary
# Tool/Technique: OAuth Error Flow Redirection Abuse
## Overview
This technique involves the exploitation of the legitimate OAuth 2.0 error-handling mechanism to bypass security filters. Attackers craft malicious OAuth authorization requests with intentional parameter errors (such as invalid scopes). Because the OAuth standard dictates that errors must be reported back to the registered `redirect_uri`, the identity provider (e.g., Microsoft Entra ID) automatically forwards the victim’s browser to an attacker-controlled domain. This allows malicious links to appear as legitimate `login.microsoftonline.com` URLs, successfully bypassing email gateways and reputation-based browser protections.
## Technical Details
- **Type:** Technique (Phishing/Redirection)
- **Platform:** Windows, Web Browsers, Cloud Identity Providers (Microsoft Entra ID/Azure AD)
- **Capabilities:** Bypasses URL filtering, automates credential harvesting, delivers malware via HTML smuggling, and facilitates AitM (Adversary-in-the-Middle) attacks.
- **First Seen:** Reported March 2026 (Microsoft)
## MITRE ATT&CK Mapping
- **TA0001 - Initial Access**
  - T1566.002 - Phishing: Spearphishing Link
- **TA0005 - Defense Evasion**
  - T1204.001 - User Execution: Malicious Link
  - T1572 - Protocol Tunneling (AitM)
  - T1574.002 - Hijack Execution Flow: DLL Side-Loading
- **TA0007 - Discovery**
  - T1082 - System Information Discovery
- **TA0011 - Command and Control**
  - T1071.001 - Application Layer Protocol: Web Protocols
## Functionality
### Core Capabilities
- **Legitimate Domain Abuse:** Uses trusted identity provider endpoints (e.g., Microsoft Entra ID) to mask the final destination of a phishing link.
- **Forced Redirection:** Uses `prompt=none` or an invalid `scope` parameter to force the identity provider into a "silent" error redirection that requires no user interaction.
- **Credential Pre-filling:** Misuses the OAuth `state` parameter to pass the victim's email address to the phishing landing page, increasing credibility.
### Advanced Features
- **AitM Integration:** Redirects victims to frameworks like **EvilProxy** to intercept session cookies and bypass Multi-Factor Authentication (MFA).
- **Multi-Stage Malware Delivery:** Uses HTML smuggling and ZIP archives containing malicious `.LNK` files to initiate local execution.
- **Evasive Execution:** Employs PowerShell for reconnaissance and **DLL Side-loading** (using `stream_monitor.exe` to load `crashhandler.dll`) to execute the final payload (`crashlog.dat`) in memory.
## Indicators of Compromise
- **File Names:**
  - `stream_monitor.exe` (Legitimate executable used for side-loading)
  - `crashhandler.dll` (Malicious loader)
  - `crashlog.dat` (Encrypted payload)
- **Network Indicators:**
  - `login.microsoftonline.com/common/oauth2/v2.0/authorize?...` (Standard URL prefix used in the attack)
  - Various attacker-controlled `redirect_uri` domains [Defanged: hxxps[://]attacker-domain[.]com/oauth/callback]
- **Behavioral Indicators:**
  - PowerShell execution initiated by `cmd.exe` via an `.LNK` file.
  - Unexpected outbound connections from `stream_monitor.exe`.
  - Identity provider logs showing frequent OAuth authorization errors (e.g., `invalid_scope`).
## Associated Threat Actors
- Unknown/Unspecified (Targeting government and public-sector organizations).
## Detection Methods
- **Behavioral Detection:** Monitor for OAuth authorization requests containing the `prompt=none` parameter or unusual/invalid scopes originating from external or newly created applications.
- **Identity Logs:** Audit Microsoft Entra ID sign-in logs for "Failure" status codes related to OAuth redirections to external, non-corporate domains.
- **Endpoint Monitoring:** Watch for the creation of `.LNK` files in downloads folders that execute PowerShell or command-line scripts.
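The behavioral checks above, written out as a small triage script that runs over OAuth authorize URLs pulled from an email-gateway or proxy log. This is an added example, not code from the original report or from Microsoft; the sample URLs, the placeholder attacker domain, the allowlist of redirect hosts and the set of known scopes are all constructed assumptions that a deployment would replace with its own app registrations.

```python
import re
from urllib.parse import parse_qs, urlparse

# Constructed sample log entries (not real indicators). The first is a benign
# sign-in; the second shows every trait the report describes: an external
# redirect_uri, prompt=none, a bogus scope and a victim address in `state`.
SAMPLE_URLS = [
    "https://login.microsoftonline.com/common/oauth2/v2.0/authorize"
    "?client_id=11111111-2222-3333-4444-555555555555&response_type=code"
    "&redirect_uri=https%3A%2F%2Fintranet.example.com%2Fauth%2Fcallback"
    "&scope=openid%20profile&state=abc123",
    "https://login.microsoftonline.com/common/oauth2/v2.0/authorize"
    "?client_id=66666666-7777-8888-9999-000000000000&response_type=code"
    "&redirect_uri=https%3A%2F%2Fattacker-domain.example%2Foauth%2Fcallback"
    "&scope=does.not.exist&prompt=none&state=victim%40example.com",
    "https://example.com/not-oauth",
]

ALLOWED_REDIRECT_HOSTS = {"intranet.example.com"}  # assumed: org-registered redirect hosts
KNOWN_SCOPES = {"openid", "profile", "email", "offline_access", "User.Read"}  # assumed
EMAIL_RE = re.compile(r"[^@\s]+@[^@\s]+\.[^@\s]+")


def analyze_authorize_url(url, allowed_hosts=ALLOWED_REDIRECT_HOSTS):
    """Return the reasons an authorize URL looks like OAuth error-flow redirection abuse."""
    parsed = urlparse(url)
    if not parsed.path.endswith("/oauth2/v2.0/authorize"):
        return []  # not an OAuth authorization request; nothing to judge
    qs = parse_qs(parsed.query)
    reasons = []
    # The error response is sent to redirect_uri, so that host is the real destination.
    redirect_host = urlparse(qs.get("redirect_uri", [""])[0]).hostname or ""
    if redirect_host not in allowed_hosts:
        reasons.append(f"redirect_uri host not allowlisted: {redirect_host}")
    if qs.get("prompt", [""])[0] == "none":
        reasons.append("prompt=none requests a silent error redirect")
    unknown = [s for s in qs.get("scope", [""])[0].split() if s not in KNOWN_SCOPES]
    if unknown:
        reasons.append(f"unknown scope(s) force an invalid_scope error: {unknown}")
    if EMAIL_RE.search(qs.get("state", [""])[0]):
        reasons.append("state carries an email address (credential pre-filling)")
    return reasons


def triage(urls):
    """Map each suspicious URL to its list of reasons; clean URLs are omitted."""
    return {u: r for u in urls if (r := analyze_authorize_url(u))}


if __name__ == "__main__":
    for url, reasons in triage(SAMPLE_URLS).items():
        print(url[:70] + "...")
        for reason in reasons:
            print("  -", reason)
```

Any one of these traits alone can be legitimate (for example `prompt=none` is normal for silent token renewal), so treat the count of reasons as a triage score and confirm against the identity provider's sign-in failures for the same client ID.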
## Mitigation Strategies
- **OAuth Governance:** Restrict the ability of users to consent to apps from unverified publishers and implement "Admin Consent" workflows.
- **Conditional Access:** Enforce policies that require compliant, managed devices for authentication to sensitive applications.
- **External Redirection Controls:** Validate and restrict allowed `redirect_uris` within the identity provider settings where possible.
- **Email Security:** Use advanced threat protection to scan PDF attachments for embedded URLs and analyze the final destination of OAuth-wrapped links.
## Related Tools/Techniques
- **EvilProxy:** AitM framework used for session hijacking.
- **HTML Smuggling:** Technique used to bypass network filters by "building" the malicious file on the client side.
- **DLL Side-Loading:** A common technique to execute malicious code under the guise of a legitimate process.