Microsoft warns of a sophisticated phishing campaign that uses the OAuth feature to deliver malware to government and public sector organizations. Unlike classic attacks that steal passwords, this latest tactic uses official login pages as an entry point to distribute malicious files.

According to Microsoft's official report, the hacker group abused a legitimate redirect function in the OAuth system. OAuth itself is an authorization protocol that lets users sign in to a service with a trusted account without sharing their credentials directly with third-party applications. By design, this system is secure. In this campaign, however, the weakness is not a bug but the way the feature is manipulated.

The perpetrators sent emails designed to be very convincing. Some were disguised as recordings of Microsoft Teams meetings; others claimed to be urgent Microsoft 365 password reset notifications. Each email contains a link with modified OAuth parameters.

When the victim clicks the link, they are taken to the official Microsoft login page. Nothing on the page looks suspicious. However, the authentication request is deliberately crafted to produce an error, and that error triggers the redirect feature, which sends the user seamlessly on to a hacker-controlled site.

At this point, the attack takes a different shape. Victims are not asked to re-enter their passwords. Instead, they are directed to a phishing-as-a-service platform that serves malicious downloads.

In one of the cases revealed, the victim downloaded a ZIP archive containing a shortcut file and an HTML smuggling component. When opened, the file executes a hidden PowerShell command that launches a legitimate executable, which then loads a malicious DLL through DLL side-loading. The end result is an outbound connection to the attacker's command and control server.

Microsoft confirmed that the OAuth login page was not hacked and that no credentials were stolen on the official screen. The system works according to its design. However, the redirect feature, which is intended to return users to the application after they log in, is instead used as a distribution channel for malware.
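The mechanism described above is the standard OAuth 2.0 behaviour in which the authorization server delivers most error responses to the request's redirect_uri, so a crafted request that never completes sign-in still lands the user on the redirect target. As an added illustration, not taken from Microsoft's report, the following defender-side check scans constructed mail-gateway log lines for authorize URLs whose redirect_uri points outside an organization's own registered redirect hosts; the allowlist, client IDs and hostnames are constructed assumptions.

```python
from urllib.parse import urlparse, parse_qs

# Microsoft identity platform authorize endpoints (real hostnames; list is illustrative).
AUTHORIZE_HOSTS = {"login.microsoftonline.com", "login.live.com"}

# Constructed allowlist: redirect hosts this organization has registered for its apps.
TRUSTED_REDIRECT_HOSTS = {"app.example.com"}


def oauth_redirect_target(url):
    """Return the parsed redirect_uri if url is an OAuth authorize request, else None."""
    u = urlparse(url)
    if u.hostname not in AUTHORIZE_HOSTS or "/oauth2/" not in u.path:
        return None
    # parse_qs percent-decodes, so the embedded redirect_uri comes back as a plain URL.
    target = parse_qs(u.query).get("redirect_uri", [None])[0]
    return urlparse(target) if target else None


def classify(url):
    """Verdict for one URL seen in mail or proxy logs.

    RFC 6749 4.1.2.1: errors other than a bad client_id/redirect_uri are delivered by
    redirecting to redirect_uri, so the redirect host is what actually matters.
    """
    target = oauth_redirect_target(url)
    if target is None:
        return "not-oauth"
    if target.scheme != "https" or not target.hostname:
        return "non-https-redirect"
    host = target.hostname
    if any(host == t or host.endswith("." + t) for t in TRUSTED_REDIRECT_HOSTS):
        return "ok"
    return "untrusted-redirect"


def scan(lines):
    """Return (url, verdict) for every line that is not a clean OAuth request or non-OAuth link."""
    return [(line, classify(line)) for line in lines if classify(line) not in ("ok", "not-oauth")]


# Constructed sample log lines; the client_id value is a placeholder.
SAMPLE_LOG = [
    "https://login.microsoftonline.com/common/oauth2/v2.0/authorize?client_id=00000000-0000-0000-0000-000000000000"
    "&response_type=code&scope=openid&redirect_uri=https%3A%2F%2Fapp.example.com%2Fcallback",
    "https://login.microsoftonline.com/common/oauth2/v2.0/authorize?client_id=00000000-0000-0000-0000-000000000000"
    "&response_type=code&scope=openid&redirect_uri=https%3A%2F%2Fteams-recording.invalid%2Fdownload",
    "https://www.example.com/password-reset",
]

if __name__ == "__main__":
    for url, verdict in scan(SAMPLE_LOG):
        print(verdict, url)
```

The redirect hosts that are legitimate for a tenant are exactly the ones registered on its app registrations, which is the configuration Microsoft recommends reviewing.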

This attack reflects the evolution of phishing techniques. Where the focus used to be on tricking users into handing over passwords, the approach is now more subtle: exploiting trust in official login pages to create a sense of security before trapping victims with malicious downloads.

The technology company urged organizations to strengthen email filtering systems, review application redirect configurations, and increase staff education on advanced phishing tactics. The scale of this campaign is not yet known for sure, but the pattern of attacks shows a level of mature planning.

In an era where single sign-on and centralized authentication are the backbone of digital productivity, every convenience feature can turn into a manipulation tool if it is not closely monitored. The cyber world moves fast, and threat actors seem to be getting more creative in exploiting what is already legitimate into something dangerous.


The English, Chinese, Japanese, Arabic, and French versions are generated automatically by AI, so there may still be inaccuracies in the translation; please always refer to the Indonesian version as our main language. (system supported by DigitalSiber.id)