{
  "Event": {
    "analysis": "1",
    "date": "2026-03-02",
    "extends_uuid": "",
    "info": "[Threat Intel] OAuth redirection abuse enables phishing and malware delivery",
    "protected": false,
    "publish_timestamp": "1772807253",
    "published": true,
    "threat_level_id": "3",
    "timestamp": "1772807253",
    "uuid": "cc0b81a4-b876-492e-b09b-2255db997233",
    "Orgc": {
      "name": "Rectifyq",
      "uuid": "cd9bd516-61fa-476b-980f-2f8de03992d4"
    },
    "Tag": [
      {
        "colour": "#96f4f6",
        "local": false,
        "name": "misp-galaxy:producer=\"Microsoft\"",
        "relationship_type": ""
      },
      {
        "colour": "#ffffff",
        "local": false,
        "name": "tlp:clear",
        "relationship_type": ""
      },
      {
        "colour": "#004646",
        "local": false,
        "name": "type:OSINT",
        "relationship_type": ""
      },
      {
        "colour": "#b94b1d",
        "local": false,
        "name": "rectifyq:mitre-att&ck=\"none-from-src\"",
        "relationship_type": ""
      },
      {
        "colour": "#b94b1d",
        "local": false,
        "name": "rectifyq:mitre-att&ck=\"from-OTX\"",
        "relationship_type": ""
      },
      {
        "colour": "#9e0269",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Web Service - T1102\"",
        "relationship_type": ""
      },
      {
        "colour": "#3780c6",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"User Execution - T1204\"",
        "relationship_type": ""
      },
      {
        "colour": "#755c09",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"PowerShell - T1059.001\"",
        "relationship_type": ""
      },
      {
        "colour": "#1b95cd",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Phishing - T1566\"",
        "relationship_type": ""
      },
      {
        "colour": "#e08bb2",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Obfuscated Files or Information - T1027\"",
        "relationship_type": ""
      },
      {
        "colour": "#2e58ce",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Input Capture - T1056\"",
        "relationship_type": ""
      },
      {
        "colour": "#e1e63b",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"DLL Side-Loading - T1574.002\"",
        "relationship_type": ""
      },
      {
        "colour": "#49a260",
        "local": false,
        "name": "rectifyq:category=\"threat\"",
        "relationship_type": ""
      },
      {
        "colour": "#130049",
        "local": false,
        "name": "rectifyq:sub-category=\"campaign-analysis\"",
        "relationship_type": ""
      },
      {
        "colour": "#ffd12e",
        "local": false,
        "name": "rectifyq:target=\"broad-based\"",
        "relationship_type": ""
      },
      {
        "colour": "#55acee",
        "local": false,
        "name": "rectifyq:MY-relevancy=\"potentially-relevant\"",
        "relationship_type": ""
      },
      {
        "colour": "#626567",
        "local": false,
        "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
        "relationship_type": ""
      },
      {
        "colour": "#626567",
        "local": false,
        "name": "rectifyq:no-samples-in=\"Tria.ge\"",
        "relationship_type": ""
      },
      {
        "colour": "#3800d9",
        "local": false,
        "name": "rectifyq:action-taken=\"VT-comment\"",
        "relationship_type": ""
      },
      {
        "colour": "#3d00e9",
        "local": false,
        "name": "rectifyq:action-taken=\"telegram\"",
        "relationship_type": ""
      }
    ],
    "Attribute": [
      {
        "category": "External analysis",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1772593216",
        "to_ids": false,
        "type": "link",
        "uuid": "220849cc-11f1-4a8a-9634-77b27fd76411",
        "value": "https://www.microsoft.com/en-us/security/blog/2026/03/02/oauth-redirection-abuse-enables-phishing-malware-delivery/"
      },
      {
        "category": "Other",
        "comment": "Description",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1772593216",
        "to_ids": false,
        "type": "text",
        "uuid": "8b778307-d6f2-4ccf-a73d-8ecdd5264ed2",
        "value": "Microsoft has discovered phishing campaigns exploiting OAuth's redirection mechanisms to bypass conventional defenses. Attackers create malicious OAuth applications with redirect URIs pointing to malicious domains, then distribute phishing links prompting targets to authenticate. The attack abuses OAuth's error handling to redirect users from trusted providers to attacker-controlled sites for phishing or malware delivery. Campaigns targeted government and public sectors using e-signature, financial, and political lures. Some attacks led to malware downloads and endpoint compromise via PowerShell and DLL side-loading. Mitigation involves governing OAuth apps, limiting user consent, reviewing permissions, and implementing cross-domain detection across email, identity, and endpoint."
      },
      {
        "category": "Other",
        "comment": "Summary",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1772593216",
        "to_ids": false,
        "type": "text",
        "uuid": "854ef847-ad3c-4bbe-9c01-f0d46647d0f2",
        "value": "Name: OAuth redirection abuse enables phishing and malware delivery\nAuthor: AlienVault\nAdversary: \nTags: [\"oauth\", \"phishing\", \"public sector\", \"evilproxy\", \"endpoint\"]\nTgtd countries: []\nMlwr families: [\"EvilProxy\"]\nAttack_ids: [\"T1102\", \"T1204\", \"T1059.001\", \"T1566\", \"T1027\", \"T1056\", \"T1574.002\"]\nIndustries: [\"Government\"]"
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1772766947",
        "to_ids": true,
        "type": "domain",
        "uuid": "03f6dd9b-d8a2-4426-a1aa-1aeff828dce0",
        "value": "abv-abc3.top",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1772766968",
        "to_ids": true,
        "type": "domain",
        "uuid": "388d1347-5461-453f-aac1-ea3f8d4f9af9",
        "value": "calltask.im",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1772766990",
        "to_ids": true,
        "type": "domain",
        "uuid": "c7b5fef4-96e3-4d92-a0ea-8f7700bab208",
        "value": "ouviraparelhosauditivos.com.br",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1772767011",
        "to_ids": true,
        "type": "hostname",
        "uuid": "b4a6dbf8-23aa-4a47-83bd-a91da4a16668",
        "value": "weds101.siriusmarine-sg.com",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1772767032",
        "to_ids": true,
        "type": "url",
        "uuid": "44e96a57-752f-41b6-b30e-4d21a5f81c0f",
        "value": "https://dynamic-entry.powerappsportals.com/dynamics/",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1772767054",
        "to_ids": true,
        "type": "url",
        "uuid": "ae0b22bb-0c8b-4ae5-9413-ef18ff870057",
        "value": "https://login-web-auth.github.io/red-auth/",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1772767075",
        "to_ids": true,
        "type": "url",
        "uuid": "6b8fe43b-4a25-4e3a-9c67-6d8ae82627d4",
        "value": "https://westsecure.powerappsportals.com/security/",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1772767096",
        "to_ids": true,
        "type": "url",
        "uuid": "f6a8a7dc-6997-4d38-a2c6-11106dd2e9f2",
        "value": "https://gbm234.powerappsportals.com/auth/",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1772767118",
        "to_ids": true,
        "type": "url",
        "uuid": "4f249f7d-fe44-48b6-bd7d-d06db6d8fb9d",
        "value": "https://email-services.powerappsportals.com/divisor/",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1772767139",
        "to_ids": true,
        "type": "url",
        "uuid": "4cdb4596-a7b5-4b58-9b06-a13031b98b82",
        "value": "https://memointernals.powerappsportals.com/auth/",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1772767160",
        "to_ids": true,
        "type": "url",
        "uuid": "a449a42f-af8b-400f-b879-03b22e566bbd",
        "value": "https://calltask.im/cpcounting/via-secureplatform/quick/",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1772767182",
        "to_ids": true,
        "type": "url",
        "uuid": "d7626d19-f1df-4d72-9f70-c90f2da91bcd",
        "value": "https://ouviraparelhosauditivos.com.br/auth/entry.php",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1772767203",
        "to_ids": true,
        "type": "url",
        "uuid": "aecd5ab4-2944-4d4f-afa6-0a08926af775",
        "value": "https://abv-abc3.top/abv2/css/red.html",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1772767224",
        "to_ids": true,
        "type": "url",
        "uuid": "e0f4a508-ad61-483d-9554-9e4dfbe774b2",
        "value": "https://weds101.siriusmarine-sg.com/minerwebmailsecure101/",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1772767245",
        "to_ids": true,
        "type": "url",
        "uuid": "a55e31ce-403d-482f-b20b-8ff0cbf87b8d",
        "value": "https://mweb-ssm.surge.sh",
        "Tag": [
          {
            "colour": "#f08989",
            "local": false,
            "name": "NotFoundError",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1772767266",
        "to_ids": true,
        "type": "url",
        "uuid": "b157f3db-dfd0-497e-bf35-aef78a9acb22",
        "value": "https://ssmapp.github.io/web",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1772767288",
        "to_ids": true,
        "type": "url",
        "uuid": "863300e9-dcbb-436a-9a76-ac4868b9816f",
        "value": "https://ssmview-group.gitlab.io/ssmview",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      }
    ]
  }
}