Microsoft Warns of Sophisticated Phishing Campaigns Exploiting OAuth and Fake Compliance Emails
Microsoft has issued multiple warnings regarding phishing campaigns that use OAuth URL redirection and fake compliance-themed emails to steal credentials and deliver malware. One campaign identified between April 14 and 16, 2026, targeted over 35,000 users across 13,000 organizations in 26 countries, primarily in the United States. A separate warning highlighted an ongoing technique where attackers exploit OAuth redirect features to bypass phishing defenses.
Attack Methods
OAuth URL Redirection Technique
Microsoft warned of phishing campaigns that exploit OAuth URL redirection mechanisms to circumvent standard phishing defenses. These campaigns primarily target government and public-sector organizations. The attacks leverage standard OAuth behavior rather than exploiting software vulnerabilities or stealing credentials directly.
Attackers craft URLs on popular identity providers such as Entra ID or Google Workspace, using manipulated parameters or an associated malicious application. The links appear to belong to the identity provider but redirect users to attacker-controlled landing pages.
The attack flow begins when a threat actor creates a malicious application in a tenant they control, configured with a redirect URL pointing to a rogue domain hosting malware. An OAuth phishing link is then distributed that instructs recipients to authenticate while requesting an intentionally invalid scope. Because the identity provider returns authorization errors to the application's registered redirect URL, the invalid request sends the user's browser to the rogue domain, where the user inadvertently downloads malware.
Malware Delivery via ZIP Archives
Malicious payloads are distributed within ZIP archives. When unpacked, the archive contains a Windows shortcut (LNK) that executes a PowerShell command, performing host reconnaissance. The LNK file extracts an MSI installer that drops a decoy document. A malicious DLL named "crashhandler.dll" is sideloaded using the legitimate "steam_monitor.exe" binary. The DLL decrypts and executes another file, "crashlog.dat," in memory, establishing an outbound connection to a command-and-control (C2) server. This process may include steps that could lead to ransomware deployment.
Fake Compliance Email Campaign
Between April 14 and 16, 2026, a separate phishing campaign impersonated HR and compliance communications targeting over 35,000 users across 13,000 organizations in 26 countries. The campaign used subject lines such as "Internal case log issued under conduct policy" and "Reminder: employer opened a non-compliance case log." Display names like "Internal Regulatory COC" and "Workforce Communications" were used. Emails included a notice stating the message was issued through an authorized internal channel and a green banner falsely indicating encryption via Paubox.
The campaign targeted organizations in the healthcare, financial services, professional services, and technology sectors. Attackers used email templates mimicking internal corporate communications.
Attack Chain
Phishing Email to Credential Harvesting
Recipients who opened an attached PDF were directed to click a "Review Case Materials" link. This link initiated a redirect chain:
- A Cloudflare CAPTCHA page
- A page stating account authentication was required to access encrypted documents
- After clicking "Review & Sign," users entered their email address and completed a second CAPTCHA
- A "Sign in with Microsoft" button with a five-minute expiration
- An adversary-in-the-middle (AiTM) session that proxied credentials and authentication factors to the real sign-in page, allowing attackers to intercept session tokens
CAPTCHAs were used to prevent automated analysis. The campaign varied its final destination based on whether the victim used a mobile device or desktop.
Lures and Distribution
Phishing emails employed various lures, including e-signature requests, Teams recordings, and themes related to social security, finance, and politics. The emails were sent using mass-sending tools and custom solutions developed in Python and Node.js. Links were embedded directly in the email body or within PDF documents. Attackers passed the target email address through the state parameter using encoding techniques, allowing it to be automatically pre-populated on the phishing page.
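Both OAuth ingredients the article describes, a redirect URL that the identity provider honours even when the requested scope is invalid and a victim address smuggled through the state parameter, can be checked for in links pulled from mail logs or URL-rewriting services. The Python triage helper below is an added example, not Microsoft's tooling; the allowlisted hosts, known scopes and sample links are constructed placeholders.

```python
import base64
import re
from urllib.parse import parse_qs, urlparse

# IdP authorization hosts named in the article; the two allowlists are constructed placeholders.
IDP_AUTHORIZE_HOSTS = {"login.microsoftonline.com", "accounts.google.com"}
TRUSTED_REDIRECT_HOSTS = {"app.example-corp.test", "login.example-corp.test"}
KNOWN_SCOPES = {"openid", "profile", "email", "offline_access", "User.Read"}
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")

def decode_state(state: str) -> str:
    """Undo base64/base64url on a state value; return it unchanged if it is not encoded text."""
    padded = state + "=" * (-len(state) % 4)
    for decoder in (base64.urlsafe_b64decode, base64.b64decode):
        try:
            return decoder(padded).decode("utf-8")
        except (ValueError, UnicodeDecodeError):
            continue
    return state

def triage_oauth_link(url: str) -> dict:
    """Return findings for one URL; an empty 'reasons' list means nothing stood out."""
    parsed = urlparse(url)
    params = {k: v[0] for k, v in parse_qs(parsed.query).items()}
    findings = {"is_authorize": False, "redirect_host": None, "email": None, "reasons": []}
    if parsed.hostname not in IDP_AUTHORIZE_HOSTS or "authorize" not in parsed.path:
        return findings  # not an OAuth authorization link
    findings["is_authorize"] = True
    # The IdP sends the browser to redirect_uri on success and on error alike.
    findings["redirect_host"] = urlparse(params.get("redirect_uri", "")).hostname
    if findings["redirect_host"] not in TRUSTED_REDIRECT_HOSTS:
        findings["reasons"].append("redirect_uri missing or outside trusted hosts")
    # Unknown scope values: an invalid scope forces the error-redirect path.
    unknown = [s for s in params.get("scope", "").split() if s not in KNOWN_SCOPES]
    if unknown:
        findings["reasons"].append("unknown scope: " + " ".join(unknown))
    # An address smuggled through state so the phishing page can pre-fill it.
    match = EMAIL_RE.search(decode_state(params.get("state", "")))
    if match:
        findings["email"] = match.group(0)
        findings["reasons"].append("state carries an e-mail address")
    return findings

# Constructed samples: a routine sign-in link and one shaped like the lure described above.
_AUTHZ = "https://login.microsoftonline.com/common/oauth2/v2.0/authorize?client_id=app-id-placeholder"
_ENCODED_TARGET = base64.urlsafe_b64encode(b"jdoe@example-corp.test").decode().rstrip("=")
BENIGN_LINK = _AUTHZ + "&redirect_uri=https://app.example-corp.test/cb&scope=openid%20User.Read&state=abc123"
SUSPICIOUS_LINK = (_AUTHZ + "&redirect_uri=https://files.rogue-placeholder.test/get"
                   "&scope=openid%20bogus.scope&state=" + _ENCODED_TARGET)
```

Feed it the URLs extracted from a message and alert on any result with a non-empty reasons list; a non-empty email field also tells you which mailbox the lure was built for.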
Broader Context
Phishing Activity Trends
Microsoft reports an increase in phishing activity, including QR code-based attacks and CAPTCHA-gated phishing flows.
Microsoft Email System Abuse
The Spamhaus Project, an anti-spam non-profit, reported that scammers have been exploiting a loophole in Microsoft's account notification system to send spam from the legitimate internal email address msonlineservicesteam@microsoftonline.com. This address is typically used for sending account alerts such as two-factor authentication codes. The abuse has been ongoing for several months. Scammers set up new Microsoft accounts and used the system to send emails posing as Microsoft, with subject lines resembling fraud alerts or private message notifications containing links to scam websites. A Microsoft spokesperson acknowledged an inquiry but provided no further comment.
Mitigation Recommendations
Microsoft recommends the following measures for organizations:
- Limit user consent for applications
- Regularly review application permissions
- Remove unused or overprivileged applications
- Deploy multi-factor authentication methods such as FIDO security keys or Windows Hello
- Enable Safe Links and Safe Attachments in Microsoft Defender for Office 365
- Enable Zero-hour auto purge to retroactively remove malicious messages
- Conduct phishing simulation training for employees
Microsoft has removed several malicious OAuth applications identified during its investigation.