
Crims hope for payday from malicious payloads rather than stealing access tokens


Microsoft has warned organizations about ongoing OAuth abuse scams that use phishing emails and URL redirects to infect victims' machines with malware and take over their devices.

The phishing expedition targets government and public-sector organizations, according to a Monday report from Redmond's security researchers. And while Microsoft Entra disabled the malicious OAuth applications, Microsoft's infosec squad warned "related OAuth activity persists and requires ongoing monitoring."

Microsoft declined to answer The Register's inquiries, including questions about the size and scope of these campaigns.

OAuth, which stands for Open Authorization, is a commonly used standard for online authorization using third-party credentials. If a website offers the chance to sign in with a Google, Facebook, or Apple account, it’s probably using OAuth, and relies on the standard’s use of access tokens to make it happen.

OAuth has a legitimate feature that allows identity providers to redirect users to ...


Copyright of this story solely belongs to theregister.co.uk.