OAuth URL redirection phishing campaign targeting government and public-sector organizations
Campaign
Summary
The OAuth URL redirection phishing campaign targets government and public-sector organizations. Its lure links point at a legitimate identity provider's OAuth authorization endpoint but are built so that the provider's error flow redirects the victim's browser to an attacker-controlled destination, which lets the links pass email and browser defenses that judge the visible domain. Some branches deliver ZIP archives that trigger PowerShell execution, DLL side-loading, and outbound C2 activity; others land on EvilProxy pages that capture credentials and session cookies. Several malicious OAuth applications tied to the operation have already been removed.
Related Happenings
EvilTokens Microsoft 365 consent phishing campaign
Campaign
First: 19.05.2026 14:30
Last: 19.05.2026 14:30
Sources 1
About this happening:
The **EvilTokens** campaign rapidly compromised **more than 340 Microsoft 365 organizations** across **five countries**, showing how **OAuth grant abuse** can bypass **MFA** and c...
Formbook phishing campaign using DLL sideloading and obfuscated JavaScript
Campaign
First: 20.04.2026 18:01
Last: 20.04.2026 18:01
Sources 1
About this happening:
The **Formbook** phishing operation is targeting **Windows** organizations across **Greece, Spain, Slovenia, Bosnia, Croatia** and **South America**, using **DLL sideloading** and...
Turkey-focused low-dollar ransomware campaign using phishing and modified commercial malware
Campaign
First: 16.04.2026 09:00
Last: 16.04.2026 09:00
Sources 1
About this happening:
A **Turkey-focused ransomware campaign** has been hitting **individuals and SMBs** with **low-dollar extortion** at scale, making the operation significant despite the modest rans...
Fake Claude PlugX phishing campaign
Campaign
First: 13.04.2026 12:52
Last: 13.04.2026 12:52
Sources 1
About this happening:
A **February** phishing campaign used a **fake Claude website** and **fake meeting invitations** to deliver **PlugX** malware to recipients, turning a popular AI brand into a malw...
Latest development: 07.05.2026 13:02
A fake Claude AI site at claude-pro[.]com distributed Claude-Pro-windows-x64.zip, which drops NOVupdate.exe, NOVupdate.exe.dat, and avk.dll to sideload DonutLoader and load the Beagle backdoor on Windows. The backdoor uses license[.]claude-pro[.]com for command-and-control over TCP 443 and/or UDP 8080, and related Beagle samples were submitted to VirusTotal between February and April this year.
OAuth device-code phishing campaign targeting SaaS accounts
Campaign
First: 04.04.2026 17:17
Last: 04.04.2026 17:17
Sources 1
About this happening:
A **device code phishing** campaign now includes **EvilTokens**, a **phishing-as-a-service** kit sold on **Telegram** that uses the **OAuth 2.0 device authorization flow** to hija...
Timeline
03.03.2026 11:20 · 2 articles
Microsoft warns of OAuth redirect phishing against government organizations
Initial Disclosure: Microsoft warned that phishing campaigns are abusing OAuth URL redirection to target government and public-sector organizations while bypassing conventional email and browser defenses. The lure emails link to a legitimate OAuth authorization endpoint, but the request is tied to a malicious OAuth app and carries manipulated parameters, including an intentionally invalid scope, so the identity provider's error response redirects the victim's browser to an attacker-controlled destination. Lure themes include e-signature requests, Teams recordings, social security, financial, and political content. Some branches deliver ZIP archives that trigger PowerShell execution, DLL side-loading, and pre-ransomware or hands-on-keyboard activity; others lead to EvilProxy pages that intercept credentials and session cookies. Microsoft said it removed several of the malicious OAuth applications and advised limiting user consent, reviewing application permissions, and removing unused or overprivileged apps.
Sources
- Microsoft Warns OAuth Redirect Abuse Delivers Malware to Government Targets — thehackernews.com — 03.03.2026 11:20
- Microsoft: Hackers abuse OAuth error flows to spread malware — www.bleepingcomputer.com — 03.03.2026 22:59
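Triage logic for the lure links described in the summary and in Microsoft's disclosure above, as an added example and not code from this page, from Microsoft, or from either cited article. It assumes a constructed allow-list of redirect hosts taken from an approved-app inventory and a small set of recognised scope values; the sample URLs, client IDs and the `attacker.example` host are constructed for the example. The check targets the two properties that make these links dangerous: the visible host is the legitimate identity provider, while the `redirect_uri` and `scope` parameters belong to the attacker.

```python
"""Triage OAuth authorization links pulled from phishing emails.

Added example: flags authorize URLs whose redirect target or scope does not
match what the organisation's own OAuth apps would send, the pattern behind
OAuth error-flow redirection lures.
"""
import re
from urllib.parse import parse_qs, urlparse

# Identity-provider hosts whose /authorize endpoint the lure links point at.
IDP_AUTHORIZE_HOSTS = {"login.microsoftonline.com"}
# Redirect hosts registered by approved OAuth apps. Constructed allow-list for
# the example; in practice populate it from your tenant's app inventory.
TRUSTED_REDIRECT_HOSTS = {"teams.microsoft.com", "portal.example.gov"}
# Scope values the organisation expects to see. Constructed for the example.
KNOWN_OIDC_SCOPES = {"openid", "profile", "email", "offline_access"}
KNOWN_SCOPE_PREFIXES = ("https://graph.microsoft.com/",)
# RFC 6749 section 3.3: scope-token = 1*( %x21 / %x23-5B / %x5D-7E )
SCOPE_TOKEN_RE = re.compile(r"^[\x21\x23-\x5b\x5d-\x7e]+$")


def is_authorize_url(parsed):
    """True when the link lands on an IdP OAuth 2.0 authorization endpoint."""
    return (parsed.scheme == "https"
            and parsed.hostname in IDP_AUTHORIZE_HOSTS
            and parsed.path.rstrip("/").endswith("/authorize"))


def scope_is_recognised(token):
    """A scope token is recognised if it is an OIDC scope or a known resource scope."""
    return token in KNOWN_OIDC_SCOPES or token.startswith(KNOWN_SCOPE_PREFIXES)


def triage_oauth_link(url):
    """Return a dict describing one URL; 'findings' is empty for benign links."""
    parsed = urlparse(url)
    result = {"url": url, "oauth_authorize": is_authorize_url(parsed), "findings": []}
    if not result["oauth_authorize"]:
        return result  # not an OAuth authorize link, nothing to check here

    # parse_qs decodes %XX and '+' so redirect_uri and scope arrive as plain text.
    params = {k: v[0] for k, v in parse_qs(parsed.query, keep_blank_values=True).items()}
    redirect = urlparse(params.get("redirect_uri", ""))
    scope = params.get("scope", "")
    result["client_id"] = params.get("client_id")
    result["redirect_host"] = redirect.hostname
    result["scope"] = scope

    # The IdP sends both the code and any error response to redirect_uri, so an
    # unknown host here means the attacker receives whatever the flow produces.
    if redirect.scheme != "https":
        result["findings"].append("redirect_uri is not https")
    if redirect.hostname not in TRUSTED_REDIRECT_HOSTS:
        result["findings"].append("redirect_uri host not in approved app inventory")

    # An invalid scope makes the IdP answer with an error redirect instead of a
    # consent prompt; flag scopes that are empty, malformed, or unrecognised.
    tokens = scope.split(" ") if scope else []
    if not tokens or any(not SCOPE_TOKEN_RE.match(t) for t in tokens):
        result["findings"].append("scope missing or malformed (RFC 6749 scope-token)")
    elif any(not scope_is_recognised(t) for t in tokens):
        result["findings"].append("scope contains unrecognised value")
    return result


def triage_all(links):
    """Triage a batch of URLs and return the results in the same order."""
    return [triage_oauth_link(u) for u in links]


# Constructed sample links, not indicators from the campaign.
SAMPLE_LINKS = [
    # Benign: approved app, https redirect to an inventoried host, standard scopes.
    "https://login.microsoftonline.com/common/oauth2/v2.0/authorize"
    "?client_id=11111111-1111-1111-1111-111111111111"
    "&response_type=code&redirect_uri=https%3A%2F%2Fteams.microsoft.com%2Fauth"
    "&scope=openid+profile+offline_access",
    # Lure: same legitimate IdP host, but redirect_uri belongs to an app the
    # attacker registered and the scope is deliberately invalid.
    "https://login.microsoftonline.com/common/oauth2/v2.0/authorize"
    "?client_id=22222222-2222-2222-2222-222222222222"
    "&response_type=code&redirect_uri=https%3A%2F%2Fesign-review.attacker.example%2Fcb"
    "&scope=not.a.real.scope",
    # Not an OAuth link at all; passes through untouched.
    "https://www.example.gov/policies/social-security.pdf",
]

if __name__ == "__main__":
    for r in triage_all(SAMPLE_LINKS):
        verdict = "SUSPICIOUS" if r["findings"] else "ok"
        print(f"{verdict:10} {r['url'][:70]}")
        for f in r["findings"]:
            print(f"           - {f}")
```

The important design point is that the lure's visible host is a domain most URL-reputation filters trust, so the check has to parse the query string rather than score the hostname; the same parsing can be applied to proxy or email-gateway logs to find which users received such links before any consent or error redirect occurred.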