OAuth Abuse
5th May 2025
By Mimecast Threat Research Team
What you'll learn in this notification
- Campaign using OAuth applications
- Users are redirected to malicious pages
- Campaign Objective: possible Reconnaissance and Data Collection plus credential phishing
- Recent campaigns predominantly target Real Estate and Professional Service businesses in the US
The Mimecast Threat Research team continues to observe emails containing URLs that manipulate Microsoft OAuth parameters to redirect users to malicious pages. The campaign has generated approximately 4,500 observed instances within a two-week period, primarily targeting Real Estate and Professional Service businesses in the US. This methodical approach appears to focus on gathering business intelligence as well as harvesting credentials while maintaining a deceptively legitimate appearance. The technique relies on URL manipulation of Microsoft's OAuth implementation: because every link in the chain points at a legitimate Microsoft domain, the lure is highly convincing and may bypass traditional security controls that trust those domains.
In these campaigns, targets are initially presented with lures containing URLs that leverage legitimate Microsoft authentication domains. After clicking the link and completing the standard authentication process, users are prompted with a seemingly harmless permission request that enables basic data harvesting. While open-source reports have previously noted that some malicious apps request broader access to user accounts, our research has so far observed this technique being primarily used to ask for basic user information, such as email addresses, job titles, and profile pictures. More recent campaigns have further obfuscated the attack by embedding the redirection URLs within encoded parameters, making detection by both users and security solutions significantly more difficult.
Two explanations fit this activity. First, threat actors may be collecting basic user details, such as full names, job titles and profile pictures, to validate email accounts for use in subsequent attacks. Alternatively, requesting only basic permissions may be a tactic to avoid raising suspicion, with the ultimate goal of redirecting users to credential harvesting pages. Either way, whether a user accepts or denies the permission request, Microsoft still redirects them to the redirect URI registered by the malicious application (on denial, with an error parameter appended), so the user lands on the attacker's page regardless.
Technical Analysis
Typically, the URL structure we have seen in these campaigns follows the pattern below.
https://login.microsoftonline.com/common/reprocess?ctx=rQQIARAA02I20jOwUjE3MTFJM0ky1TU0TEvSNTFONNK1SDJK1jUzMjSxMAUCC4PkIiEugcTgtV7WT-pcZpwUj7mt7ye_ilEpo6SkoNhKX78gJzEvsbQkIzknMzWvRC8lVT8lozgjJTXVZAcj4wVGxlVMbMYGBibGBreY-P0dgQqNQER-UWZV6icmjrSixPRcoL5ZzBwWRpbmRpZGhpuY2ZLzc3Pz83YxqxgYGBomJRlZ6poamBvpGlgkm-omJqda6KYam1kmG5mZmxkZmZ1iFskvSM3LTFFIzU3MzFEoKMpPy8xJvcHMeIGF8RULjwGrFQcHlwC_BLsCww8WxkWsQP8kKS969XB5t8PUG------
/common - The shared tenant endpoint on Microsoft's login system, meaning the request is not tied to a specific organization; any user (personal or corporate) could be targeted.
/reprocess - Normally used by Microsoft to retry or resume a failed or interrupted authentication flow.
ctx - A context parameter carrying session, tenant, redirect URL and authentication-state information that Microsoft needs during the OAuth transaction. Microsoft generates it, usually when a login session is interrupted or fails. It is opaque to the user, and the attacker obtains one by capturing it from their own session rather than forging it (see URL Generation below).
URL Generation
- The threat actor registers an application in Azure AD and sets its redirect URI to a malicious page to be used in the campaign.
- They generate an OAuth authorization URL for that application, including the redirect link and parameters such as response_type, so that when clicked it triggers a consent prompt requesting access to the user's account. Note: other response_type options can be used that do not show a consent page and silently redirect the user to the malicious page.
- Using this URL, they attempt to log in themselves and interrupt or manipulate the session so that Microsoft generates a ctx string, which encodes the redirect URL and session details.
- They then craft the final phishing URL by inserting the captured ctx into the /common/reprocess endpoint, which initiates a login flow for any user in any tenant. We have observed that a single generated ctx tends to be reused across many targets, which makes the ctx value itself a useful pivot when hunting and blocking.
Mimecast Protection
We have identified several attributes in the recent campaigns and added them to our detection capabilities. We continue to monitor for changes in the techniques used with OAuth links.
Targets:
Predominantly US, Real Estate, Professional Services
Recommendations
- Assess external application requirements
  - Conduct thorough reviews of existing third-party application consents across the organization.
  - Enable enhanced logging for OAuth requests to facilitate early detection of suspicious activity.
- User security awareness training
  - Users should scrutinize Microsoft login requests that ask for permissions, however basic the requested permissions appear.
  - Conduct regular phishing simulations that include Microsoft permission-request scenarios.
- Proactive threat hunting
  - Search URL Protect logs for the reprocess?ctx= parameter, as this is a key indicator of this campaign. A click alone does not mean the user consented; correlate hits with sign-in and consent logs for the same user and time window.
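To make the reprocess?ctx= hunt recommended above concrete, and to cover the encoded-parameter variant described earlier (the Microsoft redirection URL nested, URL-encoded, inside another URL's query string), here is an added Python example. It is not Mimecast code and not part of the original advisory. The click-log lines, ctx values, client_id and hostnames in it are constructed, the "user=... url=..." log layout is an assumption, and the list of first-party host suffixes used to ignore authorize URLs that redirect back into Microsoft properties is an assumption made to reduce noise, not a statement from the advisory.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# The login host the advisory describes. The suffix allowlist is an assumption used
# only to ignore authorize URLs whose redirect_uri points back into Microsoft properties.
MS_LOGIN_HOST = "login.microsoftonline.com"
FIRST_PARTY_SUFFIXES = ("microsoft.com", "microsoftonline.com", "office.com")

URL_RE = re.compile(r"https?://[^\s\"'<>]+")
# Assumed log layout: "... user=<upn> ... url=<clicked url> ..."
LINE_RE = re.compile(r"user=(?P<user>\S+).*?url=(?P<url>\S+)")


def decode_layers(value: str, max_depth: int = 5) -> list[str]:
    """Return value followed by each successive percent-decoding of it, so a URL that
    was URL-encoded one or more times inside another parameter becomes visible."""
    layers = [value]
    for _ in range(max_depth):
        decoded = unquote(layers[-1])
        if decoded == layers[-1]:
            break
        layers.append(decoded)
    return layers


def is_first_party(host: str) -> bool:
    return any(host == s or host.endswith("." + s) for s in FIRST_PARTY_SUFFIXES)


def classify_url(url: str) -> list[str]:
    """Return indicator tags for url, recursing into any URL carried in its query."""
    tags: list[str] = []
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    path = parts.path.rstrip("/")
    query = parse_qs(parts.query)  # applies one round of percent-decoding to values

    if host == MS_LOGIN_HOST:
        segments = path.split("/")  # e.g. ['', 'common', 'reprocess']
        tenant = segments[1] if len(segments) > 1 else ""
        # Key indicator from the advisory: /<tenant>/reprocess?ctx=<captured ctx>
        if path.endswith("/reprocess") and "ctx" in query:
            tags.append(f"reprocess_ctx tenant={tenant}")
        # The consent-prompt form: an authorize URL whose redirect_uri leaves Microsoft.
        # Legitimate apps do this too, so this is a lead for triage, not a verdict.
        if "/oauth2/" in path and path.endswith("/authorize"):
            for redirect in query.get("redirect_uri", []):
                rhost = (urlsplit(redirect).hostname or "").lower()
                if rhost and not is_first_party(rhost):
                    rtype = ",".join(query.get("response_type", ["?"]))
                    tags.append(f"authorize_external_redirect host={rhost} response_type={rtype}")

    # The obfuscated variant: the Microsoft URL hidden, encoded, inside another URL's parameter.
    for key, values in query.items():
        for value in values:
            for layer in decode_layers(value):
                for nested in URL_RE.findall(layer):
                    tags.extend(f"nested[{key}] {t}" for t in classify_url(nested))
    return list(dict.fromkeys(tags))  # de-duplicate while keeping order


def hunt(log_text: str) -> list[tuple[str, list[str]]]:
    """Return (user, tags) for every log line whose clicked URL carries an indicator."""
    hits = []
    for line in log_text.splitlines():
        match = LINE_RE.search(line)
        if match:
            tags = classify_url(match["url"])
            if tags:
                hits.append((match["user"], tags))
    return hits


# Constructed click-log lines (not real URL Protect output); ctx values are placeholders.
SAMPLE_LOG = """\
2025-05-01T09:12:03Z user=a.smith@example.com url=https://login.microsoftonline.com/common/reprocess?ctx=EXAMPLECTX0001 action=clicked
2025-05-01T09:15:44Z user=b.jones@example.com url=https://login.microsoftonline.com/common/oauth2/v2.0/authorize?client_id=11111111-2222-3333-4444-555555555555&response_type=code&redirect_uri=https%3A%2F%2Fdocs-share.invalid%2Fcb&scope=User.Read action=clicked
2025-05-01T09:20:10Z user=c.lee@example.com url=https://tracker.example/r?next=https%253A%252F%252Flogin.microsoftonline.com%252Fcommon%252Freprocess%253Fctx%253DEXAMPLECTX0002 action=clicked
2025-05-01T09:25:00Z user=d.kim@example.com url=https://login.microsoftonline.com/common/oauth2/v2.0/authorize?client_id=11111111-2222-3333-4444-555555555555&response_type=code&redirect_uri=https%3A%2F%2Fmyapps.microsoft.com%2F&scope=User.Read action=clicked
2025-05-01T09:30:00Z user=e.ng@example.com url=https://www.office.com/ action=clicked
"""

if __name__ == "__main__":
    for user, tags in hunt(SAMPLE_LOG):
        print(user, tags)
```

The third sample line is the case the advisory says is hardest to spot: the reprocess URL never appears in clear text in the log, only after two rounds of percent-decoding of the next parameter, which is why decode_layers keeps peeling until the value stops changing. Because the advisory reports a single ctx being reused across many targets, grouping hits by the ctx value is a natural next pivot once hits are found.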
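For the third-party consent review recommended above, the following added Python example (not Mimecast code, and not part of the original advisory) triages exported delegated-permission grants. It assumes the grants have been exported from Microsoft Graph (for instance with Get-MgOauth2PermissionGrant and Get-MgServicePrincipal from the Microsoft Graph PowerShell module) and joined to the client service principal; the records below are constructed with Graph-style field names, the home tenant id and user ids are placeholders, and the set of "basic" scopes is taken from the profile-level data the advisory says these apps request.

```python
from collections import defaultdict
from urllib.parse import urlsplit

# Placeholder home tenant id (constructed). Apps owned by this tenant are first-party
# and skipped; the review targets third-party apps, as the advisory recommends.
HOME_TENANT = "aaaaaaaa-0000-0000-0000-000000000001"
# The profile-level permissions the advisory says these apps ask for.
BASIC_SCOPES = {"openid", "profile", "email", "offline_access", "User.Read"}

# Constructed records shaped after Microsoft Graph oauth2PermissionGrant objects, each
# joined to its client servicePrincipal (appDisplayName, appOwnerOrganizationId,
# verifiedPublisher, replyUrls). Not real data.
GRANTS = [
    {"clientId": "sp-1", "appDisplayName": "Contoso HR Portal",
     "appOwnerOrganizationId": HOME_TENANT,
     "verifiedPublisher": {"verifiedPublisherId": None, "displayName": None},
     "replyUrls": ["https://hr.contoso.example/auth"],
     "consentType": "AllPrincipals", "principalId": None, "scope": "User.Read Mail.Read"},
    *[{"clientId": "sp-2", "appDisplayName": "Profile Viewer",
       "appOwnerOrganizationId": "bbbbbbbb-0000-0000-0000-000000000002",
       "verifiedPublisher": {"verifiedPublisherId": None, "displayName": None},
       "replyUrls": ["https://docs-share.invalid/callback"],
       "consentType": "Principal", "principalId": user,
       "scope": "openid profile email User.Read"}
      for user in ("user-a", "user-b", "user-c")],
    {"clientId": "sp-3", "appDisplayName": "Known SaaS",
     "appOwnerOrganizationId": "cccccccc-0000-0000-0000-000000000003",
     "verifiedPublisher": {"verifiedPublisherId": "pub-1", "displayName": "Known SaaS Inc"},
     "replyUrls": ["https://app.knownsaas.example/oauth"],
     "consentType": "Principal", "principalId": "user-a", "scope": "User.Read Files.ReadWrite"},
]


def triage(grants, home_tenant=HOME_TENANT, min_users=2):
    """Group grants by client app and return the third-party apps worth a closer look,
    with the reasons, the number of users who consented individually, and the hosts
    the app sends users to after consent (where a lure would land them)."""
    apps = defaultdict(lambda: {"name": "", "users": set(), "scopes": set(),
                                "reply_hosts": set(), "verified": False})
    for g in grants:
        if g["appOwnerOrganizationId"] == home_tenant:
            continue  # first-party app, out of scope for a third-party review
        app = apps[g["clientId"]]
        app["name"] = g["appDisplayName"]
        app["scopes"].update(g["scope"].split())
        app["verified"] = bool((g.get("verifiedPublisher") or {}).get("verifiedPublisherId"))
        app["reply_hosts"].update((urlsplit(u).hostname or "").lower() for u in g.get("replyUrls", []))
        if g["consentType"] == "Principal":  # individual user consent, the flow a lure drives
            app["users"].add(g["principalId"])

    findings = {}
    for client_id, app in apps.items():
        reasons = []
        if not app["verified"]:
            reasons.append("no verified publisher")
        if len(app["users"]) >= min_users:
            reasons.append(f"{len(app['users'])} users consented individually")
        extra = sorted(app["scopes"] - BASIC_SCOPES)
        if extra:
            reasons.append("scopes beyond basic profile: " + ", ".join(extra))
        if reasons:
            findings[client_id] = {"name": app["name"], "user_count": len(app["users"]),
                                   "reply_hosts": sorted(app["reply_hosts"]),
                                   "reasons": sorted(reasons)}
    return findings


if __name__ == "__main__":
    for client_id, finding in triage(GRANTS).items():
        print(client_id, finding)
```

The "Profile Viewer" record models the campaign the advisory describes: an external, unverified app asking only for basic profile scopes, but consented to by several users in a short period. That combination is the signal to chase; the scope list alone would look harmless, which is exactly why the advisory suggests the attackers keep it minimal. An admin-consented (AllPrincipals) grant shows no individual users, so review those separately rather than relying on the user count.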