Hashtag: #PhishingEmail
Hackers Abuse OAuth Flaws for Microsoft Malware Delivery

Microsoft has warned that hackers are weaponizing OAuth error flows to redirect users from trusted Microsoft login pages to malicious sites that deliver malware. The campaigns, observed by Microsoft Defender researchers, primarily target government and public-sector organizations using phishing emails that appear to be legitimate Microsoft notifications or service messages. By abusing how OAuth 2.0 handles authorization errors and redirects, attackers are able to bypass many email and browser phishing protections that normally block suspicious URLs. This turns a standards-compliant identity feature into a powerful tool for malware distribution and account compromise.

The attack begins with threat actors registering malicious OAuth applications in a tenant they control and configuring them with redirect URIs that point to attacker infrastructure. Victims receive phishing links that invoke Microsoft Entra ID authorization endpoints, which visually resemble legitimate sign-in flows, increasing user trust. The attackers craft these URLs with parameters for silent authentication and intentionally invalid scopes, which trigger an OAuth error instead of a normal sign-in. Rather than breaking the flow, this error causes the identity provider to follow the standard and redirect the user to the attacker-controlled redirect URI.

Once redirected, victims may land on advanced phishing pages powered by attacker-in-the-middle frameworks such as EvilProxy, allowing threat actors to harvest valid session cookies and bypass multi-factor authentication. Microsoft notes that the attackers misuse the OAuth "state" parameter to automatically pre-fill the victim's email address on the phishing page, making it look more authentic and reducing friction for the user.

In other cases, the redirect leads to a "/download" path that automatically serves a ZIP archive containing malicious shortcut (LNK) files and HTML smuggling components. These variations show how the same redirection trick can support both credential theft and direct malware delivery.

If a victim opens the malicious LNK file, it launches PowerShell to perform reconnaissance on the compromised host and stage the next phase of the attack. The script extracts components needed for DLL side-loading, where a legitimate executable is abused to load a malicious library. In this campaign, a rogue DLL named crashhandler.dll decrypts and loads the final payload crashlog.dat directly into memory, while a benign-looking binary (stream_monitor.exe) displays a decoy application to distract the user. This technique helps attackers evade traditional antivirus tools and maintain stealthy, in-memory persistence.

Microsoft stresses that these are identity-based threats that exploit intended behaviors in the OAuth specification rather than exploiting a software vulnerability. The company recommends tightening permissions for OAuth applications, enforcing strong identity protections and Conditional Access policies, and applying cross-domain detection that correlates email, identity, and endpoint signals. Organizations should also closely monitor application registrations and unusual OAuth consent flows to spot malicious apps early. As this abuse of standards-compliant error handling is now active in real-world campaigns, defenders must treat OAuth flows themselves as a critical attack surface, not just a background authentication detail.

Hackers Abuse OAuth Flaws for Microsoft Malware Delivery #Microsoft #OAuth #Phishingemail

0 0 0 0

🎣 Ever felt like your inbox is a fishing pond full of suspicious bait? Here’s how to spot those slippery phishing emails trying to reel you in.

Are you ready to explore more? Check out the link shared below.

blog.swha.online/how-do-you-i...

#SWHA #PhishingEmail

0 0 0 0
Phishing emails: a guide on what to look for Interfuture Security breaks down all the potentially malicious elements in phishing emails - as one of the most common types of cyber crime, you're going to ...

We return to the topic of phishing with a detailed guide of what to look out for in suspicious emails: remember to think before you click! zurl.co/pRPBK

#cybersecurity #itsecurityoperations #itsecurity #socservices #phishing #phishingemail #guide

2 1 0 0
Recently, AhnLab SEcurity intelligence Center (ASEC) has identified cases of the ModiLoader (DBatLoader) malware being distributed via email. ModiLoader ultimately executes SnakeKeylogger. SnakeKeylogger is an Infostealer-type malware developed in .NET. It is known for its data exfiltration methods using emails, FTP, SMTP, or Telegram.

Figure 1 shows the email being distributed. The email is written in Turkish and is being distributed by impersonating a Turkish bank. Users are prompted to open the malicious attachment to check their transaction history. The compressed file contains the BAT malware shown in Figure 2.

Figure 1. Email body
Figure 2. Inside the rar compressed file (bat file)

Figure 3 shows the BAT code creating and executing the DBatLoader malware (x.exe) encoded in Base64 in the %temp% directory. Figure 4 is the image of the created DBatLoader malware (x.exe).

Figure 3. Main part of the bat script (creating and executing x.exe)
Figure 4. x.exe (DBatLoader) created in the Temp directory

Figures 5 and 6 show the obfuscated and decrypted forms of three bat scripts (5696.cmd, 8641.cmd, neo.cmd) executed by DBatLoader (x.exe). DBatLoader uses these bat scripts and files such as svchost.pif, netutils.dll, and wxiygomE.pif to achieve its attack goals of evading detection and executing keyloggers.

Figure 5. DBatLoader executing the obfuscated bat script
Figure 6. DBatLoader decrypting the bat script

# Attack Process

## 1. Evasion of Detection

Figure 7 is the 8641.cmd script of the bat script. The Esentutl command is used to copy cmd.exe as alpha.pif. The mkdir command is then used to create a folder (Windows \SysWow64) including a space in its name to disguise it as a legitimate path.

Figure 7. Functions of 8641.cmd

DBatLoader (x.exe) creates a program with the disguised name svchost.pif in the Windows \SysWow64 directory. As shown in Figure 8, this program has the same name as the legitimate process easinvoker.exe, and a malicious netutils.dll is created in the same directory to perform DLL side-loading. As a result, the legitimate easinvoker.exe process exhibits malicious behavior. Figure 9 shows the decrypted 5696.cmd script. The script executes svchost.pif to load the malicious netutils.dll as a side-loaded DLL. It then uses the ping command to introduce a 10-second delay before deleting the malicious netutils.dll file. Figure 10 shows the functions of the malicious netutils.dll, which involves decoding encoded commands to execute a command that runs the neo.cmd file.

Figure 8. Legitimate program (easinvoker.exe) with the file name disguised as svchost.pif
Figure 9. Functions of 5696.cmd
Figure 10. Functions of manipulated netutils.dll (executing neo.cmd)

Figure 11 shows the contents of the neo.cmd script, which uses the extrac32 command to copy powershell.exe under the name xkn.pif. Through a command executed on xkn.pif (powershell.exe), subdirectories under "C:" are added to Windows Defender's exclusion paths, achieving the goal of bypassing detection.

Figure 11. Functions of neo.cmd

## 2. Information Theft (SnakeKeyLogger)

Figure 12 shows the process tree of behaviors executed from DBatLoader (x.exe). After achieving detection evasion, a file named wxiygomE.pif is created. The program is a module (loader.exe) of the legitimate mercurymail program, shown in Figure 13. Afterward, the legitimate process with a disguised name (wxiygomE.pif) is executed, and SnakeKeylogger is injected.

Figure 12. Process tree of DbatLoader (x.exe)
Figure 13. Normal program with a disguised file name (loader.exe)

Figure 14 is the list of functions corresponding to the functions of SnakeKeylogger injected into the legitimate process (wxiygomE.pif). These include malicious functions such as exfiltrating keylogging data such as system information, keyboard inputs, and clipboard data.

Figure 14. Function list of SnakeKeylogger

Figure 15 corresponds to the threat actor's configuration value in SnakeKeylogger. The configured Telegram bot token is used to transmit the exfiltrated information to the Telegram C2.

Figure 15. Threat actor's configuration for SnakeKeylogger

# Conclusion

The DbatLoader malware distributed through phishing emails has the cunning behavior of exploiting normal processes (easinvoker.exe, loader.exe) through techniques such as DLL side-loading and injection for most of its behaviors, and it also utilizes normal processes (cmd.exe, powershell.exe, esentutl.exe, extrac32.exe) for behaviors such as file copying and changing policies. As it is difficult to detect the infection when targeting individuals, individual users need to be cautious and maintain a strong sense of security by being careful about initial access techniques such as executing script extensions from phishing emails and keeping their security products up-to-date to prevent such attacks.

MD5
7fa27c24b89cdfb47350ecfd70e30e93
a0a35155c0daf2199215666b00b9609c

URL
https[:]//api[.]telegram[.]org/bot8135369946[:]AAEGf2H0ErFZIOLbSXn5AVeBr_xgB-x1Qmk/sendDocument?chat_id=7009913093

#### Tags: DBatLoader 피싱메일 PhishingEmail SnakeKeylogger

DBatLoader (ModiLoader) Being Distributed to Turkish Users Recently, AhnLab SEcurity intelligence...

https://asec.ahnlab.com/en/88025/

#Malware #Public #DBatLoader #피싱메일 #PhishingEmail #SnakeKeylogger


0 0 0 0
New KoiLoader Malware Variant Uses LNK Files and PowerShell to Steal Data

Cybersecurity experts have uncovered a new version of KoiLoader, a malicious software used to deploy harmful programs and steal sensitive data. The latest version, identified by eSentire's Threat Response Unit (TRU), is designed to bypass security measures and infect systems without detection.

How the Attack Begins

The infection starts with a phishing email carrying a ZIP file named `chase_statement_march.zip`. Inside the ZIP folder, there is a shortcut file (.lnk) that appears to be a harmless document. However, when opened, it secretly executes a command that downloads more harmful files onto the system. This trick exploits a known weakness in Windows, allowing the command to remain hidden when viewed in file properties.

The Role of PowerShell and Scripts

Once the user opens the fake document, it triggers a hidden PowerShell command, which downloads two JScript files named `g1siy9wuiiyxnk.js` and `i7z1x5npc.js`. These scripts work in the background to:

- Set up scheduled tasks to run automatically.
- Make the malware seem like a system-trusted process.
- Download additional harmful files from hacked websites.

The second script, `i7z1x5npc.js`, plays a crucial role in keeping the malware active on the system. It collects system information, creates a unique file path for persistence, and downloads PowerShell scripts from compromised websites. These scripts disable security features and load KoiLoader into memory without leaving traces.

How KoiLoader Avoids Detection

KoiLoader uses various techniques to stay hidden and avoid security tools. It first checks the system's language settings and stops running if it detects Russian, Belarusian, or Kazakh. It also searches for signs that it is being analyzed, such as virtual machines, sandbox environments, or security research tools. If it detects these, it halts execution to avoid exposure.

To remain on the system, KoiLoader:

- Exploits a Windows feature to bypass security checks.
- Creates scheduled tasks that keep it running.
- Uses a unique identifier based on the computer's hardware to prevent multiple infections on the same device.

Once KoiLoader is fully installed, it downloads and executes another script that installs KoiStealer. This malware is designed to steal:

1. Saved passwords
2. System credentials
3. Browser session cookies
4. Other sensitive data stored in applications

Command and Control Communication

KoiLoader connects to a remote server to receive instructions. It sends encrypted system information and waits for commands. The attacker can:

- Run remote commands on the infected system.
- Inject malicious programs into trusted processes.
- Shut down or restart the system.
- Load additional malware.

This latest KoiLoader variant showcases sophisticated attack techniques, combining phishing, hidden scripts, and advanced evasion methods. Users should be cautious of unexpected email attachments and keep their security software updated to prevent infection.

New KoiLoader Malware Variant Uses LNK Files and PowerShell to Steal Data #CyberSecurity #Data #Phishingemail

0 0 0 0

💻 HEADS UP – Not an April Fool’s Day Joke!
Just posted a warning alert on the website 🚨 Be careful—JUNK/SCAM/SPAM emails are circulating from fake Facebook accounts.

Stay cautious out there!

#WebChick #ScamAlert #PhishingEmail #FakeFacebook #CyberSafety #WebsiteUpdate #StaySafeOnline

0 0 0 0
Recent Online Scams (December Update) YouTube video by ScamAware101

🚨December Update from @ScamAware101🚨

Recent online scams: Amazon Scam, Wrong Number Scam, Fake Order Scam, Brushing Scam / QR Code Scams

Watch video: youtu.be/fN1VNrJB9mg

#Scammer #Phishing #Smishing #OnlineSafety #AmazonScam #PhishingEmail #HappyNewYear #HappyNewYear2025 #ScamAware101

1 0 0 0

This video shares an example of a fake Microsoft Sign-In email scam (phishing email) sent by scammers. Full video on our YouTube channel.

#Phishing #PhishingEmail #PhishingScam #InternetSafetyTips #OnlineSafety #OnlineSafetyAwareness #StaySafeOnline #InfoSec #InformationSecurity #ScamAware101

1 0 0 0
TIP: How to Detect and Handle Phishing Email Campaigns » If you receive an email that seems to be from someone instructing you to spend your own money on something, it's probably a phishing email.

TIP: How to Detect and Handle #PhishingEmail Campaigns »

0 0 0 0
Email Scam: Package Delayed or Missing (Fake Compensation Product Scam, FedEx/UPS) YouTube video by ScamAware101

ScamAware101 is the FIRST to publish real examples of this NEW phishing email campaign. Fake emails impersonate FedEx and UPS with an offer to "Get Your Compensation Now". youtu.be/7GYG8drjvnY

#Phishing #PhishingEmail #Scammers #CyberSecurity #OnlineSafety #InfoSec #InformationSecurity #ScamAware101

1 0 0 0

This video shares an example of a fake Google Hangouts email scam (phishing email) sent by scammers to steal your personal information. Watch the full video on our YouTube channel. #Phishing #PhishingEmail #ScamPrevention #CyberSecurity #InternetSafety #OnlineSafety #StaySafeOnline #ScamAware101

1 0 0 0

This video shares an example of a fake Netflix email scam (phishing email) sent by scammers to steal your personal information. Full video on our YouTube channel.

#Phishing #PhishingEmail #PhishingScam #ScamAwareness #ScamPrevention #CyberSecurity #CyberSecurityAwareness #ScamAware101

1 0 0 0
Phishing email from an intern's boss is a $600 scam

Emails can mimic names, photos, fonts and patterns of speech.

Phishing email from an intern’s boss is a $600 scam
pirg.org/edfund/artic...

#Tech #Technology #Security #Email #Phishing #Scams #Data #Fraud #PhishingEmail

0 0 0 0

Why would you go through all the trouble to put this together and still get so many details blatantly, obviously wrong? I mean… WHAT?!

#phishingScams #phishingEmail #notReal #warning 🚨

3 0 1 0