They Didn't Steal Your Password. They Used the Login Page Against You.
ID: 23ca0f45-991c-528d-addf-ea3cc7541bc6
STIX ID: report--23ca0f45-991c-528d-addf-ea3cc7541bc6
Feed Name: NoHackie
This report summarizes Microsoft Defender research describing an active phishing campaign that weaponizes OAuth’s by-design error redirects (using manipulated parameters like prompt=none and invalid scopes) to move victims from legitimate Microsoft/Google auth endpoints to attacker-controlled pages; outcomes include EvilProxy-mediated credential and session cookie capture (MFA bypass) or automatic malware delivery that culminates in DLL sideloading via steam_monitor.exe/crashhandler.dll and subsequent hands-on-keyboard activity. Defenses recommended include restricting app registration, auditing OAuth apps, hunting for OAuth authorization URL patterns and error indicators, deploying image-load and DLL-sideloading detections, enforcing Continuous Access Evaluation and device-bound tokens, and adopting phishing-resistant FIDO2 passkeys for high-value accounts.
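The summary above recommends hunting for OAuth authorization URL patterns. As an added illustration (not code from the report or from Microsoft), the following Python checks URL-bearing log lines for authorization requests to the Microsoft or Google endpoints whose parameters match the pattern the summary describes: `prompt=none`, a scope the tenant's apps never request, and a `redirect_uri` whose host is not on the tenant's allowlist. The allowlists, the client ids and the log lines are constructed for the example; the real allowlists come from the tenant's own app registrations.

```python
"""Hunt URL logs for OAuth authorization requests matching the error-redirect pattern.
All sample data, hostnames, client ids and allowlists below are constructed for this example."""
from urllib.parse import urlparse, parse_qs

# Authorization endpoints of the identity providers named in the report summary.
IDP_HOSTS = {"login.microsoftonline.com", "accounts.google.com"}

# Assumption (constructed): redirect_uri hosts of the apps this tenant actually approved.
ALLOWED_REDIRECT_HOSTS = {"app.example.com", "portal.example.com"}

# Assumption (constructed): scopes the tenant's registered apps legitimately request.
KNOWN_SCOPES = {"openid", "profile", "email", "offline_access", "user.read"}


def oauth_indicators(url):
    """Return indicator names found in one URL; [] if it is not an IdP authorization request."""
    parsed = urlparse(url)
    if parsed.hostname not in IDP_HOSTS:
        return []
    # parse_qs percent-decodes values, so redirect_uri comes back as a plain URL
    params = {k: v[0] for k, v in parse_qs(parsed.query).items()}
    if "redirect_uri" not in params:
        return []  # token/userinfo calls carry no redirect target; not in scope for this hunt
    found = []
    if params.get("prompt") == "none":
        found.append("prompt_none")
    redirect_host = urlparse(params["redirect_uri"]).hostname or ""
    if redirect_host not in ALLOWED_REDIRECT_HOSTS:
        found.append("redirect_host_not_allowlisted:" + redirect_host)
    for scope in params.get("scope", "").split():
        if scope.lower() not in KNOWN_SCOPES:
            found.append("unknown_scope:" + scope)
    return found


def is_suspicious(indicators):
    """A redirect host outside the allowlist is enough alone; prompt=none is common in
    legitimate silent SSO, so it only counts together with a second indicator."""
    unknown_redirect = any(i.startswith("redirect_host_not_allowlisted") for i in indicators)
    return unknown_redirect or ("prompt_none" in indicators and len(indicators) > 1)


def hunt(log_lines):
    """Return (line_number, url, indicators) for every suspicious authorization request."""
    hits = []
    for n, line in enumerate(log_lines, 1):
        for token in line.split():
            if token.startswith("http"):
                ind = oauth_indicators(token)
                if ind and is_suspicious(ind):
                    hits.append((n, token, ind))
    return hits


# Constructed proxy-log lines: "<timestamp> <user> <url>"
SAMPLE_LOG = [
    "2024-01-01T10:00:00Z alice https://login.microsoftonline.com/common/oauth2/v2.0/authorize"
    "?client_id=00000000-0000-0000-0000-000000000001&response_type=code"
    "&redirect_uri=https%3A%2F%2Fapp.example.com%2Fcb&scope=openid%20profile&prompt=none",
    "2024-01-01T10:00:05Z bob https://login.microsoftonline.com/common/oauth2/v2.0/authorize"
    "?client_id=00000000-0000-0000-0000-000000000002&response_type=code"
    "&redirect_uri=https%3A%2F%2Fcdn-update.example.net%2Fdrop&scope=openid%20not.a.real.scope&prompt=none",
    "2024-01-01T10:00:09Z carol https://accounts.google.com/o/oauth2/v2/auth"
    "?client_id=abc.apps.googleusercontent.com&response_type=code"
    "&redirect_uri=https%3A%2F%2Fportal.example.com%2Foauth&scope=openid%20email",
    "2024-01-01T10:00:12Z dave https://www.example.com/news",
]

if __name__ == "__main__":
    for line_no, url, indicators in hunt(SAMPLE_LOG):
        print(f"line {line_no}: {indicators}\n  {url}")
```

Only the second constructed line is reported: it carries `prompt=none`, an unrecognised scope and a redirect host outside the allowlist. Alice's request also uses `prompt=none`, but with an approved redirect host and known scopes it is treated as ordinary silent SSO, which keeps the hunt from drowning in legitimate traffic.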
