Back to Intelligence

Defending Against TA416: Detect PlugX and OAuth Phishing Attacks

SA
Security Arsenal Team
April 3, 2026
6 min read

Defending Against TA416: Detect PlugX and OAuth Phishing Attacks

Introduction

Security teams must remain vigilant against the resurgence of TA416, a China-aligned threat actor actively targeting European government and diplomatic entities. Since mid-2025, this group—also tracked as RedDelta, Volt Typhoon, and others—has shifted focus back to European targets, utilizing a sophisticated blend of malware and social engineering.

For defenders, the critical takeaway is the evolution of TA416's tactics: they are combining the established PlugX remote access Trojan with OAuth-based phishing. This combination allows them to bypass traditional authentication controls by manipulating user trust and legitimate cloud protocols. Understanding how to detect these behaviors on the endpoint and in the cloud is essential for preventing data exfiltration and long-term persistence.

Technical Analysis

The Threat Actor: TA416 is a state-sponsored cluster known for espionage. Historically focused on diplomatic missions, their recent campaign highlights a renewed interest in European geopolitical entities.

Attack Vector 1: PlugX Malware: PlugX (or Korgu) is a modular Remote Access Trojan (RAT) designed for stealthy persistence and data theft. In this campaign, TA416 delivers PlugX via malicious attachments in phishing emails. Once executed, PlugX typically loads via DLL side-loading or creates a Windows service to maintain persistence. It provides the attacker with remote shell capabilities, keylogging, and the ability to install additional payloads.

Attack Vector 2: OAuth-Based Social Engineering: TA416 is abusing the Open Authorization (OAuth) 2.0 framework. Instead of stealing passwords, attackers trick users into granting a malicious application permission to access their email or cloud files. This "consent phishing" often leverages typosquatting—mimicking legitimate software vendors—to deceive users. Because the user authenticates legitimately, Multi-Factor Authentication (MFA) is bypassed, and the attacker gains access via a valid token rather than a compromised credential.

Affected Systems:

  • Endpoint: Windows systems compromised via malicious documents or executables.
  • Cloud: Microsoft 365 / Entra ID environments where OAuth consent grants are misconfigured.

Defensive Monitoring

To detect TA416 activity, security teams must monitor endpoint telemetry for signs of PlugX execution and audit cloud logs for suspicious OAuth grants.

SIGMA Rules

These rules detect common TA416 behaviors, including PlugX persistence mechanisms and suspicious OAuth-related process chains.

YAML
---
title: Potential PlugX Service Installation
id: 8f4a3b21-6c5d-4e9f-8a1b-2c3d4e5f6789
status: experimental
description: Detects the creation of a new service by PowerShell or cmd.exe, a technique often used by PlugX for persistence using arbitrary binary paths.
references:
  - https://attack.mitre.org/techniques/T1543/003/
author: Security Arsenal
date: 2026/04/15
tags:
  - attack.persistence
  - attack.t1543.003
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    Image|endswith:
      - '\powershell.exe'
      - '\cmd.exe'
    CommandLine|contains:
      - 'New-Service'
      - 'sc create'
      - 'Create-Service'
  filter:
    ParentImage|contains:
      - '\System32\'
      - '\SysWOW64\'
falsepositives:
  - Legitimate administrative software installation
level: high
---
title: Suspicious PlugX Registry Persistence
id: 9a5b4c32-d7e6-5f0a-9b2c-3d4e5f6a7890
status: experimental
description: Detects registry modifications in Run keys that point to suspicious locations or DLLs, characteristic of PlugX persistence mechanisms.
references:
  - https://attack.mitre.org/techniques/T1547/001/
author: Security Arsenal
date: 2026/04/15
tags:
  - attack.persistence
  - attack.t1547.001
logsource:
  category: registry_add
  product: windows
detection:
  selection:
    TargetObject|contains:
      - '\Software\Microsoft\Windows\CurrentVersion\Run'
      - '\Software\Microsoft\Windows\CurrentVersion\RunOnce'
    Details|contains:
      - '.dll'
      - 'AppData'
falsepositives:
  - Legitimate software updates installed in user directories
level: medium
---
title: Browser Spawning Shell via OAuth Phishing
id: 0c1d2e3f-4a5b-6c7d-8e9f-0a1b2c3d4e5f
status: experimental
description: Detects web browsers spawning command shells or PowerShell, often observed after a user clicks a malicious link in an OAuth phishing campaign leading to a download.
references:
  - https://attack.mitre.org/techniques/T1059/003/
author: Security Arsenal
date: 2026/04/15
tags:
  - attack.execution
  - attack.t1059.003
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    ParentImage|endswith:
      - '\chrome.exe'
      - '\msedge.exe'
      - '\firefox.exe'
    Image|endswith:
      - '\cmd.exe'
      - '\powershell.exe'
falsepositives:
  - Legitimate "Open in Terminal" features or web-based SSO launchers
level: medium

KQL Queries (Microsoft Sentinel / Defender)

Use these queries to hunt for signs of the OAuth attacks and PlugX activity within your environment.

Detect OAuth Consent Grants (Phishing Indicator):

KQL — Microsoft Sentinel / Defender
AuditLogs
| where OperationName == "Add OAuth2PermissionGrant" or OperationName == "Consent to application"
| extend AppName = tostring(TargetResources[0].DisplayName)
| extend Permissions = tostring(TargetResources[0].PermissionDetails)
| project TimeGenerated, OperationName, InitiatedBy, AppName, Permissions
| where Permissions contains "Mail.Read" or Permissions contains "Files.Read"


**Detect PlugX Process Anomalies:**
DeviceProcessEvents  
| where Timestamp > ago(7d)
| where FileName in~ ("rundll32.exe", "regsvr32.exe")
| where ProcessCommandLine has ".dll" and ProcessCommandLine has "-s"
| project Timestamp, DeviceName, FileName, ProcessCommandLine, InitiatingProcessFileName

Velociraptor VQL (Hunt Queries)

Deploy these Velociraptor hunts to scan endpoints for PlugX artifacts and suspicious persistence mechanisms.

Hunt for Suspicious Service Executables:

VQL — Velociraptor
-- Hunt for services pointing to non-standard paths (User profiles or temp)
SELECT Name, DisplayName, ImagePath, State
FROM services()
WHERE ImagePath =~ 'AppData'
   OR ImagePath =~ '\\Temp\\'
   OR ImagePath =~ 'Users\\'


**Hunt for PlugX Registry Persistence:**
-- Scan registry Run keys for suspicious DLL execution
SELECT Key.Path, Data.value AS Value, Key.ModTime
FROM glob(globs='C:\Users\*\NTUSER.DAT')
-- Parse registry hive to find Run keys (simplified glob approach)
-- In production, use the registry() plugin directly
WHERE Key.Path =~ '\\Software\\Microsoft\\Windows\\CurrentVersion\\Run'
  AND Value =~ '.dll'

PowerShell Remediation Script

This script helps identify OAuth apps with high-risk permissions that may have been granted illicitly.

PowerShell
# Connect to Microsoft Graph (required modules: Microsoft.Graph)
Connect-MgGraph -Scopes "Application.Read.All", "Directory.Read.All"

# Get all Service Principals with dangerous permissions
$Apps = Get-MgServicePrincipal -All

$RiskyApps = foreach ($App in $Apps) {
    $Permissions = Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $App.Id
    if ($Permissions) {
        [PSCustomObject]@{
            AppName = $App.DisplayName
            AppId = $App.AppId
            PermissionCount = $Permissions.Count
            GrantedTo = ($Permissions | Select-Object -ExpandProperty PrincipalDisplayName) -join ", "
        }
    }
}

# Display apps with permissions
$RiskyApps | Format-Table -AutoSize

Remediation

To protect your organization from TA416 and similar threats, implement the following defensive measures immediately:

  1. Restrict OAuth Consent:

    • Enforce Admin Consent Only for all applications in your Entra ID tenant.
    • Configure App Consent Policies to restrict which permissions users can grant, specifically blocking RoleManagement.ReadWrite.Directory or User.ReadBasic.All for non-admins.

  2. Block Legacy Authentication:

    • Disable legacy authentication protocols (IMAP, POP3, SMTP) for Exchange Online. These protocols often lack MFA support and are easy targets for initial access.

  3. Implement Application Filtering:

    • Configure "Publishers" verification in Conditional Access to only allow apps from verified publishers.
    • Block user registration of applications if not business-critical.

  4. Patch and Endpoint Hardening:

    • Ensure all endpoints are running the latest OS versions to mitigate vulnerability exploits used in initial access.
    • Block execution of binaries from C:\Windows\Temp and AppData directories via AppLocker or WDAC.

  5. User Awareness:

    • Train users to recognize "consent" screens. If a user is suddenly asked to grant permission to an "Excel Editor" or "PDF Viewer" to access their email or contacts, they should report it immediately.

Related Resources

Security Arsenal Red Team Services AlertMonitor Platform Book a SOC Assessment pen-testing Intel Hub

penetration-testingred-teamoffensive-securityexploitta416plugxoauthapt

Is your security operations ready?

Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.

Book a SOC AssessmentSee AlertMonitor in Action