Two years of silence. Then, mid-2025, the phishing emails started landing again.

TA416, a China-aligned espionage group, went quiet on European operations around 2023. Now they’re back, targeting diplomatic missions to the EU and NATO across multiple European countries. They’ve also expanded into the Middle East since March 2026, collecting intelligence on the US-Israel-Iran situation.

The OAuth Redirect Trick

The cleverest evolution: instead of sending victims straight to a malicious domain, the phishing emails now link to Microsoft's legitimate OAuth authorization endpoint. The attacker registers an app whose redirect URI points at their own server, and the link carries that app's client_id and redirect_uri. URL reputation tools see a link on a Microsoft-owned domain and wave it through. Once the victim signs in, consents, or even declines the consent prompt, the endpoint validates the redirect_uri against the app registration and answers with an HTTP redirect to it, so by the time the browser lands on the attacker-controlled domain, the mail filter has already made its call.
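One way to catch the trick on the inbound side is to stop judging the link by its hostname and look at where the authorize endpoint will send the browser next. The triage below is an added example, not code from the original post or from any vendor: it parses links to Microsoft's authorize endpoint, extracts the redirect_uri, and flags any destination outside a trusted-domain allowlist. The sample links, client IDs, and the docs-review.example.net domain are constructed placeholders; an organisation would extend TRUSTED_REDIRECT_DOMAINS with the domains of its own registered apps.

```python
"""Triage links to Microsoft's OAuth authorize endpoint by where they redirect.

Added example (not code from the original post). The sample links, client IDs
and the docs-review.example.net domain below are constructed placeholders.
"""
from urllib.parse import parse_qs, urlparse

# Hosts that serve the Microsoft identity platform authorization endpoint.
AUTHZ_HOSTS = {"login.microsoftonline.com", "login.microsoft.com"}

# Domains a redirect_uri may point at without raising an alert. Assumption:
# an organisation would extend this with the domains of its own registered apps.
TRUSTED_REDIRECT_DOMAINS = ("microsoft.com", "microsoftonline.com", "office.com")


def _host_in_domains(host: str, domains) -> bool:
    return any(host == d or host.endswith("." + d) for d in domains)


def inspect_authorize_link(url: str) -> dict:
    """Classify one URL; the verdict is what a mail filter should act on."""
    p = urlparse(url)
    host = (p.hostname or "").lower()
    finding = {"url": url, "verdict": "not_authorize", "client_id": None,
               "redirect_host": None, "reason": ""}
    if host not in AUTHZ_HOSTS or not p.path.lower().endswith("/authorize"):
        finding["reason"] = "not a Microsoft identity platform authorize endpoint"
        return finding

    # parse_qs percent-decodes, so the redirect_uri comes back as a plain URL.
    q = parse_qs(p.query)
    finding["client_id"] = q.get("client_id", [None])[0]
    redirect = q.get("redirect_uri", [None])[0]
    if not redirect:
        # The destination then comes from the app registration, which the
        # link alone cannot reveal: escalate rather than pass.
        finding["verdict"] = "unverifiable"
        finding["reason"] = "no redirect_uri in link; destination is set in the app registration"
        return finding

    r = urlparse(redirect)
    rhost = (r.hostname or "").lower()
    finding["redirect_host"] = rhost or redirect
    if r.scheme not in ("http", "https"):
        finding["verdict"] = "suspicious"
        finding["reason"] = f"non-web redirect scheme {r.scheme!r} in an emailed link"
    elif _host_in_domains(rhost, TRUSTED_REDIRECT_DOMAINS):
        finding["verdict"] = "trusted"
        finding["reason"] = "redirect stays on a trusted domain"
    else:
        finding["verdict"] = "suspicious"
        finding["reason"] = f"Microsoft will bounce the browser to {rhost}"
    return finding


def triage(urls) -> list:
    """Run inspect_authorize_link over every link pulled from a message."""
    return [inspect_authorize_link(u) for u in urls]


# Constructed sample links (placeholders, not real campaign indicators).
SAMPLE_LINKS = [
    "https://login.microsoftonline.com/common/oauth2/v2.0/authorize?client_id=00000000-0000-0000-0000-000000000001&response_type=code&redirect_uri=https%3A%2F%2Fportal.office.com%2F&scope=openid",
    "https://login.microsoftonline.com/common/oauth2/v2.0/authorize?client_id=00000000-0000-0000-0000-000000000002&response_type=code&redirect_uri=https%3A%2F%2Fdocs-review.example.net%2Fcallback&scope=openid%20profile&prompt=consent",
    "https://www.microsoft.com/en-us/",
    "https://login.microsoftonline.com/common/oauth2/v2.0/authorize?client_id=00000000-0000-0000-0000-000000000003&response_type=code&scope=openid",
]

if __name__ == "__main__":
    for f in triage(SAMPLE_LINKS):
        print(f"{f['verdict']:<14} {f['redirect_host'] or '-':<28} {f['reason']}")
```

The second sample is the shape of the abuse: a perfectly valid authorize URL on a Microsoft host whose redirect_uri carries the browser to an unrelated domain. A missing redirect_uri is deliberately not treated as safe, because the registered destination is invisible from the link.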

This isn't a Microsoft vulnerability. The redirect URI is validated exactly as the protocol requires; the abuse is that the validated destination belongs to the attacker, which a hostname-based reputation check cannot see. It's becoming widespread enough that Microsoft warned about it last month.

Layered Evasion

TA416 doesn't rely on one trick. Tracking pixels confirm that a target opened the email before anything is delivered. Cloudflare Turnstile challenges gate the landing page, so automated sandboxes that can't solve them never fetch the payload. Payloads rotate across Azure Blob Storage, Google Drive, and compromised SharePoint instances. The endpoint payload is still PlugX, delivered through DLL side-loading: a legitimate signed executable loads a malicious DLL placed beside it. It's old, but wrapped in a modern delivery chain, it still works.

What to Watch For

If you have diplomatic, government, or policy exposure to the EU or Middle East, review OAuth app registrations and consented enterprise applications in your Entra ID tenant, and monitor for unexpected redirect URI configurations. Keep in mind that the app behind a phishing link is normally registered in the attacker's tenant, so auditing your own registrations catches only apps created by someone who already has a foothold; the redirect_uri parameter in inbound links to Microsoft's authorize endpoint is the indicator you control, and restricting user consent to verified publishers limits what an attacker-registered app can obtain. Treat emails with embedded images or remote content as potential reconnaissance, even without obvious malicious links.
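The registration review can be scripted against a Microsoft Graph export rather than clicked through in the portal. The audit below is an added example, not code from the original post or from Microsoft: it takes the JSON shape of a Graph `GET /applications` response, where the web, spa and publicClient sections each carry a redirectUris list, and reports every registration with a web redirect that points outside the organisation's own domains. The sample response is constructed, and contoso.example and mail-review.example.net are placeholder domains.

```python
"""Audit Entra ID app registrations for redirect URIs that leave your domains.

Added example (not code from the original post). It expects the JSON shape of
a Microsoft Graph `GET /applications` response; the sample below is
constructed, and contoso.example / mail-review.example.net are placeholders.
"""
import json
from urllib.parse import urlparse

# Assumption: the domains where the organisation hosts its own applications.
ORG_DOMAINS = ("contoso.example",)


def _host_in_domains(host, domains):
    return any(host == d or host.endswith("." + d) for d in domains)


def redirect_uris(app):
    """Yield (section, uri) for every redirect URI across the platform sections."""
    for section in ("web", "spa", "publicClient"):
        for uri in (app.get(section) or {}).get("redirectUris", []):
            yield section, uri


def audit_app(app, org_domains=ORG_DOMAINS):
    """Return the redirect URIs of one registration that point outside org_domains."""
    findings = []
    for section, uri in redirect_uris(app):
        u = urlparse(uri)
        host = (u.hostname or "").lower()
        if u.scheme not in ("http", "https"):
            # Native-app schemes (e.g. msal<client-id>://auth) carry no web host.
            continue
        if host in ("localhost", "127.0.0.1"):
            # Loopback redirects are normal for native and dev flows.
            continue
        if not _host_in_domains(host, org_domains):
            findings.append({"section": section, "redirectUri": uri, "host": host})
    return findings


def audit_tenant(graph_response_json, org_domains=ORG_DOMAINS):
    """Map appId -> findings for every registration with an off-domain redirect."""
    apps = json.loads(graph_response_json)["value"]
    report = {}
    for app in apps:
        findings = audit_app(app, org_domains)
        if findings:
            report[app["appId"]] = {"displayName": app.get("displayName"),
                                    "signInAudience": app.get("signInAudience"),
                                    "findings": findings}
    return report


# Constructed sample in the shape of a Graph /applications response.
SAMPLE_GRAPH_RESPONSE = json.dumps({"value": [
    {"appId": "11111111-1111-1111-1111-111111111111", "displayName": "HR Portal",
     "signInAudience": "AzureADMyOrg",
     "web": {"redirectUris": ["https://hr.contoso.example/auth/callback"]},
     "spa": {"redirectUris": []}, "publicClient": {"redirectUris": []}},
    {"appId": "22222222-2222-2222-2222-222222222222", "displayName": "Document Review",
     "signInAudience": "AzureADMultipleOrgs",
     "web": {"redirectUris": ["https://mail-review.example.net/cb", "http://localhost:3000/cb"]},
     "spa": {"redirectUris": []},
     "publicClient": {"redirectUris": ["msal22222222-2222-2222-2222-222222222222://auth"]}},
]})

if __name__ == "__main__":
    for app_id, entry in audit_tenant(SAMPLE_GRAPH_RESPONSE).items():
        for f in entry["findings"]:
            print(f"{entry['displayName']} ({app_id}) {f['section']}: {f['redirectUri']}")
```

The signInAudience is carried in the report because a multi-tenant registration with an off-domain redirect is exactly the combination worth a second look: it can be used as a landing point from any tenant, not just yours.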
