An ongoing phishing campaign is abusing the OAuth authentication redirection mechanism to avoid triggering conventional email and browser defenses, Microsoft researchers have revealed.
The attackers are targeting government and public-sector organizations, and redirecting unsuspecting users from trusted login pages to their own infrastructure, to serve malware or capture login credentials.
The attack, from the victim’s perspective
The OAuth authentication redirection mechanism is a trusted login feature used by Microsoft, Google and others. It allows users to sign in via a central identity provider and then be automatically redirected back to an approved application.
In this campaign, though, the attackers manipulated that redirect flow so victims were sent from a legitimate authentication page to malicious sites hosting phishing kits or malware.
The attack starts with a legitimate-looking email containing either a link that appears to point to a genuine Microsoft or Google login page, or a PDF attachment that carries such a link.
After clicking, the victim briefly lands on a genuine OAuth sign-in page hosted on a trusted domain. The URL looks authentic, and the page design matches what they see every day. Within moments, however, the browser redirects the user again, to an attacker-controlled site.
Depending on the campaign variant, the victim may see a convincing but fake login page designed to capture credentials or session tokens, or a page that automatically downloads a ZIP archive or shortcut file disguised as the promised document / recording / report.
ZIP to malicious payload (Source: Microsoft)
OAuth abused
In this campaign, attackers exploit weaknesses OAuth’s redirection logic by crafting OAuth authorization requests with deliberately invalid parameters (e.g., an impossible scope or a “silent authentication” prompt that can’t succeed).
Parameters used by the attackers (Source: Microsoft)
When the identity provider (e.g., Microsoft Entra ID) tries to process such a request, it triggers a standard error-handling redirect back to the redirect URI registered for the requesting application. Because the attackers registered that application themselves, the “registered” redirect URI points at infrastructure they control.
“By design, OAuth flows may redirect users following certain error conditions. Attackers exploit this behavior to silently probe authorization endpoints and infer the presence of active sessions or authentication enforcement,” the researchers explained.
“Although user interaction is still required to click the link, the redirect path leverages trusted identity provider domains to advance the attack.”
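The exchange described above, as an added example that is not part of the article or of Microsoft’s report: the first function models the identity provider’s error-handling redirect (no real IdP is contacted), and the second is a first-pass triage check an analyst could run over authorize URLs pulled from email links or proxy logs. The client_id, the redirect host `evil.example`, the tenant allowlist `*.contoso.example`, the error description text and both sample URLs are constructed for illustration.

```python
"""Added example: model of the OAuth error-redirect abuse and a triage check.

Everything below that names a host, client_id or error text is constructed
for illustration and is not taken from the campaign.
"""
from urllib.parse import parse_qs, urlencode, urlparse, urlunparse

# Authorize endpoints of the identity providers whose trusted domains the lure
# relies on (well-known public endpoints, not campaign indicators).
IDP_AUTHORIZE_HOSTS = {"login.microsoftonline.com", "accounts.google.com"}

# Redirect-URI hosts that are legitimate for a hypothetical tenant.
TRUSTED_REDIRECT_HOSTS = {"myapps.contoso.example", "portal.contoso.example"}

# Constructed lure link: prompt=none can never succeed for a user who arrives
# cold from an email, so the IdP error-redirects to redirect_uri at once.
LURE_URL = (
    "https://login.microsoftonline.com/common/oauth2/v2.0/authorize"
    "?client_id=11111111-2222-3333-4444-555555555555"
    "&response_type=code"
    "&redirect_uri=https%3A%2F%2Fevil.example%2Fcb"
    "&scope=openid%20profile%20not.a.real.scope"
    "&prompt=none"
    "&state=doc-4711"
)

# Constructed benign link for comparison: same endpoint, tenant-owned redirect.
BENIGN_URL = (
    "https://login.microsoftonline.com/common/oauth2/v2.0/authorize"
    "?client_id=66666666-7777-8888-9999-000000000000"
    "&response_type=code"
    "&redirect_uri=https%3A%2F%2Fmyapps.contoso.example%2Fsignin"
    "&scope=openid%20profile"
)


def build_error_redirect(authorize_url: str, error: str, description: str) -> str:
    """Model the IdP side: a request that cannot be completed is answered with a
    redirect to the request's own redirect_uri carrying error parameters (and
    the caller's state).  This is why an attacker-registered redirect_uri
    receives the victim even though the first hop was on a trusted domain."""
    params = parse_qs(urlparse(authorize_url).query)
    redirect_uri = params["redirect_uri"][0]
    error_params = {"error": error, "error_description": description}
    if "state" in params:
        error_params["state"] = params["state"][0]
    target = urlparse(redirect_uri)
    return urlunparse(target._replace(query=urlencode(error_params)))


def triage_authorize_url(url: str, trusted_hosts=TRUSTED_REDIRECT_HOSTS) -> list[str]:
    """Return findings for one link; an empty list means the link does not show
    the pattern described in the article.  Non-authorize URLs are skipped."""
    parsed = urlparse(url)
    findings: list[str] = []
    if parsed.hostname not in IDP_AUTHORIZE_HOSTS or "authorize" not in parsed.path:
        return findings
    params = {k: v[0] for k, v in parse_qs(parsed.query).items()}

    # Strongest signal: the redirect target is not one of the tenant's apps.
    redirect_host = urlparse(params.get("redirect_uri", "")).hostname or ""
    if redirect_host and redirect_host not in trusted_hosts:
        findings.append(f"redirect_uri host not in allowlist: {redirect_host}")

    # prompt=none from an email link is a silent-auth probe that must fail.
    if params.get("prompt") == "none":
        findings.append("prompt=none: silent authentication that cannot succeed from a cold link")

    return findings


if __name__ == "__main__":
    # Victim's path: trusted authorize endpoint, then straight to evil.example.
    print(build_error_redirect(LURE_URL, "login_required", "User login is required"))
    for link in (LURE_URL, BENIGN_URL):
        print(urlparse(link).hostname, triage_authorize_url(link) or "no findings")
```

The triage function deliberately keys on the redirect host rather than on the IdP domain, since the IdP domain is genuine in every case; in production the allowlist would be populated from the tenant’s own app registrations, and the client_id would be looked up against them as a further check.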
Attackers persist despite app takedowns
The abuse of a trusted authentication redirect makes the attack blend in with legitimate business activity, reducing the likelihood that the victim realizes anything malicious has occurred.
And the email lures used by the attackers are not unusual: an invitation to view a document, a recording of a Teams meeting, an invitation to see an employee report, a Microsoft 365 password validation request, an e-signature request, or a calendar invite.
Social security, financial, and political themes have also been used, according to Microsoft.
The researchers didn’t say how widespread these campaigns are but have confirmed that despite Microsoft Entra having disabled the observed OAuth applications created and leveraged by the attackers, “related OAuth activity persists and requires ongoing monitoring.”
“To reduce risk, organizations should closely govern OAuth applications by limiting user consent, regularly reviewing application permissions, and removing unused or overprivileged apps. Combined with identity protection, Conditional Access policies, and cross-domain detection across email, identity, and endpoint, these measures help prevent trusted authentication flows from being misused for phishing or malware delivery,” Microsoft researchers concluded.
