Phishing campaign exploits OAuth redirection to bypass defenses
2026-3-3 11:50:55 Author: securityaffairs.com

Microsoft researchers warn that threat actors abuse OAuth redirects to target government users and deliver malware.

Microsoft has warned of phishing campaigns targeting government and public-sector organizations by abusing OAuth URL redirection. Instead of stealing credentials or exploiting software flaws, attackers leverage OAuth’s legitimate by-design behavior to bypass email and browser defenses. The tactic redirects victims to attacker-controlled infrastructure, making it an identity-based threat rather than a traditional exploit.

“Microsoft Defender researchers uncovered phishing campaigns that exploit legitimate OAuth protocol functionality to manipulate URL redirection and bypass conventional phishing defenses across email and browsers,” reads the advisory. “During the investigation, several malicious OAuth applications were identified and removed to mitigate the threat.”

OAuth lets identity providers redirect users to specific pages in defined flows, such as error handling. Attackers abuse this feature by crafting URLs that point at trusted identity providers such as Entra ID or Google Workspace, then manipulating request parameters or registering rogue apps so that the provider itself sends users on to attacker-controlled pages. The links look legitimate because they start at a trusted domain, but they end at a malicious site.

The attack chain begins with the attackers creating a malicious OAuth application in a tenant they control and setting its redirect URI to a domain that hosts malware. They then send phishing emails containing crafted OAuth links themed around documents, payments, or meetings.

When victims click, the link triggers a silent OAuth flow using manipulated parameters such as prompt=none or invalid scopes to force an error.

“This technique abuses the OAuth 2.0 authorization endpoint by using parameters such as prompt=none and an intentionally invalid scope. Rather than attempting successful authentication, the request is designed to force the identity provider to evaluate session state and Conditional Access policies without presenting a user interface,” continues the report. “Setting an invalid scope is one method used to trigger an error and subsequent redirect, but it is not the only mechanism observed.”

Instead of completing authentication, the identity provider redirects the user to the attacker’s registered domain, leveraging trusted Microsoft or Google URLs to appear legitimate.
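A defender-side triage check for the links described above, added here as an example and not part of the Microsoft report or the article: it parses candidate URLs taken from mail or proxy logs, recognises authorization requests to the two providers the report names, and flags those whose redirect_uri points outside an allowlist of the organisation's own hosts. The allowlist, the placeholder client IDs, the attacker-example.invalid domain, the sample URLs and the scope heuristic are all assumptions.

```python
from urllib.parse import urlsplit, parse_qs

# Constructed allowlist: redirect hosts the organisation's own registered apps use.
TRUSTED_REDIRECT_HOSTS = {"myapps.microsoft.com", "sso.example-corp.invalid"}
# Authorization-endpoint hosts of the providers named in the report, with a path marker each.
AUTHZ_PATH_MARKERS = {"login.microsoftonline.com": "/oauth2/", "accounts.google.com": "/o/oauth2/"}
OIDC_SCOPES = {"openid", "profile", "email", "offline_access"}

def scope_looks_bogus(scope: str) -> bool:
    """Weak heuristic (assumption): a bare token that is neither an OIDC scope nor shaped like a
    resource/permission name (no '.', ':' or '/') resembles the deliberately invalid scopes described."""
    return any(t not in OIDC_SCOPES and not any(c in t for c in "./:") for t in scope.split())

def analyze_oauth_link(url: str) -> dict:
    """Classify one URL: 'suspicious' means an authorize request whose redirect_uri leaves the allowlist."""
    parts = urlsplit(url)
    q = {k: v[0] for k, v in parse_qs(parts.query).items()}
    result = {"authz_request": False, "suspicious": False, "redirect_host": None, "reasons": []}
    marker = AUTHZ_PATH_MARKERS.get(parts.hostname or "")
    if marker is None or marker not in parts.path:
        return result  # not an authorization request at all
    result["authz_request"] = True
    host = urlsplit(q.get("redirect_uri", "")).hostname
    result["redirect_host"] = host
    if host is None:
        result["reasons"].append("no redirect_uri; provider falls back to the app's registered URI")
    elif host not in TRUSTED_REDIRECT_HOSTS:
        result["reasons"].append("redirect_uri host not on allowlist")
        result["suspicious"] = True
    if q.get("prompt") == "none":  # normal for silent token renewal; matters with an untrusted redirect
        result["reasons"].append("prompt=none forces a silent flow with no consent UI")
    if scope_looks_bogus(q.get("scope", "")):
        result["reasons"].append("scope token looks deliberately invalid (error trigger)")
    return result

def scan_urls(urls):
    """Return only the URLs worth escalating, each paired with its findings."""
    return [(u, r) for u in urls for r in [analyze_oauth_link(u)] if r["suspicious"]]

# Constructed sample links as they might appear in mail or proxy logs; client IDs are placeholders.
SAMPLE_URLS = [
    "https://login.microsoftonline.com/common/oauth2/v2.0/authorize?client_id=00000000-0000-0000-0000-000000000000"
    "&response_type=code&redirect_uri=https%3A%2F%2Fmyapps.microsoft.com%2F&scope=openid%20profile&prompt=none",
    "https://login.microsoftonline.com/common/oauth2/v2.0/authorize?client_id=00000000-0000-0000-0000-000000000000"
    "&response_type=code&redirect_uri=https%3A%2F%2Fattacker-example.invalid%2Fdownload%2FXXXX&scope=zz&prompt=none",
    "https://accounts.google.com/o/oauth2/v2/auth?client_id=placeholder&response_type=code"
    "&redirect_uri=https%3A%2F%2Fattacker-example.invalid%2Fdownload%2FXXXX&scope=bogus",
    "https://www.example.com/invoice.pdf",
]
```

Running `scan_urls(SAMPLE_URLS)` returns only the two links bound for attacker-example.invalid; the first link is a normal silent SSO request and the last is not an OAuth request at all.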

The redirect often leads to phishing frameworks or malware downloads. In some campaigns, victims automatically receive a ZIP file containing a malicious LNK shortcut.

“Among the threat actors and campaigns abusing OAuth redirection techniques with various landing pages, we identified a specific campaign that attempted to deliver a malicious payload,” continues the report. “That activity is described in more detail below.

  • After redirection, victims were sent to a /download/XXXX path, where a ZIP file was automatically downloaded to the target device.
  • Observed payloads included ZIP archives containing LNK shortcut files and HTML smuggling loaders.”

When the LNK shortcut is opened, it runs PowerShell commands, performs system reconnaissance, extracts additional files, and side-loads a rogue DLL. The final payload executes in memory and connects to a command-and-control server, moving the attack from credential targeting to full endpoint compromise and persistence.

Organizations should reduce risk by tightly governing OAuth applications, limiting user consent, reviewing permissions regularly, and removing unused or overprivileged apps. Strong identity protection, Conditional Access policies, and cross-domain detection across email, identity, and endpoints can help stop attackers from abusing trusted authentication flows for phishing or malware delivery.

The report highlights identity-based threats that exploit OAuth’s by-design redirect behavior rather than software flaws or stolen credentials. By deliberately triggering authorization errors, attackers can redirect users from trusted identity providers to malicious sites. As defenses against credential theft improve, adversaries increasingly target protocol trust and standard features, underscoring the need for stronger OAuth governance and coordinated security efforts.

“These campaigns demonstrate that this abuse is operational, not theoretical. Malicious but standards-compliant applications can misuse legitimate error-handling flows to redirect users from trusted identity providers to attacker-controlled infrastructure,” concludes the report. “As organizations strengthen defenses against credential theft and MFA bypass, attackers increasingly target trust relationships and protocol behavior instead.”

Pierluigi Paganini

(SecurityAffairs – hacking, phishing)

Source: https://securityaffairs.com/188829/hacking/phishing-campaign-exploits-oauth-redirection-to-bypass-defenses.html