Phishing Campaigns Evade Defenses by Exploiting OAuth Redirection
Researchers at Microsoft have identified phishing campaigns that exploit OAuth redirection to bypass conventional defenses. The campaigns target government agencies and public-sector organizations and use legitimate, by-design OAuth protocol behaviour to route users through a trusted identity provider to attacker-controlled infrastructure, so the link in the lure evades conventional phishing detection.
OAuth, the authorization framework behind most modern sign-in and API access, ends every authorization request by redirecting the browser to a redirect URI registered for the requesting application. Attackers abuse this by building authorization URLs on trusted identity providers such as Microsoft Entra ID or Google Workspace, pointing them at a rogue app whose registered redirect URI they control, and manipulating request parameters so the provider sends the user there. The link a victim sees begins with a legitimate provider domain but ends at a malicious site; the weakness is trust in identity infrastructure, not a software vulnerability.
The attack chain begins with a malicious OAuth application registered in a tenant the attackers control, with its redirect URI set to a domain that hosts malware. Identity providers validate the redirect_uri in a request against the app's registration, and because the attackers wrote that registration, their domain is an accepted destination for that client_id. They then send phishing emails, themed around documents, payments, or meetings, whose links point at the provider's authorization endpoint.
When a victim clicks, the link starts a silent OAuth flow with manipulated parameters. prompt=none instructs the provider to show no user interface at all: it evaluates the existing session state and Conditional Access policies and, if it cannot satisfy the request without interaction, returns an error. An intentionally invalid scope is one way to force such an error, but it is not the only mechanism observed. Either way, the OAuth 2.0 specification has the provider report an error on a request with a valid, registered redirect_uri by redirecting the user-agent to that URI with error and state parameters.
The user therefore never authenticates or consents; the provider simply redirects them from a trusted Microsoft or Google URL to the attacker's registered domain. That page typically hosts a phishing framework or a malware download, and in some campaigns victims automatically receive a ZIP file containing a malicious LNK shortcut.
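The following Python script is an added example, not code from the Microsoft report or from any campaign. It models the error-redirect rule in RFC 6749 that the lure depends on (an error on a request whose redirect_uri matches the app registration is delivered by redirecting the browser to that URI; a mismatched redirect_uri is never followed) and runs a simple detector over a few constructed proxy-log lines. The tenant ID, client IDs, the domains docs-review.example and app.contoso.example, the KNOWN_SCOPES set, the app registrations and the log lines are all assumptions made up for the illustration.

```python
"""
Added example, not code from the Microsoft report or from any campaign.
Models the OAuth 2.0 error-redirect behaviour the phishing links rely on and
flags suspicious authorization URLs in proxy or mail logs. Every tenant id,
client_id, domain and log line below is constructed for illustration.
"""
from urllib.parse import parse_qs, urlencode, urlparse, urlunparse

# Authorization endpoint hosts that the lures point at.
IDP_AUTHORIZE_HOSTS = {"login.microsoftonline.com", "accounts.google.com"}
# Hypothetical allowlist: redirect hosts of apps this tenant has approved.
TRUSTED_REDIRECT_HOSTS = {"app.contoso.example"}
# Stand-in for the provider's scope validation (assumption, not the real list).
KNOWN_SCOPES = {"openid", "profile", "email", "offline_access", "User.Read"}

# Constructed app registrations: client_id -> redirect URIs registered for it.
# The first app lives in the attacker's tenant, so they chose its redirect URI.
REGISTERED_REDIRECT_URIS = {
    "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee": {"https://docs-review.example/land"},
    "bbbbbbbb-cccc-dddd-eeee-ffffffffffff": {"https://app.contoso.example/auth/callback"},
}

AUTHORIZE = "https://login.microsoftonline.com/11111111-2222-3333-4444-555555555555/oauth2/v2.0/authorize"
# Lure: registered (attacker-owned) redirect_uri, prompt=none, nonsense scope.
PHISH_URL = (AUTHORIZE + "?client_id=aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee&response_type=code"
             "&redirect_uri=https%3A%2F%2Fdocs-review.example%2Fland&scope=invoice.pdf"
             "&prompt=none&state=inv-20931")
# Same app with a valid scope: the error then comes from prompt=none with no session.
SILENT_URL = PHISH_URL.replace("scope=invoice.pdf", "scope=openid%20profile")
# Legitimate sign-in link for an approved app.
BENIGN_URL = (AUTHORIZE + "?client_id=bbbbbbbb-cccc-dddd-eeee-ffffffffffff&response_type=code"
              "&redirect_uri=https%3A%2F%2Fapp.contoso.example%2Fauth%2Fcallback"
              "&scope=openid%20profile%20User.Read&state=xyz")
# Constructed proxy log lines: timestamp, user, method, URL.
SAMPLE_LOG_LINES = [
    "2025-01-15T09:12:03Z alice GET " + BENIGN_URL,
    "2025-01-15T09:14:41Z bob GET " + PHISH_URL,
    "2025-01-15T09:15:02Z bob GET https://docs-review.example/land?error=invalid_scope&state=inv-20931",
]


def parse_authorize_url(url):
    """Split a URL into its parsed form and a flat dict of query parameters."""
    parts = urlparse(url)
    params = {k: v[0] for k, v in parse_qs(parts.query).items()}
    return parts, params


def simulate_authorize(auth_url, registered=REGISTERED_REDIRECT_URIS, user_signed_in=False):
    """Model of how the provider handles the request (RFC 6749 4.1.2.1 plus OIDC prompt=none).

    Returns {"error": ..., "location": ...}. If redirect_uri is not registered for
    client_id the server must not redirect, so location is None and the provider
    shows the error itself. Any other failure is reported by redirecting the
    browser to the registered redirect_uri, which is the hop the campaign wants.
    A valid request yields error None (the flow would continue to consent/code).
    """
    _, params = parse_authorize_url(auth_url)
    redirect_uri = params.get("redirect_uri")
    if redirect_uri is None or redirect_uri not in registered.get(params.get("client_id"), ()):
        return {"error": "redirect_uri_mismatch", "location": None}

    error = None
    if params.get("response_type") not in {"code", "token", "id_token", "code id_token"}:
        error = "unsupported_response_type"
    elif not set(params.get("scope", "").split()) <= KNOWN_SCOPES:
        error = "invalid_scope"
    elif params.get("prompt") == "none" and not user_signed_in:
        error = "login_required"  # no UI allowed and no session to reuse
    if error is None:
        return {"error": None, "location": None}

    reply = {"error": error}
    if "state" in params:
        reply["state"] = params["state"]  # state is echoed back even on error
    target = urlparse(redirect_uri)._replace(query=urlencode(reply))
    return {"error": error, "location": urlunparse(target)}


def flag_authorize_url(url):
    """Reasons a URL looks like redirect abuse; [] if clean or not an authorize URL."""
    parts, params = parse_authorize_url(url)
    if parts.hostname not in IDP_AUTHORIZE_HOSTS or not parts.path.endswith(("/authorize", "/auth")):
        return []
    reasons = []
    if params.get("prompt") == "none":
        reasons.append("prompt=none requests a silent flow with no sign-in UI")
    redirect_host = urlparse(params.get("redirect_uri", "")).hostname
    if redirect_host and redirect_host not in TRUSTED_REDIRECT_HOSTS:
        reasons.append("redirect_uri host is not an approved app: " + redirect_host)
    unknown = set(params.get("scope", "").split()) - KNOWN_SCOPES
    if unknown:
        reasons.append("scope contains unknown values: " + " ".join(sorted(unknown)))
    return reasons


def scan_log_lines(lines):
    """Map each flagged authorize URL found in the log lines to its reasons."""
    flagged = {}
    for line in lines:
        for token in line.split():
            if token.startswith("https://"):
                reasons = flag_authorize_url(token)
                if reasons:
                    flagged[token] = reasons
                break
    return flagged


if __name__ == "__main__":
    print("Lure outcome:", simulate_authorize(PHISH_URL))
    print("Silent flow, no session:", simulate_authorize(SILENT_URL))
    for url, reasons in scan_log_lines(SAMPLE_LOG_LINES).items():
        print("FLAGGED", url)
        for r in reasons:
            print("   -", r)
```

Run as a script to print where the lure lands and which log line is flagged. The detector keys on the redirect_uri host rather than on the link's own domain: the link's domain is the provider's and will pass any domain-reputation check, which is the whole point of the technique. A real deployment would replace the constructed allowlists with the organization's app inventory and tune the prompt=none rule, since legitimate single-page apps also use silent token renewal.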
One campaign went further. Its payload ran PowerShell commands that performed system reconnaissance, extracted additional files, and side-loaded a rogue DLL; the final stage executed in memory and connected to a command-and-control server, turning a credential-phishing lure into full endpoint compromise with persistence.
Organizations can reduce exposure by tightly governing OAuth applications: limiting which apps users may consent to, reviewing granted permissions regularly, and removing unused or overprivileged apps. One caveat follows from the attack chain itself: the rogue app is registered in the attacker's tenant and the flow is designed to fail before any consent prompt, so the victim tenant's consent policy does not stop the redirect; it limits what an app can obtain if a user does complete a flow. Stopping the lure therefore also needs strong identity protection, Conditional Access policies, and detection that correlates email, identity, and endpoint signals, for example authorization-endpoint links in inbound mail that carry prompt=none or a redirect_uri outside the organization's known applications, followed by archive or shortcut execution on the endpoint.
The report's broader point is that these are identity-based threats built on OAuth's by-design redirect behaviour rather than on software flaws or stolen credentials, and that the abuse is operational, not theoretical. A standards-compliant but malicious application can deliberately trigger an authorization error and let a trusted identity provider's own error handling deliver the victim to attacker-controlled infrastructure. As defenses against credential theft and MFA bypass improve, adversaries are shifting to protocol trust and standard features, which makes OAuth governance, strong identity protection, and cross-domain detection the controls that matter most.