Microsoft has warned that phishers are exploiting a built-in behavior of the OAuth authentication protocol to redirect victims to malware, using links that point to legitimate identity provider domains such as Microsoft Entra ID and Google Workspace. The links look safe but ultimately lead somewhere that isn’t.
“OAuth includes a legitimate feature that allows identity providers to redirect users to a specific landing page under certain conditions, typically in error scenarios or other defined flows,” Microsoft’s Defender Security Research Team wrote in a blog post. “Attackers can abuse this native functionality by crafting URLs with popular identity providers, such as Entra ID or Google Workspace, that use manipulated parameters or associated malicious applications to redirect users to attacker-controlled landing pages.”
The company said it has disabled several malicious OAuth applications linked to the activity but warned that related campaigns are continuing and require ongoing monitoring.
How the attack works
The attack starts with a phishing email. Observed lures impersonate e-signature requests, HR communications, Microsoft Teams meeting invites, and password reset alerts, with the malicious link embedded either in the email body or inside a PDF attachment, Microsoft researchers wrote in the blog post.
The link points to a real OAuth authorization endpoint but is built with deliberately broken parameters. Attackers use a “prompt=none” value, requesting a silent authentication with no login screen, and pair it with an invalid scope value. The combination is designed to fail. When it does, the identity provider redirects the user’s browser to a URI registered by the attacker.
“Although this behavior is standards-compliant, adversaries can abuse it to redirect users through trusted authorization endpoints to attacker-controlled destinations,” the researchers wrote in the blog post.
The technique represents a structural shift in how attackers approach identity, said Greyhound Research chief analyst Sanchit Vir Gogia. “The first hop is real. The browser is behaving correctly. The identity provider is behaving correctly. The trust signal is authentic,” he said. “This shifts phishing from deception at the brand layer to manipulation at the workflow layer.”
In one campaign Microsoft detailed in the blog post, the redirect delivered a ZIP archive containing a malicious shortcut file to the victim’s device. Opening the file triggered a PowerShell script that ran reconnaissance commands and ultimately connected to an attacker-controlled server, the post said. Microsoft described the subsequent activity as consistent with pre-ransomware behavior.
Other campaigns the blog post detailed routed victims to adversary-in-the-middle frameworks such as EvilProxy to harvest credentials and session cookies.
Context, not the URL, is the new red flag
Sakshi Grover, Senior Research Manager at IDC Asia/Pacific, said the longstanding advice to hover over a link and verify its domain was built for an era of lookalike domains and that it no longer holds in environments where authentication flows routinely pass through trusted identity providers.
“Organizations should shift awareness messaging from ‘check the link’ to ‘validate the context,’” she said. “Employees should be trained to question whether an authentication request was expected, whether it aligns with a current business activity, and whether the application is requesting permissions that make sense.”
Gogia said enterprises need to go further and change the underlying behavior entirely. “Never initiate authentication journeys from unsolicited inbound links,” he said. “Authentication should begin from controlled starting points, not from email triggers.” He added that reporting unexpected login journeys must be made frictionless, and that speed of reporting is more valuable than confidence in personal judgment.
The governance gap attackers exploit
Both analysts pointed to OAuth application governance as the deeper structural gap this campaign exploits.
Grover of IDC said governance maturity remains uneven across enterprises. “Broad default consent settings and limited monitoring of redirect URIs remain common, particularly in environments where cloud and SaaS adoption have outpaced identity governance controls,” she said.
The scale of the problem is easy to underestimate, according to Gogia of Greyhound Research. “Every SaaS integration, automation workflow, and collaboration tool may require an application registration. Over time, tenants accumulate hundreds or thousands of registered apps. Redirect URIs are configured during setup and rarely revisited,” he said. “Telemetry exists. Interpretation does not.”
Microsoft said in the blog post that organizations should restrict user consent to third-party OAuth applications, audit app permissions regularly, and remove applications that are unused or over-privileged. The post also published 16 client IDs linked to the threat actors’ malicious applications and a list of initial redirection URLs as indicators of compromise. KQL hunting queries for Microsoft Defender XDR customers are included in the post to help identify related activity across email, identity, and endpoint signals.
The technique will remain effective for as long as enterprises leave these gaps unaddressed, Gogia warned. “It does not require breaking encryption,” he said. “It requires exploiting administrative complacency.”