
Hackers exploit OAuth redirection to spread malware

A recent phishing campaign has been discovered that exploits the OAuth authentication redirection mechanism, allowing attackers to bypass traditional email and browser security measures, as reported by Microsoft researchers.

The targets of this attack include government and public-sector organizations. The attackers redirect unsuspecting users from legitimate login pages to their own infrastructure, where they either deliver malware or capture login credentials.

The attack from the victim’s perspective

The OAuth authentication redirection mechanism is a trusted login feature utilized by major companies like Microsoft and Google. It enables users to sign in through a central identity provider and then be automatically redirected back to an approved application.

However, in this particular campaign, attackers have manipulated this redirect flow, sending victims from a legitimate authentication page to malicious sites that host phishing kits or malware.

The attack begins with a seemingly legitimate email that contains a link appearing to lead to a valid Microsoft or Google login page, or it may include a PDF attachment with such a link.

Upon clicking the link, the victim is briefly directed to an authentic OAuth sign-in page hosted on a trusted domain. The URL appears legitimate, and the design of the page mirrors what users normally see. Yet, within moments, the browser redirects the user again to a site controlled by the attackers.

Depending on the specific variant of the campaign, the victim may encounter a convincing but fake login page aimed at capturing credentials or session tokens, or they may find a page that automatically downloads a ZIP archive or a shortcut file disguised as the expected document, recording, or report.

Exploitation of OAuth

This campaign takes advantage of weaknesses in OAuth's redirection logic. Attackers craft OAuth authorization requests with deliberately invalid parameters, such as an impossible scope or a “silent authentication” prompt that cannot succeed.

When an identity provider such as Microsoft Entra ID processes such a request, it fails and follows its standard error-handling path: a redirect back to the redirect URI registered for the requesting application, which in this case is an application the attackers control.

Researchers have explained that, “By design, OAuth flows may redirect users following certain error conditions. Attackers exploit this behavior to silently probe authorization endpoints and infer the presence of active sessions or authentication enforcement.” They noted that while user interaction is needed to click the link, the redirect path uses trusted identity provider domains to further the attack.
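The indicators described above can be checked before a link is ever clicked. The following Python is an added example, not code from Microsoft or from this article: it parses an OAuth authorization URL found in a mail message and reports the conditions that would make the identity provider bounce the browser to an attacker-chosen redirect_uri. The authorize hosts, the allowlists and the scope heuristic are assumptions for the example.

```python
from urllib.parse import urlparse, parse_qs

# Authorization endpoints whose error handling redirects the browser back to
# the supplied redirect_uri (assumption: only these two providers are checked).
IDP_AUTHORIZE_HOSTS = {"login.microsoftonline.com", "accounts.google.com"}
# Scopes the example treats as plausible: OIDC scopes or resource-qualified ones.
OIDC_SCOPES = {"openid", "profile", "email", "offline_access"}


def scope_plausible(token: str) -> bool:
    # Heuristic (assumption): real scopes are OIDC names or resource URIs.
    return token in OIDC_SCOPES or token.startswith(("https://", "api://"))


def assess_oauth_link(url: str, trusted_redirect_hosts: set[str]) -> list[str]:
    """Return risk findings for a link; [] means no indicator from the article."""
    parsed = urlparse(url)
    if parsed.hostname not in IDP_AUTHORIZE_HOSTS or "authorize" not in parsed.path:
        return []  # not an OAuth authorization request
    params = {k: v[0] for k, v in parse_qs(parsed.query).items()}
    findings = []

    # Any error the IdP raises is delivered to redirect_uri, so an unknown host
    # there is the core indicator of the campaign described above.
    redirect_host = urlparse(params.get("redirect_uri", "")).hostname
    if redirect_host and redirect_host not in trusted_redirect_hosts:
        findings.append(f"redirect_uri host {redirect_host} is not trusted; "
                        "error redirects will land there")

    # prompt=none requests silent authentication; without an existing session
    # the IdP answers with an error redirect instead of a login page.
    if params.get("prompt") == "none":
        findings.append("prompt=none forces an error redirect when no session exists")

    # A scope the provider cannot grant guarantees the error path is taken.
    bad = [s for s in params.get("scope", "").split() if not scope_plausible(s)]
    if bad:
        findings.append(f"scope contains values that cannot succeed: {bad}")
    return findings


# Constructed sample links (placeholder client_id, .invalid hosts).
SUSPICIOUS_LINK = ("https://login.microsoftonline.com/common/oauth2/v2.0/authorize"
                   "?client_id=00000000-0000-0000-0000-000000000000&response_type=code"
                   "&redirect_uri=https%3A%2F%2Flure.example.invalid%2Fcb"
                   "&scope=openid%20no.such.scope&prompt=none")
BENIGN_LINK = ("https://login.microsoftonline.com/common/oauth2/v2.0/authorize"
               "?client_id=00000000-0000-0000-0000-000000000000&response_type=code"
               "&redirect_uri=https%3A%2F%2Fapp.corp.example%2Fcb&scope=openid%20profile")

if __name__ == "__main__":
    for finding in assess_oauth_link(SUSPICIOUS_LINK, {"app.corp.example"}):
        print("-", finding)
```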

Persistence of attackers despite app takedowns

The exploitation of a trusted authentication redirect allows the attack to blend in with legitimate business activities, making it less likely that victims will recognize any malicious intent.

The email lures used by the attackers are familiar: invitations to view documents, recordings of Teams meetings, requests for Microsoft 365 password validation, e-signature requests, or calendar invites. Furthermore, themes related to social security, finance, and political matters have also been employed, according to Microsoft.

While the researchers did not specify the extent of these campaigns, they confirmed that despite Microsoft Entra having disabled the observed OAuth applications leveraged by the attackers, “related OAuth activity persists and requires ongoing monitoring.”

To mitigate risks, organizations are advised to closely manage OAuth applications by limiting user consent, regularly reviewing application permissions, and removing unused or overprivileged apps. When combined with identity protection, Conditional Access policies, and cross-domain detection across email, identity, and endpoint, these measures can help prevent trusted authentication flows from being exploited for phishing or malware delivery.
