OAuth Redirection Abuse Enables Phishing and Malware Delivery
Summary:
Microsoft has identified a sophisticated phishing campaign that abuses the legitimate OAuth 2.0 protocol to bypass traditional email and browser security defenses. Unlike traditional phishing that attempts to steal credentials directly on a spoofed page, this technique exploits the "by-design" redirection behavior of identity providers like Microsoft Entra ID and Google Workspace. Attackers create malicious applications within their own controlled tenants and craft authentication URLs that include intentionally invalid scopes or parameters. When a victim clicks the link, the identity provider attempts to process the request, fails due to the malformed parameters, and—following standard protocol—redirects the user to the "redirect_uri" specified by the attacker.
Because the initial URL points to a trusted domain, it often evades security filters and appears legitimate to users. Once redirected, victims are led to attacker-controlled infrastructure where they are either served malware via "HTML smuggling" or ZIP archives containing malicious LNK files, or are funneled into Adversary-in-the-Middle (AitM) frameworks like EvilProxy to steal session cookies. This campaign has primarily targeted government and public-sector organizations, using lures related to e-signatures, financial documents, and political themes.
Security Officer Comments:
This threat is particularly concerning because it weaponizes the trust inherent in our shared identity ecosystems. Since the attack leverages the standard OAuth flow rather than a software vulnerability, traditional "look at the link" training is becoming less effective; a user can verify the domain is legitimate and still be redirected to a malicious payload. For our multi-sector members, the impact of a successful breach through this method could range from initial host reconnaissance to full-scale ransomware deployment or business email compromise (BEC).
The use of "silent" OAuth probes also suggests that threat actors are becoming more adept at identifying active sessions and bypassing Conditional Access policies without alerting the user. This signifies a shift where attackers are moving away from brute-force credential theft and toward manipulating the identity fabric itself. For organizations in the IT-ISAC, especially those providing critical infrastructure or public services, a single compromised identity via this method could provide the "living-off-the-land" access necessary for an attacker to move laterally across interconnected service providers.
Suggested Corrections:
To defend against OAuth redirection abuse, organizations should implement a layered defense strategy focused on application governance, identity monitoring, and endpoint security:
- Restrict User Consent: Configure Microsoft Entra ID (or equivalent) settings to prevent users from consenting to applications from unverified publishers. Ideally, implement an admin consent workflow where all new application integrations must be reviewed and approved by IT Security.
- Audit Enterprise Applications: Regularly review the "Enterprise Applications" blade in your identity provider. Remove any applications that have high-risk permissions, are unused, or lack a clear business owner.
- Monitor for Anomalous Redirections: Use SIEM/XDR logs to hunt for OAuth authorization requests that result in a high volume of redirection errors or those involving newly created or "look-alike" external tenants.
- Strengthen Conditional Access: Implement Conditional Access (CA) policies that require compliant, managed devices or specific IP ranges for accessing sensitive corporate resources, making it harder for an attacker to use a stolen session from an unmanaged machine.
- Endpoint Detection and Response (EDR): Ensure EDR policies are tuned to detect the "post-redirection" phase, specifically looking for HTML smuggling (e.g., unusual browser-initiated file creation) and the execution of PowerShell or CMD from downloaded LNK and ZIP files.
- Advanced Email Filtering: Enable features in your email security gateway that provide "Time-of-Click" protection and deep-link analysis to catch redirects that lead to known malicious infrastructure or newly registered domains (NRDs).
- Updated User Awareness: Train users to recognize that a legitimate login prompt is not a guarantee of safety. Encourage employees to report any unexpected "redirecting" screens or sudden downloads that occur immediately after they interact with a login page.
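As an added example (not code from the IT-ISAC advisory or from Microsoft's report) of the deep-link analysis and redirection hunting suggested above, the Python below scores an OAuth authorization URL the way a time-of-click filter could: it treats the trusted login host as only the first hop and checks the tenant segment, the redirect_uri host and the scope grammar. The tenant identifiers, approved hosts and sample links are constructed placeholders, and the RFC 6749 scope-token rule is the only part taken from a standard.

```python
from urllib.parse import urlparse, parse_qs

# Constructed allowlists for this example: the organisation's own Entra tenants and
# the redirect_uri hosts of applications IT Security has approved.
KNOWN_TENANTS = {"contoso.onmicrosoft.com", "11111111-2222-3333-4444-555555555555"}
APPROVED_REDIRECT_HOSTS = {"app.contoso.example", "portal.contoso.example"}
MULTI_TENANT_ENDPOINTS = {"common", "organizations", "consumers"}
# Identity-provider hosts whose authorize endpoints perform the by-design redirect.
IDP_HOSTS = {"login.microsoftonline.com", "accounts.google.com"}
# RFC 6749 section 3.3 scope-token characters: %x21 / %x23-5B / %x5D-7E
SCOPE_CHARS = {chr(c) for c in range(0x21, 0x7F)} - {'"', "\\"}


def assess_oauth_link(url: str) -> dict:
    """Return {'is_oauth_authorize': bool, 'findings': [reason, ...]} for one link.
    An empty findings list means no heuristic fired, not that the link is safe."""
    u = urlparse(url)
    host = (u.hostname or "").lower()
    q = {k: v[0] for k, v in parse_qs(u.query).items()}  # parse_qs percent-decodes
    findings = []
    if host not in IDP_HOSTS or not u.path.rstrip("/").endswith(("/authorize", "/auth")):
        return {"is_oauth_authorize": False, "findings": findings}
    # Entra puts the tenant first in the path; an unfamiliar tenant means the app
    # was registered in a directory we do not control.
    if host == "login.microsoftonline.com":
        tenant = u.path.strip("/").split("/")[0]
        if tenant not in KNOWN_TENANTS | MULTI_TENANT_ENDPOINTS:
            findings.append(f"foreign_tenant:{tenant}")
    # The pivot of the technique: the IdP hands the browser to redirect_uri, so the
    # link is only as trustworthy as that host, not as the trusted login prefix.
    rhost = (urlparse(q.get("redirect_uri", "")).hostname or "").lower()
    if not rhost:
        findings.append("missing_redirect_uri")
    elif rhost not in APPROVED_REDIRECT_HOSTS:
        findings.append(f"unapproved_redirect_host:{rhost}")
    # A scope the grammar forbids can never be granted, so the only effect of the
    # click is the error redirect itself.
    if any(not set(t) <= SCOPE_CHARS for t in q.get("scope", "").split()):
        findings.append("malformed_scope")
    return {"is_oauth_authorize": True, "findings": findings}


# Constructed sample links (placeholder identifiers, not real indicators).
LEGIT_LINK = ("https://login.microsoftonline.com/contoso.onmicrosoft.com/oauth2/v2.0/authorize"
              "?client_id=APP-ID-PLACEHOLDER&response_type=code&scope=openid+profile"
              "&redirect_uri=https%3A%2F%2Fapp.contoso.example%2Fcallback")
LURE_LINK = ("https://login.microsoftonline.com/99999999-9999-9999-9999-999999999999"
             "/oauth2/v2.0/authorize?client_id=APP-ID-PLACEHOLDER&response_type=code"
             "&scope=openid%20%22&redirect_uri=https%3A%2F%2Fesign-review.invalid%2Fview")
```

Feeding the findings list into the SIEM alongside the sign-in log lets the "high volume of redirection errors" hunt above be keyed on the redirect host rather than on the login domain every link shares.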
Link(s):
https://www.microsoft.com/en-us/sec...tion-abuse-enables-phishing-malware-delivery/