
What happened
Microsoft reports that attackers are abusing standard OAuth error handling: when an identity provider rejects an authorization request, it delivers the error by redirecting the browser to the app's registered redirect URI. A link that starts on the provider's own trusted domain can therefore land the victim on an attacker-controlled page.
Observed campaigns target government and public-sector organizations and use believable lures: e-signature requests, password reset notices, meeting invites, and financial or government-themed messages.
How the attack works
- Adversaries register their own OAuth app with the identity provider and set an attacker-controlled redirect URI on it.
- They send victims authorization links that the provider is guaranteed to reject, for example with an invalid scope, or with prompt=none so that any request needing user interaction fails.
- Because the redirect URI is registered to the app, the provider treats it as valid and, as the protocol specifies, returns the error by redirecting the browser to that URI with error= parameters appended.
- Victims land on phishing pages or malware download paths, having started from a URL on the real identity-provider domain.
Why this matters
- The identity provider is behaving exactly as specified, and the link the victim clicks is on the provider's real domain, so URL-reputation and domain-based checks see a legitimate host.
- The redirect chain moves the victim off the trusted domain after the trust cue has been seen, which can bypass some anti-phishing controls.
- In some cases the landing page is an attacker-in-the-middle proxy that relays the real sign-in and captures the session token after the victim completes MFA, so MFA alone does not prevent the account takeover.
Defensive actions
- Tighten OAuth app consent and app-registration controls: restrict who can register apps and consent to them, and review existing registrations for redirect URIs outside your approved domains.
- Enforce Conditional Access and stronger identity protections, such as phishing-resistant authentication and session controls, so that a stolen session token is less useful.
- Correlate detections across email, identity provider logs, and endpoint telemetry, since the lure, the authorization request and the follow-on download appear in different data sources.
- Block suspicious redirect patterns and inspect OAuth error-driven redirect traffic: authorization requests whose redirect_uri points outside approved domains, particularly with prompt=none or scopes the provider rejects, and provider responses that carry error= parameters to such hosts.
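The following added example (not code from the article or from Microsoft) models the error-redirect flow described under "How the attack works" and the log check suggested under "Defensive actions" in one script. The provider logic is a simplified model of the behaviour RFC 6749 section 4.1.2.1 and OpenID Connect Core section 3.1.2.6 require, not any vendor's implementation; every host name, client_id, scope list and URL is a constructed sample.

```python
"""Model of OAuth error-redirect abuse plus a detector for it (added example)."""
from urllib.parse import urlsplit, urlencode, parse_qs

# Hypothetical identity-provider authorize endpoint (assumption, not a real tenant).
AUTHORIZE_ENDPOINT = "https://login.idp.example/oauth2/v2.0/authorize"

# Constructed app registrations: client_id -> registered redirect URIs.
# The second app was registered by the attacker with a hostile redirect URI.
CORP_CLIENT = "11111111-aaaa-4bbb-8ccc-000000000001"
ATTACKER_CLIENT = "22222222-aaaa-4bbb-8ccc-000000000002"
REGISTERED_APPS = {
    CORP_CLIENT: {"https://portal.corp.example/signin-oidc"},
    ATTACKER_CLIENT: {"https://docs-esign.attacker.example/cb"},
}
VALID_SCOPES = {"openid", "profile", "email", "offline_access", "User.Read"}
TRUSTED_REDIRECT_HOSTS = {"portal.corp.example"}   # defender's allow-list


def _query(url):
    return {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}


def build_authorize_url(client_id, redirect_uri, scope, prompt=None, state="x1"):
    """Build the authorization request URL that a lure e-mail would carry."""
    params = {"client_id": client_id, "response_type": "code",
              "redirect_uri": redirect_uri, "scope": scope, "state": state}
    if prompt:
        params["prompt"] = prompt
    return f"{AUTHORIZE_ENDPOINT}?{urlencode(params)}"


def provider_response(url, user_signed_in=False):
    """Simplified provider. Returns (status, Location header or None, error code)."""
    q = _query(url)
    client_id, redirect_uri = q.get("client_id"), q.get("redirect_uri")
    # RFC 6749 4.1.2.1: an unregistered redirect_uri must NOT cause a redirect.
    if redirect_uri not in REGISTERED_APPS.get(client_id, set()):
        return 400, None, "invalid_request"
    error = None
    if not set(q.get("scope", "").split()) <= VALID_SCOPES:
        error = "invalid_scope"
    elif q.get("prompt") == "none" and not user_signed_in:
        error = "login_required"            # OIDC Core 3.1.2.6
    if error is None:
        return 200, None, None              # would render sign-in / consent
    # The error is delivered by redirecting to the registered URI, as designed:
    # this is the step the attacker relies on.
    sep = "&" if "?" in redirect_uri else "?"
    location = f"{redirect_uri}{sep}{urlencode({'error': error, 'state': q.get('state', '')})}"
    return 302, location, error


def flag_authorize_url(url):
    """Reasons an authorization request seen in e-mail/proxy logs looks abusive."""
    q = _query(url)
    reasons = []
    if "redirect_uri" not in q:
        return reasons
    host = urlsplit(q["redirect_uri"]).hostname or ""
    if host not in TRUSTED_REDIRECT_HOSTS:
        reasons.append(f"redirect_uri host not allow-listed: {host}")
    if q.get("prompt") == "none":
        reasons.append("prompt=none in a user-delivered link (forces an error redirect)")
    unknown = set(q.get("scope", "").split()) - VALID_SCOPES
    if unknown:
        reasons.append(f"scope(s) the provider will reject: {sorted(unknown)}")
    return reasons


def flag_error_redirect(location):
    """True when a 302 Location carries an OAuth error= to an untrusted host."""
    parts = urlsplit(location)
    return "error" in parse_qs(parts.query) and (parts.hostname or "") not in TRUSTED_REDIRECT_HOSTS


def run_lure():
    """Walk the constructed lure through the provider and the detector."""
    lure = build_authorize_url(ATTACKER_CLIENT, "https://docs-esign.attacker.example/cb",
                               "openid", prompt="none")
    status, location, error = provider_response(lure, user_signed_in=False)
    return status, location, error, flag_authorize_url(lure), flag_error_redirect(location)


if __name__ == "__main__":
    for item in run_lure():
        print(item)
```

Two points the model makes concrete: the provider's only real gate is whether redirect_uri is registered, so the control that matters is who may register apps and what URIs they may set; and prompt=none is legitimate in silent token renewal from single-page apps, so the detector is meant for links delivered to users (mail URL-rewriting or proxy logs), not for all authorize traffic.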
Bottom line
This is an identity-layer attack pattern, not just an email problem. Defenders should treat OAuth redirect abuse as part of core phishing and malware defense strategy.
