Microsoft Flags New OAuth-Based Phishing Attack Targeting Public Sector

<p><span style="font-weight: 400;">A new phishing campaign has been discovered that abuses a feature of the OAuth login flow. Security researchers from Microsoft Defender say attackers are misusing OAuth's normal redirection behaviour to send users to malicious websites. Unlike traditional phishing attacks that try to steal passwords or tokens directly, this method deliberately triggers an error in the authentication process, so the identity provider itself redirects the victim’s browser.</span></p>
<p><span style="font-weight: 400;">The campaign mainly targets government and public-sector organisations. Because the links point at trusted identity provider domains, many security filters do not flag them.</span></p>
<h2><span style="color: #ba372a;"><strong>New OAuth Phishing Attack Uses Redirect Trick</strong></span></h2>
<p><span style="font-weight: 400;">This new OAuth phishing attack works by abusing the normal error-handling process defined in the OAuth standard. Attackers first register fake applications inside their own cloud tenants. They then configure those applications with redirect links that lead to domains they control.</span></p>
<p><span style="font-weight: 400;">Phishing emails are sent with specially crafted OAuth authorisation links. These links target the Microsoft Entra ID login endpoint and include parameters designed to make the login fail. For example, the link requests an invalid permission, so the authentication attempt is rejected.</span></p>
<p><span style="font-weight: 400;">When the request fails, the identity system automatically redirects the browser to the attacker’s registered redirect link. Since this redirect is part of normal OAuth behaviour, many email and browser security systems do not block it.</span></p>
<h2><span style="color: #ba372a;"><strong>Five-Stage Phishing Attack Chain Explained</strong></span></h2>
<p><span style="font-weight: 400;">Researchers say the campaign follows a five-stage attack chain. First, attackers send phishing emails themed around e-signatures, financial documents, or meeting invites. Automated tools help them send large numbers of messages.</span></p>
<p><span style="font-weight: 400;">Second, clicking the link triggers a silent OAuth authorisation check. The link may also contain the victim’s encoded email address.</span></p>
<p><span style="font-weight: 400;">Third, the authentication request fails, and the identity provider redirects the user to the attacker’s website.</span></p>
<p><span style="font-weight: 400;">Fourth, victims may be taken to phishing pages or prompted to download malicious ZIP files.</span></p>
<p><span style="font-weight: 400;">Finally, the delivered malware can run PowerShell commands, collect system information, and connect to attacker-controlled servers.</span></p>
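<p>The two properties described above, a legitimate Entra ID authorisation link whose redirect target is an attacker-controlled host and a victim address embedded in the link, can both be checked when links are extracted from quarantined mail or proxy logs. The following is an added detection example, not code from Microsoft or from the report; the allowlist, the sample links and the client IDs are constructed, and the authorize endpoint host is assumed to be login.microsoftonline.com.</p>

```python
from urllib.parse import urlparse, parse_qs

# Assumption: host of the Entra ID authorize endpoint; add other identity providers as needed.
IDP_AUTHORIZE_HOSTS = {"login.microsoftonline.com"}

# Constructed allowlist of redirect hosts used by the organisation's approved applications.
TRUSTED_REDIRECT_HOSTS = {"portal.example.org", "myapps.example.org"}


def inspect_oauth_link(url: str, trusted_hosts=TRUSTED_REDIRECT_HOSTS) -> list[str]:
    """Return findings for one URL; an empty list means the link passed every check."""
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    # Only authorization requests matter here: the error redirect is issued by this endpoint.
    if host not in IDP_AUTHORIZE_HOSTS or not parsed.path.endswith("/authorize"):
        return []
    params = {k: v[0] for k, v in parse_qs(parsed.query).items()}  # parse_qs percent-decodes
    findings = []
    redirect_uri = params.get("redirect_uri")
    if redirect_uri is None:
        findings.append("authorize request without redirect_uri")
    else:
        # On any error (invalid scope included) the IdP sends the browser here; allowlist it.
        redirect_host = (urlparse(redirect_uri).hostname or "").lower()
        if redirect_host not in trusted_hosts:
            findings.append(f"redirect_uri host not on allowlist: {redirect_host or redirect_uri}")
    # A recipient address baked into the link suggests a per-victim lure rather than an app sign-in.
    if "@" in params.get("login_hint", ""):
        findings.append("recipient address embedded in login_hint")
    return findings


def scan_links(urls) -> dict[str, list[str]]:
    """Map each URL that produced findings to those findings; clean and non-OAuth links are dropped."""
    return {u: f for u in urls if (f := inspect_oauth_link(u))}


# Constructed sample links (e.g. extracted from quarantined mail); none are real campaign indicators.
SAMPLE_LINKS = [
    "https://login.microsoftonline.com/common/oauth2/v2.0/authorize?client_id=00000000-0000-0000-0000-000000000001"
    "&response_type=code&scope=openid&redirect_uri=https%3A%2F%2Fportal.example.org%2Fcallback",
    "https://login.microsoftonline.com/common/oauth2/v2.0/authorize?client_id=00000000-0000-0000-0000-000000000002"
    "&response_type=code&scope=openid%20not.a.real.permission&redirect_uri=https%3A%2F%2Flure.invalid%2Fr"
    "&login_hint=alice%40example.org",
    "https://www.example.org/docs/signing",
]

if __name__ == "__main__":
    for url, findings in scan_links(SAMPLE_LINKS).items():
        print(url, "->", "; ".join(findings))
```

<p>The check deliberately ignores the requested scope: whether the error comes from an invalid permission or anything else, the redirect target is what decides where the victim lands.</p>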
