A recent cybersecurity alert from Microsoft highlights a new phishing attack exploiting OAuth’s legitimate redirect behavior, evading traditional email and browser defenses without the need for token theft.
Researchers from Microsoft Defender have observed that these phishing campaigns focus on government and public-sector entities, with attackers leveraging trusted identity provider domains to disguise harmful redirects.
Understanding the OAuth Exploit
This phishing method differs from conventional approaches by abusing OAuth’s standard error-handling flows as specified in RFC 6749. Attackers register harmful applications within actor-controlled tenants, configure redirect URIs to attacker-owned domains, and then distribute phishing links that initiate a silent OAuth authorization process.
The URLs are crafted to target Microsoft Entra ID’s /common/oauth2/v2.0/authorize endpoint, intentionally misusing parameters so that the request fails rather than succeeds. This allows the identity provider to silently evaluate session state and Conditional Access policies before redirecting the browser to the attacker’s domain, all without stealing access tokens.
Detailed Attack Chain
The attack unfolds in five stages, beginning with phishing emails that often mimic e-signature requests, Social Security notices, and other official communications. Some emails contain the OAuth redirect URLs directly, while others hide them within PDF attachments.
Once the link is clicked, it triggers the OAuth authorization flow, using the state parameter to encode the victim’s email address in various formats. Entra ID then returns an error code, indicating the need for interactive MFA, which attackers use to gather valuable intelligence without needing to steal tokens.
Subsequent stages involve redirecting victims to phishing frameworks capable of intercepting credentials and session cookies. In specific cases, victims are led to download malicious files containing executable shortcuts and loaders, which execute reconnaissance and establish unauthorized connections.
Mitigation Strategies
To counter this threat, Microsoft advises organizations to implement several defensive measures: restrict user consent to OAuth applications, audit and remove unnecessary or overprivileged app registrations, and enable Conditional Access policies and identity protection controls.
Additionally, deploying cross-domain XDR detections and monitoring OAuth redirect URIs for suspicious activity are recommended. While Microsoft has disabled the identified malicious applications, continued vigilance is necessary as similar attacks persist.
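As an added illustration of the redirect-URI monitoring recommended above (example code written for this page, not Microsoft’s own detection logic), the script below parses Entra ID authorize URLs taken from mail or proxy logs and flags the two signals the attack chain describes: a redirect_uri host outside an assumed allow-list and a state value that encodes an email address in plain, URL-encoded or base64 form. The allow-list, sample URLs and domains are constructed for the example.

```python
import base64
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Hypothetical allow-list: redirect hosts used by this organization's own app registrations.
ALLOWED_REDIRECT_HOSTS = {"myapps.contoso.example"}
AUTHORIZE_HOST = "login.microsoftonline.com"
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def decode_state(state: str):
    """Return the email address hidden in a state value (plain, URL-encoded or base64), else None."""
    candidates = [state, unquote(state)]
    padded = state + "=" * (-len(state) % 4)  # tolerate stripped base64 padding
    for decoder in (base64.b64decode, base64.urlsafe_b64decode):
        try:
            candidates.append(decoder(padded).decode("utf-8"))
        except Exception:  # not valid base64 or not valid UTF-8: skip this decoding
            pass
    for value in candidates:
        if EMAIL_RE.match(value.strip()):
            return value.strip()
    return None


def assess_authorize_url(url: str) -> dict:
    """Score one URL seen in mail or proxy logs; only Entra ID /authorize requests are examined."""
    parts = urlsplit(url)
    result = {"url": url, "suspicious": False, "findings": [], "redirect_host": None, "state_email": None}
    if parts.netloc.lower() != AUTHORIZE_HOST or "/oauth2/v2.0/authorize" not in parts.path:
        return result
    params = {k: v[0] for k, v in parse_qs(parts.query).items()}
    redirect_uri = params.get("redirect_uri")
    if redirect_uri:
        host = (urlsplit(redirect_uri).hostname or "").lower()
        result["redirect_host"] = host
        if host not in ALLOWED_REDIRECT_HOSTS:
            result["findings"].append(f"redirect_uri host not allow-listed: {host}")
    email = decode_state(params.get("state", ""))
    if email:
        result["state_email"] = email
        result["findings"].append(f"state parameter encodes a user identity: {email}")
    result["suspicious"] = bool(result["findings"])
    return result


# Constructed sample URLs (not taken from the campaign): one benign, one matching the described pattern.
SAMPLE_URLS = [
    "https://login.microsoftonline.com/common/oauth2/v2.0/authorize?client_id=00000000-0000-0000-0000-000000000001"
    "&response_type=code&redirect_uri=https%3A%2F%2Fmyapps.contoso.example%2Fcallback&state=abc123",
    "https://login.microsoftonline.com/common/oauth2/v2.0/authorize?client_id=00000000-0000-0000-0000-000000000002"
    "&response_type=code&redirect_uri=https%3A%2F%2Fdocs-review.attacker.example%2Fcb&state=YWxpY2VAY29udG9zby5leGFtcGxl",
]

if __name__ == "__main__":
    for sample in SAMPLE_URLS:
        print(assess_authorize_url(sample))
```

In practice the allow-list would be generated from the tenant’s registered reply URLs, and hits would be correlated with the sign-in log error returned for the same request.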
As traditional MFA and credential defenses are strengthened, attackers are increasingly exploiting trust relationships within authentication protocols, making it crucial for organizations to stay informed and proactive.
