ACCORDING to the Microsoft Defender Security Research Team, Microsoft has observed phishing-led exploitation of OAuth's by-design redirection behaviour, aimed at government and public-sector organisations. The lures point at a legitimate identity-provider authorize endpoint and use silent authentication flows (prompt=none) together with intentionally invalid scopes, so that the resulting OAuth error response redirects victims to attacker-controlled infrastructure. No tokens are stolen: the identity provider is used only as a trusted-looking hop, which is why token-theft-centred monitoring does not see the attack.
The analysis details a five-stage campaign. Stage 1 is email delivery of messages containing OAuth authorize URLs on the identity provider's own domain. Stage 2 is a silent OAuth probe: the request carries parameters such as prompt=none (which forbids any interactive sign-in) and invalid scopes, so the authorization server cannot complete it and, as the OAuth specification requires for error responses, sends the browser to the application's registered redirect_uri, which the attacker controls. Stage 3 follows that error redirect with an interactive authentication step, after which the attacker can direct the victim to malicious landing pages where follow-on activity such as a malware download can occur. Because the link the victim clicks is on the identity provider's legitimate domain, URL reputation alone will not catch it; the anomalies are in the query string (prompt=none, unfamiliar scopes, a redirect_uri or client_id the tenant never approved).
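The following is an added example, not code from the Microsoft report or from any Microsoft tool. It does two things for the mechanism described above: it models, per RFC 6749 and OpenID Connect Core, why an authorize request with prompt=none or an unknown scope ends with the browser on the attacker's redirect_uri and no token issued, and it flags such URLs in mail-gateway or proxy logs. The allowlists, client_ids, hostnames (other than the identity-provider host) and log lines are all constructed assumptions; the order in which the model checks scope before prompt is a modelling choice, not a statement about any real server.

```python
"""Added example, not code from the Microsoft report: (1) model why an OAuth
authorize request with prompt=none or an invalid scope lands the victim on the
attacker's redirect_uri without any token being issued, and (2) flag such URLs
in mail-gateway or proxy logs. Every client_id, redirect host and log line here
is constructed for illustration."""
import re
from urllib.parse import parse_qs, urlencode, urlparse, urlunparse

# Assumed allowlist of redirect hosts registered by apps the tenant approved.
APPROVED_REDIRECT_HOSTS = {"app.example-org.gov", "portal.example-org.gov"}
# Assumed set of scopes normally requested in this tenant; anything else is unusual.
KNOWN_SCOPES = {"openid", "profile", "email", "offline_access", "User.Read"}
# Identity-provider host whose authorize endpoint is being used as a hop.
IDP_HOSTS = {"login.microsoftonline.com"}

def parse_authorize_url(url):
    """Split an OAuth authorize URL into its single-valued query parameters."""
    u = urlparse(url)
    params = {k: v[0] for k, v in parse_qs(u.query).items()}
    params["_host"] = u.netloc.lower()
    params["_path"] = u.path
    return params

def simulate_error_redirect(url):
    """Model of RFC 6749 sec. 4.1.2.1 / OIDC Core error handling: an unknown scope
    yields error=invalid_scope; prompt=none with no usable session yields
    interaction_required (OIDC also defines login_required and similar). In both
    cases no code or token is issued and the browser is redirected to the
    registered redirect_uri, which here is the attacker's. Checking scope before
    prompt is a modelling choice only."""
    p = parse_authorize_url(url)
    unknown = set(p.get("scope", "").split()) - KNOWN_SCOPES
    if unknown:
        err = "invalid_scope"
    elif p.get("prompt") == "none":
        err = "interaction_required"
    else:
        return None  # ordinary interactive flow: no error redirect happens
    r = urlparse(p["redirect_uri"])
    q = {"error": err}
    if "state" in p:
        q["state"] = p["state"]  # state is echoed back unchanged
    return urlunparse(r._replace(query=urlencode(q)))

def flag_authorize_url(url):
    """Return the set of suspicious traits of an authorize URL (empty if none)."""
    p = parse_authorize_url(url)
    if p["_host"] not in IDP_HOSTS or not p["_path"].endswith("/authorize"):
        return set()
    tags = set()
    if p.get("prompt") == "none":
        tags.add("silent_probe")
    redirect_host = urlparse(p.get("redirect_uri", "")).netloc.lower()
    if redirect_host and redirect_host not in APPROVED_REDIRECT_HOSTS:
        tags.add("unapproved_redirect")
    if set(p.get("scope", "").split()) - KNOWN_SCOPES:
        tags.add("unknown_scope")
    return tags

URL_RE = re.compile(r"url=(\S+)")

def triage_log(lines):
    """Scan constructed 'url=' log lines; return [(line_no, sorted tags)] for hits."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = URL_RE.search(line)
        if not m:
            continue
        tags = flag_authorize_url(m.group(1))
        if tags:
            hits.append((n, sorted(tags)))
    return hits

# Constructed samples. The first is a normal request from an approved app; the
# second shows the pattern described in the report: prompt=none, an invalid
# scope, and a redirect_uri on a host the tenant never approved.
BENIGN_URL = ("https://login.microsoftonline.com/common/oauth2/v2.0/authorize?"
              "client_id=11111111-1111-1111-1111-111111111111&response_type=code"
              "&redirect_uri=https%3A%2F%2Fapp.example-org.gov%2Fcb"
              "&scope=openid%20User.Read&state=abc")
SUSPICIOUS_URL = ("https://login.microsoftonline.com/common/oauth2/v2.0/authorize?"
                  "client_id=22222222-2222-2222-2222-222222222222&response_type=code"
                  "&redirect_uri=https%3A%2F%2Fupdates.example.net%2Fcb"
                  "&scope=openid%20bogus.scope&prompt=none&state=xyz")
SAMPLE_LOG = [  # constructed mail-gateway lines
    "T1 mailgw rcpt=alice@example-org.gov url=" + BENIGN_URL,
    "T2 mailgw rcpt=bob@example-org.gov url=" + SUSPICIOUS_URL,
    "T3 mailgw rcpt=bob@example-org.gov url=https://www.example-org.gov/news",
]

if __name__ == "__main__":
    print(simulate_error_redirect(SUSPICIOUS_URL))
    print(triage_log(SAMPLE_LOG))
```

Run stand-alone it prints the error redirect the model produces for the suspicious URL and the single flagged log line. In practice the allowlist would be built from the tenant's registered applications and their redirect URIs, and a hit on "silent_probe" plus "unapproved_redirect" is a stronger signal than either alone.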
Stage 4 describes payload delivery: the redirect chain ends at a ZIP file containing LNK shortcuts and HTML smuggling loaders. Stage 5 documents endpoint impact, including PowerShell execution, DLL side-loading, and hands-on-keyboard activity that culminates in a connection to an external C2 endpoint. The researchers note that the abuse is operational, observed in the wild rather than theoretical, and recommend governance over OAuth redirect URIs and the applications that register them, cross-domain XDR detections that correlate identity, email and endpoint telemetry (no single domain sees the whole chain), and ongoing monitoring of OAuth applications to mitigate phishing and malware delivery.