Microsoft researchers warn that threat actors are abusing OAuth URL redirection to target government and public-sector organizations and deliver malware, turning a legitimate by-design feature into an identity-based threat that can bypass email and browser controls. According to Microsoft Defender researchers, phishing campaigns exploit OAuth protocol functionality to manipulate URL redirection and evade conventional phishing defenses across email and browsers.
Attackers register malicious OAuth applications in tenants they control and send phishing emails with crafted links that appear to reference documents, payments, or meetings, guiding victims to attacker-controlled pages via trusted URLs such as Entra ID or Google Workspace. The redirects can start a silent OAuth flow using manipulated parameters such as prompt=none or invalid scopes, so that the identity provider returns an error rather than an authentication prompt and forwards the victim to the attacker's redirect URI, where the attacker's domain hosts the next stage of the attack.
In some campaigns, victims receive a ZIP file containing a malicious LNK shortcut that, when opened, runs PowerShell commands, performs reconnaissance, and connects to a command-and-control server, moving from credential targeting to full endpoint compromise. Organizations are urged to tighten OAuth governance, limit user consent, review app permissions regularly, and ensure cross-domain detection across email, identity, and endpoints to counter these abuses.
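As an added example of the email-side detection the two paragraphs above call for (not code from Microsoft or the report), the following triage function parses links to the Entra ID and Google authorize endpoints and flags the traits described: a client_id the tenant has not approved, a redirect_uri outside approved hosts, prompt=none, and unrecognised scope values. The allowlists, the "known scope" set and the sample URLs are constructed assumptions; a real deployment would load them from the tenant's app registry.

```python
from urllib.parse import urlparse, parse_qs

# Identity-provider hosts the report names as abused trusted redirectors (assumed endpoints).
IDP_AUTHORIZE_HOSTS = {"login.microsoftonline.com", "accounts.google.com"}
# Constructed allowlists standing in for the tenant's approved app registrations.
APPROVED_CLIENT_IDS = {"00000000-0000-0000-0000-00000000abcd"}
APPROVED_REDIRECT_HOSTS = {"www.office.com", "teams.microsoft.com"}
# Constructed set of scope values the tenant expects to see in legitimate requests.
KNOWN_SCOPES = {"openid", "profile", "email", "offline_access",
                "user.read", "https://graph.microsoft.com/.default"}


def triage_oauth_link(url: str) -> list[str]:
    """Return risk findings for an OAuth authorize URL; empty list if benign or not OAuth."""
    u = urlparse(url)
    host = (u.hostname or "").lower()
    if host not in IDP_AUTHORIZE_HOSTS or "authorize" not in u.path.lower():
        return []  # not an authorize request: nothing to inspect here
    q = {k: v[0] for k, v in parse_qs(u.query).items()}  # parse_qs percent-decodes values
    findings = []
    client_id = q.get("client_id", "")
    if client_id not in APPROVED_CLIENT_IDS:
        findings.append(f"unapproved client_id {client_id or '<missing>'}")
    rhost = (urlparse(q.get("redirect_uri", "")).hostname or "").lower()
    if rhost and rhost not in APPROVED_REDIRECT_HOSTS:
        findings.append(f"redirect_uri host {rhost} not in approved set")
    if q.get("prompt") == "none":
        findings.append("prompt=none requests a silent flow with no user interaction")
    unknown = {s for s in q.get("scope", "").split() if s.lower() not in KNOWN_SCOPES}
    if unknown:
        findings.append(f"unrecognised scope(s) {sorted(unknown)} may be used to force an error redirect")
    return findings


# Constructed sample links: one legitimate, one matching the abuse pattern described above.
SAMPLE_BENIGN = ("https://login.microsoftonline.com/common/oauth2/v2.0/authorize"
                 "?client_id=00000000-0000-0000-0000-00000000abcd"
                 "&redirect_uri=https%3A%2F%2Fwww.office.com%2Flanding&scope=openid%20profile&response_type=code")
SAMPLE_SUSPICIOUS = ("https://login.microsoftonline.com/common/oauth2/v2.0/authorize"
                     "?client_id=11111111-2222-3333-4444-555555555555"
                     "&redirect_uri=https%3A%2F%2Fdocs-review.example%2Fcb"
                     "&prompt=none&scope=openid%20invalid.scope&response_type=code")

if __name__ == "__main__":
    for label, link in (("benign", SAMPLE_BENIGN), ("suspicious", SAMPLE_SUSPICIOUS)):
        print(label, triage_oauth_link(link))
```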