Attackers are abusing OAuth's error redirects to push users from legitimate login pages to phishing or malware pages, without completing a sign-in or stealing tokens from the OAuth flow itself. The technique relies on a silent OAuth authentication flow (one that must succeed or fail without showing the user a prompt) combined with an intentionally invalid scope: the authorization server cannot satisfy the request, so it immediately returns an error redirect to the redirect URI registered by the attacker, sending the victim to attacker-controlled infrastructure. From the target's perspective, an email lure leads to a link that genuinely points at a Microsoft or Google authorization endpoint, so the visible URL carries a trusted domain.
The attack proceeds via the error redirect, which carries error parameters and the state value to the attacker's domain; the user is then shown a page that mimics a legitimate login or business site. Two malicious outcomes are possible: a phishing variant, in which an adversary-in-the-middle proxy relays the login to the real service and captures credentials and MFA responses in transit, or a malware delivery variant, in which the landing page triggers a download.
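The following is an added example, not code from the article or from the researchers it reports on. It models the flow described above in Python: a builder for the lure URL, a minimal stand-in for the authorization server's error-redirect behaviour (RFC 6749 section 4.1.2.1 delivers error, error_description and state to the redirect URI), and two checks a defender could run over proxy-log URLs. Assumptions: the "silent flow" is expressed with the OpenID Connect `prompt=none` parameter, the client_id, state, the attacker host `attacker.example` and the trusted application host `app.corp.example` are constructed placeholders, and the authorization server validates `redirect_uri` against the attacker's own app registration (which is why the attacker registers an app rather than exploiting an open redirect).

```python
"""Model of the OAuth error-redirect lure plus two log checks.
Added example with constructed placeholders; not the article's code."""
from urllib.parse import urlencode, urlparse, parse_qs

# Real authorization-endpoint hosts the lure is expected to use.
IDP_HOSTS = {"login.microsoftonline.com", "accounts.google.com"}


def build_lure(authorize_base, client_id, redirect_uri, state, scope="not.a.real.scope"):
    """Construct the authorize URL an attacker would embed in the email.

    prompt=none requests a silent flow (no consent or login UI may be shown),
    and the bogus scope guarantees the server answers with an error redirect
    to redirect_uri instead of ever issuing a code or token.
    """
    params = {
        "client_id": client_id,          # attacker's own registered app (placeholder)
        "response_type": "code",
        "redirect_uri": redirect_uri,    # registered for that app, on attacker's host
        "scope": scope,
        "prompt": "none",
        "state": state,
    }
    return f"{authorize_base}?{urlencode(params)}"


def simulate_error_redirect(authorize_url, valid_scopes):
    """Stand-in for the authorization server's behaviour on an invalid scope.

    Returns the Location the server would 302 to (redirect_uri plus error
    parameters and the echoed state), or None when the request is valid and
    a real flow would continue.  Assumes redirect_uri already passed the
    server's registration check.
    """
    q = parse_qs(urlparse(authorize_url).query)
    redirect_uri = q["redirect_uri"][0]
    requested = set(q.get("scope", [""])[0].split())
    if requested - set(valid_scopes):
        err = {
            "error": "invalid_scope",
            "error_description": "constructed message: scope not recognised",
            "state": q.get("state", [""])[0],
        }
        sep = "&" if urlparse(redirect_uri).query else "?"
        return f"{redirect_uri}{sep}{urlencode(err)}"
    return None


def error_params(url):
    """Flatten the query string of a redirect target to single values."""
    return {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}


def flag_suspicious_authorize(url, trusted_redirect_hosts):
    """Check 1: an authorize request to a known IdP with prompt=none whose
    redirect_uri host is not one of our own registered application hosts.
    Returns a finding dict, or None when the URL does not match."""
    p = urlparse(url)
    if p.netloc not in IDP_HOSTS:
        return None
    q = error_params(url)
    rhost = urlparse(q.get("redirect_uri", "")).netloc
    if q.get("prompt") == "none" and rhost and rhost not in trusted_redirect_hosts:
        return {"idp": p.netloc, "redirect_host": rhost, "scope": q.get("scope", "")}
    return None


def flag_error_redirect(url, trusted_redirect_hosts):
    """Check 2: a URL on a non-trusted host carrying OAuth error parameters
    and a state value, i.e. the redirect target itself as seen in proxy logs."""
    p = urlparse(url)
    q = error_params(url)
    if "error" in q and "state" in q and p.netloc not in trusted_redirect_hosts:
        return {"host": p.netloc, "error": q["error"], "state": q["state"]}
    return None


if __name__ == "__main__":
    ms = "https://login.microsoftonline.com/common/oauth2/v2.0/authorize"
    lure = build_lure(ms, "11111111-2222-3333-4444-555555555555",
                      "https://attacker.example/cb", "s3cr3t")
    print("lure    :", lure)
    loc = simulate_error_redirect(lure, {"openid", "profile", "User.Read"})
    print("redirect:", loc)
    print(flag_suspicious_authorize(lure, {"app.corp.example"}))
    print(flag_error_redirect(loc, {"app.corp.example"}))
```

The first check is the more useful one in practice: the authorize request is the only artifact on a trusted domain that names the attacker's host, while the error redirect itself is indistinguishable from a benign one except for the destination host, so both checks need an allowlist of redirect hosts for the organisation's own registered applications.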
The article emphasises that because the attacker never needs a token from the flow, nothing in it has to succeed: the user is shown no consent screen and no sign-in completes, so the only thing a victim or a defender sees is a redirect leaving a trusted domain, which looks far less suspicious than a consent request or a token grant. It urges vigilance and careful verification of unfamiliar redirect destinations.