Microsoft Warns: OAuth Redirection Abuse Powers New Wave of Phishing and Malware Attacks

OAuth 2.0 is one of the most widely used authorization protocols, allowing users to grant applications limited access to their resources (like email or files) without sharing passwords. Legitimate OAuth flows involve:

  1. Redirecting a user to an identity provider (IdP) for authentication.
  2. The IdP issuing an authorization code.
  3. The user being redirected back to the requesting application with that code.

This redirection behavior is a normal part of OAuth, but the very mechanisms that make OAuth flexible can also be exploited.


What Microsoft Observed

Microsoft Defender’s threat analysts identified a phishing-led exploitation of OAuth redirection flows that allowed attackers to:

  • Abuse by-design redirect functionality in OAuth.
  • Redirect users to attacker-controlled infrastructure.
  • Deliver phishing pages and malware without ever stealing access tokens.

Notably, threat actors did not need to capture credentials or tokens directly from the OAuth server — instead they relied on crafted URLs and protocol behavior.


Technical Breakdown of the Attack

1. Crafting Malicious OAuth Redirect URLs

Attackers created malicious OAuth applications and registered redirect URIs pointing to domains they control (e.g., hosting malware). They then distributed links that appeared to be legitimate OAuth authorization URLs (e.g., Microsoft Entra ID authorization endpoints).

By misusing parameters such as:

  • prompt=none
  • an invalid or unexpected scope
  • a manipulated state parameter

…they forced the identity provider into an error-triggered redirect to the attacker’s domain without a real authorization event ever taking place.

2. Distribution via Phishing Email

Malicious links were embedded in crafted emails themed around:

  • Document sharing or e-signatures
  • Password resets
  • Calendar invites
  • Organizational notices

Some campaigns even hid the OAuth URL within attachments like PDFs.

3. Silent OAuth Probing & Redirection

When a victim clicked the link:

  • The browser initiated a normal OAuth flow to the identity provider.
  • The combination of parameters triggered an error path in the OAuth endpoint.
  • The IdP generated an error redirect that forwarded the user to the attacker’s redirect URI — along with residual parameters such as encoded email addresses.

4. Credential Theft and Malware Delivery

Once redirected:

  • Users were often presented with phishing pages that harvested credentials.
  • In some campaigns, users were routed to pages that automatically downloaded malicious archives (e.g., ZIP files containing payloads like LNK shortcuts).
  • These files then triggered further execution via PowerShell, DLL side-loading, and stealthy C2 connections.

This demonstrates a dual threat — both phishing and direct malware delivery — from a single abuse mechanism.


Key Characteristics of These Abuses

  • No need for token theft: Attackers did not rely on tokens from the identity provider.
  • Protocol misuse: OAuth error paths and redirection behavior were repurposed without breaking the protocol.
  • Trusted redirect origins: By using identity provider domains (Microsoft/Google), the URLs appeared more legitimate, bypassing some defenses.
  • Social engineering focus: The success heavily depended on convincing targets to click links.

This aligns with broader trends where phishing is blended with legitimate cloud services to increase trust and evade detection.


Detection & Mitigation Strategies

To defend against this class of attack, organizations should consider:

Identity Governance

  • Limit which OAuth apps users can consent to.
  • Review and remove unused or unnecessary OAuth applications.
  • Enforce least-privilege permissions.

Conditional Access & MFA

  • Use robust conditional access policies to enforce MFA on high-risk requests or abnormal patterns.

Email & Endpoint Protection

  • Monitor email domains and link redirections for anomalies.
  • Use sandbox and ML-driven URL analysis to spot malicious redirects.
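As an added example (not code from Microsoft's report or from this page), the following Python triage function applies the indicators from the attack breakdown above to an OAuth authorize link extracted from an email, the kind of link-redirection check the previous bullets call for: it compares the redirect_uri host against an allow-list, flags prompt=none and unexpected scope values, and spots email addresses carried in parameters that would ride along on an error redirect. The allow-lists, scope set, hostnames and both sample links are constructed for illustration.

```python
import re
from urllib.parse import urlparse, parse_qs, unquote

# Constructed allow-lists for illustration; a real deployment would load the
# tenant's approved app registrations and their registered redirect URIs.
KNOWN_IDP_HOSTS = {"login.microsoftonline.com", "accounts.google.com"}
APPROVED_REDIRECT_HOSTS = {"app.contoso.example"}
EXPECTED_SCOPES = {"openid", "profile", "email", "offline_access", "user.read"}
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")

def triage_oauth_link(url):
    """Return the reasons an authorize URL looks like redirect abuse ([] if none)."""
    parsed = urlparse(url)
    if (parsed.hostname or "").lower() not in KNOWN_IDP_HOSTS:
        return []  # not an IdP authorization link; this check does not apply
    # parse_qs decodes once; unquote again in case a value was double-encoded
    params = {k: unquote(v[0]) for k, v in parse_qs(parsed.query).items()}
    reasons = []
    redirect_host = (urlparse(params.get("redirect_uri", "")).hostname or "").lower()
    if redirect_host and redirect_host not in APPROVED_REDIRECT_HOSTS:
        reasons.append(f"redirect_uri points to unapproved host {redirect_host}")
    if params.get("prompt") == "none":
        reasons.append("prompt=none asks for a silent flow; a mailed link has no reason to")
    if "scope" in params:
        unexpected = set(params["scope"].lower().split()) - EXPECTED_SCOPES
        if unexpected:
            reasons.append(f"unexpected scope values: {sorted(unexpected)}")
    for name, value in params.items():
        if EMAIL_RE.match(value):
            reasons.append(f"{name} carries an email address that rides along on any error redirect")
    return reasons

# Constructed sample links: one ordinary authorize URL for an approved app,
# one showing the parameter pattern described in the report.
BENIGN_LINK = ("https://login.microsoftonline.com/common/oauth2/v2.0/authorize"
               "?client_id=00000000-0000-0000-0000-000000000000&response_type=code"
               "&redirect_uri=https%3A%2F%2Fapp.contoso.example%2Fcallback"
               "&scope=openid%20profile&state=abc123")
SUSPICIOUS_LINK = ("https://login.microsoftonline.com/common/oauth2/v2.0/authorize"
                   "?client_id=00000000-0000-0000-0000-000000000000&response_type=code"
                   "&redirect_uri=https%3A%2F%2Fdocs-review.invalid%2Fopen&prompt=none"
                   "&scope=openid%20files.sync&login_hint=victim%40contoso.example&state=x")

if __name__ == "__main__":
    for link in (BENIGN_LINK, SUSPICIOUS_LINK):
        print(link[:60], "->", triage_oauth_link(link) or "nothing flagged")
```

Because the IdP host itself is legitimate, a reputation lookup on the link alone passes; the signal is in the query parameters, which is why the check parses them rather than the domain.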

Security Monitoring

Cross-signal detection across email, identity, and endpoint telemetry is crucial — as attacks often leverage multiple layers.


Why This Matters

This abuse technique signals a significant shift in attacker behavior:

  • Exploiting legitimate, by-protocol features rather than vulnerabilities.
  • Blending identity flows with malware distribution, not just credential theft.
  • Increasing complexity that traditional phishing defenses can miss.

Industry telemetry shows similar OAuth abuse patterns rising in recent years, with threat actors increasingly leveraging device code flows and consent phishing to access accounts.


Summary

Attack Stage           | Technique Used
-----------------------|-------------------------------------------------------
Email Delivery         | Phishing links with OAuth URLs
Redirect Abuse         | Misuse of OAuth parameters to force an error redirect
Credential Harvesting  | Hosted phishing pages at attacker domains
Malware Delivery       | Auto-download of malicious files via redirect

Final Thoughts

OAuth redirection abuse demonstrates that threat actors are evolving with the protocols defenders rely on. Rather than searching for bugs, attackers are turning flexibility and composability into weapons.

Security teams must adapt by focusing not only on credential theft vectors but on how standard protocols can be misused — and ensure defenses are capable of tracking multi-stage abuse that crosses authentication, identity, and endpoint boundaries.