Microsoft Warns of New OAuth Phishing Technique Abusing Trusted Login Redirects
Microsoft has been tightening its security posture, recently rolling out a new Defender deployment onboarding experience. Now the company is warning about a sophisticated OAuth phishing technique that abuses legitimate authentication flows.
OAuth Redirect Feature Used in Phishing Campaigns
Researchers from Microsoft Defender have uncovered phishing campaigns that misuse OAuth’s built-in redirection behavior to deliver malware and redirect victims to malicious websites.
Importantly, the attack does not break the OAuth protocol or steal authentication tokens directly. Instead, it exploits how OAuth handles error redirection, abusing behavior that is intended and already present in the protocol.
How the OAuth Phishing Technique Works
Attackers begin by registering a malicious OAuth application inside their own Microsoft or Google tenant. They configure the app’s redirect URI to point to a domain they control.
Next, they generate a crafted OAuth login link that appears legitimate, often using trusted domains such as login.microsoftonline.com. The link contains specific parameters designed to trigger a silent authentication failure, such as using prompt=none or requesting an invalid scope.
Victims receive the link through phishing emails disguised as e-signature requests, Teams invitations, or password reset notifications. When the victim clicks the link, it opens a real Microsoft or Google login endpoint.
The identity provider processes the request and detects an authentication error. Because OAuth is designed to redirect users back to the application’s registered redirect URI in case of failure, the browser is automatically sent to the attacker-controlled domain.
This creates a convincing attack chain where the victim moves from a trusted authentication page to a malicious site without obvious warning signs.
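As an added defensive example (not code from Microsoft or from the article), the check below parses an inbound authorization link and flags the signals described above: a redirect_uri whose domain is outside an allowlist, a client_id the organization has not registered or consented to, and prompt=none. The allowlists and the two sample links are constructed placeholders.

```python
from urllib.parse import parse_qs, urlparse

# Identity-provider hosts whose authorize endpoints the technique relies on.
IDP_HOSTS = {"login.microsoftonline.com", "accounts.google.com"}
# Hypothetical allowlists: app registrations the organisation knows, and the
# domains those apps are registered to redirect to.
KNOWN_CLIENT_IDS = {"11111111-2222-3333-4444-555555555555"}
TRUSTED_REDIRECT_DOMAINS = {"app.example.com"}


def analyze_oauth_link(url: str) -> list[str]:
    """Return findings for one URL; an empty list means nothing suspicious."""
    parsed = urlparse(url)
    if parsed.hostname not in IDP_HOSTS or "authorize" not in parsed.path:
        return []  # not an IdP authorization link; out of scope for this check
    q = parse_qs(parsed.query)
    client_id = q.get("client_id", [""])[0]
    redirect_host = urlparse(q.get("redirect_uri", [""])[0]).hostname or ""
    prompt = q.get("prompt", [""])[0]

    findings = []
    # The IdP sends the browser to redirect_uri on success *and* on error, so an
    # unrecognised destination is the central signal in this campaign.
    if redirect_host and redirect_host not in TRUSTED_REDIRECT_DOMAINS:
        findings.append(f"redirect_uri host not allowlisted: {redirect_host}")
    if client_id and client_id not in KNOWN_CLIENT_IDS:
        findings.append(f"unknown client_id: {client_id}")
    # prompt=none forbids interaction, so a user without a session is bounced
    # to redirect_uri with an error immediately, with no login screen shown.
    if prompt == "none":
        findings.append("prompt=none requested (silent-failure path)")
    return findings


# Constructed sample links: one mimicking the campaign, one from a known app.
SUSPICIOUS_LINK = (
    "https://login.microsoftonline.com/common/oauth2/v2.0/authorize"
    "?client_id=aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee&response_type=code"
    "&redirect_uri=https%3A%2F%2Fredirect.invalid%2Fcb&scope=openid&prompt=none"
)
BENIGN_LINK = (
    "https://login.microsoftonline.com/common/oauth2/v2.0/authorize"
    "?client_id=11111111-2222-3333-4444-555555555555&response_type=code"
    "&redirect_uri=https%3A%2F%2Fapp.example.com%2Fcallback&scope=openid%20profile"
)

if __name__ == "__main__":
    for link in (SUSPICIOUS_LINK, BENIGN_LINK):
        print(link.split("?")[0], "->", analyze_oauth_link(link) or "no findings")
```

A mail gateway or URL-rewriting proxy would run this over links extracted from inbound messages and route any hit with a non-allowlisted redirect host to quarantine or analyst review.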
Malware Delivery and Credential Harvesting
Once the victim is redirected, the attacker-controlled site can automatically trigger a ZIP file download containing malware or present a phishing page that captures credentials and session cookies.
In more advanced cases, the downloaded payload executes PowerShell commands, performs system reconnaissance, side-loads a malicious DLL, and connects to a command-and-control server.
Through this technique, attackers may gain credentials, session access, or even endpoint control, all without exploiting a software vulnerability.
The method also provides reconnaissance benefits. Error responses during the OAuth flow can reveal whether an account exists or whether it requires interactive authentication, giving attackers additional intelligence.
Microsoft Response and Mitigation Guidance
Microsoft has already disabled several malicious OAuth applications linked to these campaigns. However, the company notes that similar activity continues to surface and requires ongoing monitoring.
To reduce risk, Microsoft recommends strict governance of OAuth applications, limiting user consent permissions, and routinely reviewing app registrations and granted scopes. Administrators should also apply Conditional Access policies to restrict misuse of trusted identity redirects.
The company has published detailed security guidance on its official blog to help organizations strengthen protections against this emerging threat.
In related developments, Microsoft recently enhanced Windows Server 2026 security with a new baseline configuration and dropped legacy credential-based support for Exchange Online PowerShell in favor of multi-factor authentication, reinforcing its broader push toward stronger identity security.