Researchers have found that attackers are abusing OAuth to send users from legitimate Microsoft or Google login pages to phishing sites or malware downloads.

Security Boulevard is a leading cybersecurity news and information portal, offering articles, analysis, and insights on cybersecurity threats, vulnerabilities, and best practices. From the latest trends in cyber threats to expert commentary on security technologies and compliance frameworks, Security Boulevard provides resources for security professionals, IT leaders, and business executives seeking to protect their organizations from cyber attacks and data breaches.

Security Boulevard

Attackers are exploiting OAuth's built-in error redirect mechanism to route victims from legitimate Microsoft or Google login URLs to phishing sites or malware downloads — without needing to steal tokens. The attack uses silent OAuth flows with intentionally invalid parameters (e.g., prompt=none, invalid scope), causing the identity provider to return an error and redirect the browser to an attacker-controlled URI. From the user's perspective, it appears as a brief flash of a trusted login URL before landing on a malicious page. Two variants exist: an Attacker-in-the-Middle phishing kit that intercepts credentials and MFA tokens, and a malware delivery variant that auto-downloads a payload. Defensive tips include scrutinizing long OAuth URLs in emails, not clicking unexpected login prompts, and keeping security tools updated.

Attackers abuse OAuth’s built-in redirects to launch phishing and malware attacks

So, what does this attack look like from a target’s perspective?