Microsoft has identified a phishing campaign using malformed links to legitimate OAuth services to redirect to malware downloads.

CSO Online offers insights into cybersecurity, risk management, and IT leadership, providing articles, reports, and expert analysis to help security professionals navigate the evolving threat landscape and protect their organizations from cyber attacks. By exploring CSO Online's curated content, CISOs, security managers, and IT executives can learn about threat intelligence, security frameworks, and incident response strategies for building resilient cybersecurity programs. Whether you're defending against ransomware, phishing attacks, or insider threats, CSO Online offers resources to strengthen your security posture and safeguard your digital assets.

CSO Online

Microsoft has identified a phishing campaign that abuses OAuth's built-in redirect behavior to route victims to malware or credential-harvesting pages, even though the initial link points to a legitimate identity provider domain like Microsoft Entra ID or Google Workspace. Attackers craft URLs with deliberately broken parameters (using 'prompt=none' and invalid scopes) to trigger error-state redirects to attacker-controlled destinations. One observed campaign delivered a ZIP file containing a malicious shortcut that executed PowerShell and connected to a C2 server in pre-ransomware activity; others used adversary-in-the-middle frameworks like EvilProxy. Security analysts say the classic advice to 'hover and check the link' is now obsolete in this context, and organizations should train employees to validate context rather than URLs, restrict user consent to third-party OAuth apps, audit redirect URIs, and never initiate authentication from unsolicited email links. Microsoft published indicators of compromise and KQL hunting queries for Defender XDR customers.

OAuth phishers make ‘check where the link points’ advice ineffective