Ethical Hacking News

OAuth Phishing Campaigns: A New Layer of Deception in Cyber Warfare

A recent phishing campaign has been discovered that exploits OAuth redirections to bypass defenses and deliver malware to unsuspecting victims. Microsoft researchers have warned of the threat, highlighting the need for organizations to tightly govern OAuth applications and implement strong identity protection measures.

  • Phishing campaigns are targeting government users and organizations by exploiting OAuth protocol functionality.
  • Attackers use OAuth redirections to bypass defenses and deliver malware to unsuspecting victims.
  • The attack chain begins with creating a malicious OAuth application, sending phishing emails with crafted OAuth links, and triggering a silent OAuth flow.
  • The redirect often leads to phishing frameworks or malware downloads, including ZIP files containing malicious LNK shortcuts.
  • Organizations can reduce risk by tightly governing OAuth applications, limiting user consent, and reviewing permissions regularly.

The threat landscape has long been dominated by phishing campaigns that exploit software flaws or stolen credentials to gain unauthorized access to systems. A recent development in cyber warfare adds a new layer of deception: attackers have begun abusing OAuth redirections to bypass defenses and deliver malware to unsuspecting victims.

According to Microsoft researchers, phishing campaigns are now targeting government users and organizations by exploiting legitimate OAuth protocol functionality. The attackers leverage OAuth's by-design behavior to redirect victims to attacker-controlled infrastructure, making it an identity-based threat rather than a traditional exploit.

"This technique abuses the OAuth 2.0 authorization endpoint by using parameters such as prompt=none and an intentionally invalid scope," continues the report. "Rather than attempting successful authentication, the request is designed to force the identity provider to evaluate session state and Conditional Access policies without presenting a user interface."

The attack chain begins with the attackers registering a malicious OAuth application in a tenant they control and setting its redirect URI to a domain that hosts malware. They then send phishing emails with crafted OAuth links themed around documents, payments, or meetings.

Clicking one of these links triggers a silent OAuth flow that uses manipulated parameters such as prompt=none and an intentionally invalid scope. Because prompt=none forbids any user interface and the invalid scope guarantees the request cannot succeed, the identity provider evaluates session state and Conditional Access policies and then answers with an error redirect to the application's registered redirect URI, the attacker's domain.

The redirect often leads to phishing frameworks or malware downloads. In some campaigns, victims automatically receive a ZIP file containing a malicious LNK shortcut.

"Among the threat actors and campaigns abusing OAuth redirection techniques with various landing pages, we identified a specific campaign that attempted to deliver a malicious payload," continues the report. "That activity is described in more detail below."

After redirection, victims land on a /download/XXXX path, from which a ZIP file is automatically downloaded to the target device. Observed payloads included ZIP archives containing LNK shortcut files and HTML smuggling loaders.

When opened, these files run PowerShell commands, perform system reconnaissance, extract additional files, and side-load a rogue DLL. The final payload executes in memory and connects to a command-and-control server, moving the attack from credential targeting to full endpoint compromise and persistence.

Organizations can reduce risk by tightly governing OAuth applications, limiting user consent, reviewing permissions regularly, and removing unused or overprivileged apps. Strong identity protection, Conditional Access policies, and cross-domain detection across email, identity, and endpoints can also help stop attackers from abusing trusted authentication flows for phishing or malware delivery.

"These campaigns demonstrate that this abuse is operational, not theoretical," concludes the report. "Malicious but standards-compliant applications can misuse legitimate error-handling flows to redirect users from trusted identity providers to attacker-controlled infrastructure."

Related Information:

  • https://www.ethicalhackingnews.com/articles/-OAuth-Phishing-Campaigns-A-New-Layer-of-Deception-in-Cyber-Warfare--ehn.shtml
  • https://securityaffairs.com/188829/hacking/phishing-campaign-exploits-oauth-redirection-to-bypass-defenses.html
  • https://www.microsoft.com/en-us/security/blog/2026/03/02/oauth-redirection-abuse-enables-phishing-malware-delivery/

Published: Tue Mar 3 07:50:33 2026 by llama3.2 3B Q4_K_M