OAuth phishers make ‘check where the link points’ advice ineffective

⚠️ Critical Alert

Phishers have found a way to abuse OAuth's built-in redirect feature, which makes the traditional advice to "check where the link points" ineffective. Using this feature, attackers craft links that appear to point to legitimate identity-provider domains, such as Microsoft Entra ID or Google Workspace, but ultimately send victims to malicious sites. The tactic relies on a legitimate OAuth feature that redirects users to a specific landing page under certain conditions, such as error scenarios. Microsoft's Defender Security Research Team has warned that the technique is being used to spread malware, with the links initially appearing safe because of their legitimate origin [1]. Because attackers can steer OAuth's redirect feature, users can no longer rely on verifying a link's visible destination alone. This development underlines the need for more advanced controls against phishing. Phishers being able to disguise malicious links as legitimate ones poses a significant threat to users, and security practitioners need to reassess their phishing prevention strategies. What matters most to practitioners is that more robust security controls are now needed to protect against these phishing attacks.
Why This Matters
“OAuth includes a legitimate feature that allows identity providers to redirect users to a specific landing page under certain conditions, typically in error scenarios or other.
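Since the host shown in the link is no longer a reliable signal, a link check has to look at where the OAuth flow hands the browser on. The following added example is not from the CSO Online article or from Microsoft; it parses a link and, when the host is a known identity-provider authorization endpoint, reports the host named in the standard OAuth redirect_uri parameter as the effective landing page, flagging any landing host that is not on the organisation's allow-list. The identity-provider host list, the allow-list, the client_id values and the sample links are constructed for illustration.

```python
from urllib.parse import urlparse, parse_qs

# Identity-provider hosts whose authorization endpoints accept a redirect_uri
# parameter. Illustrative and not exhaustive: a real deployment would keep
# this list in configuration (assumption).
IDP_AUTHORIZE_HOSTS = {"login.microsoftonline.com", "accounts.google.com"}

# Landing hosts the organisation has approved for its own OAuth apps
# (constructed sample allow-list).
ALLOWED_LANDING_HOSTS = {"app.example.com", "sso.example.com"}


def effective_destination(url: str) -> tuple[str, str]:
    """Return (visible_host, landing_host) for a link.

    For an ordinary link both values are the link's own host. For an OAuth
    authorization URL the identity provider hands the browser on to the
    redirect_uri parameter, so that host is where the user actually ends up.
    """
    parsed = urlparse(url)
    visible = (parsed.hostname or "").lower()
    if visible not in IDP_AUTHORIZE_HOSTS:
        return visible, visible
    # parse_qs percent-decodes values, so an encoded redirect_uri is already
    # a plain URL at this point.
    redirect_values = parse_qs(parsed.query).get("redirect_uri")
    if not redirect_values:
        return visible, visible
    landing = (urlparse(redirect_values[0]).hostname or "").lower()
    return visible, landing or visible


def assess_link(url: str) -> str:
    """Classify a link as 'direct', 'approved-redirect' or 'suspicious-redirect'."""
    visible, landing = effective_destination(url)
    if landing == visible:
        return "direct"
    if landing in ALLOWED_LANDING_HOSTS:
        return "approved-redirect"
    return "suspicious-redirect"


def scan(links):
    """Map each link to its verdict, as a mail gateway or URL-rewriting proxy might."""
    return {link: assess_link(link) for link in links}


# Constructed sample links; client_id values are placeholders, not real apps.
SAMPLE_LINKS = [
    "https://www.example.com/docs/report.pdf",
    "https://login.microsoftonline.com/common/oauth2/v2.0/authorize"
    "?client_id=00000000-0000-0000-0000-000000000000&response_type=code"
    "&redirect_uri=https%3A%2F%2Fapp.example.com%2Fcallback",
    "https://accounts.google.com/o/oauth2/v2/auth"
    "?client_id=placeholder-client-id&response_type=code"
    "&redirect_uri=https%3A%2F%2Flanding.example.net%2Fdoc",
]

if __name__ == "__main__":
    for link, verdict in scan(SAMPLE_LINKS).items():
        _, landing = effective_destination(link)
        print(f"{verdict:20} lands on {landing:22} {link[:60]}")
```

The point of the check is that the verdict is keyed on the landing host, not on the host a user sees in the status bar: the second sample link and the third both start with a legitimate identity-provider domain, and only the redirect_uri separates the approved one from the suspicious one.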
References
- CSO Online. (2026, March 3). OAuth phishers make ‘check where the link points’ advice ineffective. CSO Online. https://www.csoonline.com/article/4139872/oauth-phishers-make-check-where-the-link-points-advice-ineffective.html
Original Source: CSO Online