A recent wave of phishing attacks has been abusing OAuth's built-in redirection behaviour to deliver malware and steal sensitive information from government and public-sector organizations. By invoking the protocol's silent authentication flow and deliberately requesting invalid scopes, attackers cause the authorization server to redirect victims to attacker-controlled infrastructure without any OAuth token being issued or stolen. Because no token changes hands, the activity slips past traditional security controls, making it harder for defenders to detect and respond. Microsoft Defender has flagged numerous instances of this activity across several signal sources, including email, identity, and endpoint alerts. In response, Microsoft Entra has disabled the observed OAuth applications, but related activity persists, which underscores the need for ongoing monitoring. The attackers' ability to achieve their goals while evading token-theft detection shows the complexity of this threat, which rests on the very design of OAuth's redirection mechanism. Organizations that rely on OAuth for authentication should therefore monitor OAuth activity closely, in particular authorization requests that combine silent authentication with unexpected scopes or redirect targets, and enforce robust controls over which applications are permitted.
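To make the detection point concrete, here is an added example (not code from the page or from Microsoft) that triages a constructed set of OAuth authorization requests, such as a proxy or sign-in log might record, and flags the combination the text describes: a silent flow (`prompt=none`) paired with a scope the tenant never granted, which yields an error redirect rather than a token. The hostnames, client IDs and allow-lists are assumptions for the demonstration.

```python
from urllib.parse import urlparse, parse_qs

# Constructed sample log of OAuth authorization requests (not real telemetry).
# Per RFC 6749, an unknown scope makes the authorization server redirect the
# browser to the app's registered redirect_uri with error=invalid_scope, so
# the attacker gets the redirect without a token ever being issued.
SAMPLE_REQUESTS = [
    "https://login.example.com/oauth2/v2.0/authorize?client_id=legit-app"
    "&response_type=code&scope=openid%20profile"
    "&redirect_uri=https%3A%2F%2Fportal.example.com%2Fcallback",
    "https://login.example.com/oauth2/v2.0/authorize?client_id=unknown-app"
    "&response_type=code&prompt=none&scope=openid%20no.such.scope"
    "&redirect_uri=https%3A%2F%2Fupdates.example.net%2Fr",
    "https://login.example.com/oauth2/v2.0/authorize?client_id=legit-app"
    "&response_type=code&prompt=none&scope=openid"
    "&redirect_uri=https%3A%2F%2Fportal.example.com%2Fcallback",
]

# Assumed allow-lists; a real deployment would derive both from the tenant's
# app registrations and consented permissions.
KNOWN_SCOPES = {"openid", "profile", "email", "offline_access"}
TRUSTED_REDIRECT_HOSTS = {"portal.example.com"}


def analyze_request(url):
    """Return the client_id and the abuse indicators present in one request."""
    params = parse_qs(urlparse(url).query)

    def first(key):
        return params.get(key, [""])[0]

    scopes = set(first("scope").split())
    redirect_host = urlparse(first("redirect_uri")).hostname or ""
    indicators = []
    if first("prompt") == "none":
        indicators.append("silent_auth")         # no consent screen is shown
    if scopes - KNOWN_SCOPES:
        indicators.append("invalid_scope")       # guarantees an error redirect
    if redirect_host not in TRUSTED_REDIRECT_HOSTS:
        indicators.append("untrusted_redirect")  # where the browser lands
    return {"client_id": first("client_id"), "indicators": indicators}


def triage(requests):
    """Return client_ids whose requests match the silent-auth + invalid-scope pattern."""
    flagged = []
    for url in requests:
        result = analyze_request(url)
        if {"silent_auth", "invalid_scope"} <= set(result["indicators"]):
            flagged.append(result["client_id"])
    return flagged
```

A legitimate silent re-authentication with a valid scope (third request) is not flagged on its own; the redirect-host check is reported separately so analysts can pivot to app registrations.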