{"id":15892,"date":"2026-03-03T13:01:13","date_gmt":"2026-03-03T13:01:13","guid":{"rendered":"https:\/\/newestek.com\/?p=15892"},"modified":"2026-03-03T13:01:13","modified_gmt":"2026-03-03T13:01:13","slug":"oauth-phishers-make-check-where-the-link-points-advice-ineffective","status":"publish","type":"post","link":"https:\/\/newestek.com\/?p=15892","title":{"rendered":"OAuth phishers make \u2018check where the link points\u2019 advice ineffective"},"content":{"rendered":"<div>\n<div id=\"remove_no_follow\">\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<section class=\"wp-block-bigbite-multi-title\">\n<div class=\"container\"><\/div>\n<\/section>\n<p>Microsoft has warned that phishers are exploiting a standards-compliant behavior of the OAuth authorization protocol to redirect victims to malware and credential-harvesting pages, using links whose first hop is a legitimate identity provider endpoint such as those of Microsoft Entra ID or Google Workspace. The links look safe because their domain is genuine, but the authorization error they are built to trigger sends the browser on to an attacker-chosen destination.<\/p>\n<p>\u201cOAuth includes a legitimate feature that allows identity providers to redirect users to a specific landing page under certain conditions, typically in error scenarios or other defined flows,\u201d Microsoft\u2019s Defender Security Research Team <a href=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2026\/03\/02\/oauth-redirection-abuse-enables-phishing-malware-delivery\/\">wrote in a blog post<\/a>. 
\u201cAttackers can abuse this native functionality by crafting URLs with popular identity providers, such as Entra ID or Google Workspace, that use manipulated parameters or associated malicious applications to redirect users to attacker-controlled landing pages.\u201d<\/p>\n<p>The company said it has disabled several malicious OAuth applications linked to the activity but warned that related campaigns are continuing and require ongoing monitoring.<\/p>\n<h2 class=\"wp-block-heading\" id=\"how-the-attack-works\">How the attack works<\/h2>\n<p>The attack starts with a phishing email. Observed lures impersonate e-signature requests, HR communications, Microsoft Teams meeting invites, and password reset alerts, with the malicious link embedded either in the email body or inside a PDF attachment, Microsoft researchers wrote in the blog post.<\/p>\n<p>The link points to a real OAuth authorization endpoint on the identity provider\u2019s own domain, but its query parameters are deliberately broken. Attackers set \u201cprompt=none\u201d, which requests silent authentication with no login screen, and pair it with an invalid scope value. The combination is designed to fail, and OAuth specifies how a failed authorization request is answered: the identity provider redirects the browser to the redirect URI registered for the requesting application, with the error attached as parameters. Because the application is one the attacker registered, that URI is attacker-controlled. A hover preview shows only the trusted identity provider host; if the link carries a redirect_uri parameter, its URL-encoded value names the real destination, but it sits buried in the query string where few users will look.<\/p>\n<p>\u201cAlthough this behavior is standards-compliant, adversaries can abuse it to redirect users through trusted authorization endpoints to attacker-controlled destinations,\u201d the researchers wrote in the blog post.<\/p>\n<p>The technique represents a structural shift in how attackers approach identity, said Greyhound Research chief analyst Sanchit Vir Gogia. \u201cThe first hop is real. The browser is behaving correctly. The identity provider is behaving correctly. The trust signal is authentic,\u201d he said. 
\u201cThis shifts phishing from deception at the brand layer to manipulation at the workflow layer.\u201d<\/p>\n<p>In one campaign Microsoft detailed in the blog post, the redirect delivered a ZIP archive containing a malicious Windows shortcut file to the victim\u2019s device. Opening the file triggered a PowerShell script that ran reconnaissance commands and ultimately connected to an attacker-controlled server, the post said. Microsoft described the subsequent activity as consistent with pre-ransomware behavior.<\/p>\n<p>Other campaigns the blog post detailed routed victims to adversary-in-the-middle frameworks such as EvilProxy, which proxy the real login page to harvest credentials and the resulting session cookies, so that multifactor authentication completed by the victim does not protect the account.<\/p>\n<h2 class=\"wp-block-heading\" id=\"context-not-the-url-is-the-new-red-flag\">Context, not the URL, is the new red flag<\/h2>\n<p>Sakshi Grover, Senior Research Manager at IDC Asia\/Pacific, said the longstanding advice to hover over a link and verify its domain was built for an era of lookalike domains and no longer holds in environments where authentication flows routinely pass through trusted identity providers.<\/p>\n<p>\u201cOrganizations should shift awareness messaging from \u2018check the link\u2019 to \u2018validate the context,\u2019\u201d she said. \u201cEmployees should be trained to question whether an authentication request was expected, whether it aligns with a current business activity, and whether the application is requesting permissions that make sense.\u201d<\/p>\n<p>Gogia said enterprises need to go further and change the underlying behavior entirely. \u201cNever initiate authentication journeys from unsolicited inbound links,\u201d he said. 
\u201cAuthentication should begin from controlled starting points, not from email triggers.\u201d He added that reporting unexpected login journeys must be made frictionless, and that speed of reporting is more valuable than confidence in personal judgment.<\/p>\n<h2 class=\"wp-block-heading\" id=\"the-governance-gap-attackers-exploit\">The governance gap attackers exploit<\/h2>\n<p>Both analysts pointed to OAuth application governance as the deeper structural gap this campaign exploits.<\/p>\n<p>Grover of IDC said governance maturity remains uneven across enterprises. \u201cBroad default consent settings and limited monitoring of redirect URIs remain common, particularly in environments where cloud and SaaS adoption have outpaced identity governance controls,\u201d she said.<\/p>\n<p>The scale of the problem is easy to underestimate, according to Gogia of Greyhound Research. \u201cEvery SaaS integration, automation workflow, and collaboration tool may require an application registration. Over time, tenants accumulate hundreds or thousands of registered apps. Redirect URIs are configured during setup and rarely revisited,\u201d he said. \u201cTelemetry exists. Interpretation does not.\u201d<\/p>\n<p>Microsoft said in the blog post that organizations should restrict users\u2019 ability to consent to third-party OAuth applications, audit app permissions regularly, and remove applications that are unused or over-privileged. The malicious applications in this campaign are the attackers\u2019 own registrations, so an audit of a tenant\u2019s own app registrations will not surface them; the published client IDs are the handle for those. Auditing the redirect URIs on the tenant\u2019s own registrations closes off the other route, a legitimate app whose registration has acquired an attacker-controlled redirect URI. The post also published 16 client IDs linked to the threat actors\u2019 malicious applications and a list of initial redirection URLs as indicators of compromise, and it includes KQL hunting queries that Microsoft Defender XDR customers can run to identify related activity across email, identity, and endpoint signals.<\/p>\n<p>The technique will remain effective for as long as enterprises leave these gaps unaddressed, Gogia warned. \u201cIt does not require breaking encryption,\u201d he said. 
\u201cIt requires exploiting administrative complacency.\u201d<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>Microsoft has warned that phishers are exploiting a built-in behavior of the OAuth authentication protocol to redirect victims to malware, using links that point to legitimate identity provider domains such as Microsoft Entra ID and Google Workspace. The links look safe but ultimately lead somewhere that isn\u2019t. \u201cOAuth includes a legitimate feature that allows identity providers to redirect users to a specific landing page under&#8230; <\/p>\n<p class=\"more\"><a class=\"more-link\" href=\"https:\/\/newestek.com\/?p=15892\">Read More<\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"inline_featured_image":false,"footnotes":""},"categories":[1],"tags":[],"class_list":["post-15892","post","type-post","status-publish","format-standard","hentry","category-uncategorized","is-cat-link-borders-light 
is-cat-link-rounded"],"_links":{"self":[{"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/posts\/15892","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=15892"}],"version-history":[{"count":0,"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/posts\/15892\/revisions"}],"wp:attachment":[{"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=15892"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=15892"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=15892"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
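The link pattern described under "How the attack works" above, as an added example that is not part of the original article or of Microsoft's post: a Python triage helper that pulls apart an OAuth authorization URL lifted from an email, flags the combination the article describes (a silent prompt=none request with an odd scope, sent to an application the tenant has not reviewed, with a redirect_uri outside the organisation), and models the error redirect the identity provider answers with, so the script can show that the first hop is the genuine IdP host and the final hop is whatever the application registered. The identity provider hostnames are real; the endpoint path patterns, the client-ID allow/block lists, the trusted redirect suffix, the two sample links and the error code in the simulated redirect are all constructed assumptions (RFC 6749 section 4.1.2.1 fixes the shape of the error redirect, not the code a given IdP picks, and some IdPs show an error page instead).

```python
# Added example (not from the article or Microsoft's post): heuristic triage of
# OAuth authorization links found in email, plus a model of the error redirect
# that carries the browser off the identity provider's domain.
import re
from urllib.parse import parse_qs, urlencode, urlparse

# Real IdP hostnames; the path patterns are our own approximation of their
# authorization endpoints (Entra v1/v2 and Google OAuth 2.0).
AUTHZ_ENDPOINTS = {
    "login.microsoftonline.com": re.compile(r"^/[^/]+/oauth2(?:/v2\.0)?/authorize/?$"),
    "accounts.google.com": re.compile(r"^/o/oauth2(?:/v2)?/auth/?$"),
}

# Constructed tenant data standing in for a real inventory: client IDs the tenant
# has reviewed, client IDs from a published IOC list, and the DNS suffix an app
# registered by this organisation is allowed to redirect to.
ALLOWED_CLIENT_IDS = {"11111111-2222-3333-4444-555555555555"}
BLOCKED_CLIENT_IDS = {"99999999-8888-7777-6666-555555555555"}
TRUSTED_REDIRECT_SUFFIXES = ("contoso.example",)

# Loose syntax heuristic for scope tokens (OIDC scopes, Entra "Resource/Permission"
# scopes and full URIs all pass); whether a scope is valid is decided by the IdP.
SCOPE_TOKEN = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._:/\-]*$")


def parse_authz_url(url):
    """Return the query parameters (first value each) if `url` targets a known
    authorization endpoint, otherwise None."""
    u = urlparse(url)
    pattern = AUTHZ_ENDPOINTS.get((u.hostname or "").lower())
    if pattern is None or not pattern.match(u.path):
        return None
    return {k: v[0] for k, v in parse_qs(u.query, keep_blank_values=True).items()}


def _host_trusted(host):
    return any(host == s or host.endswith("." + s) for s in TRUSTED_REDIRECT_SUFFIXES)


def triage(url):
    """Return a list of findings for an authorization link; [] means nothing
    suspicious was seen (or the URL is not an authorization link at all)."""
    p = parse_authz_url(url)
    if p is None:
        return []
    findings = []
    cid = p.get("client_id", "")
    if cid in BLOCKED_CLIENT_IDS:
        findings.append("client_id on blocklist")
    elif cid not in ALLOWED_CLIENT_IDS:
        findings.append("client_id not in tenant allowlist")
    # Silent auth (prompt=none) is for background token renewal, never for a link
    # a person is asked to click; with a broken scope it is error-redirect bait.
    if p.get("prompt") == "none":
        findings.append("prompt=none in a click-through link")
    bad = [t for t in p.get("scope", "").split() if not SCOPE_TOKEN.match(t)]
    if bad:
        findings.append("scope tokens with unexpected syntax: " + ", ".join(bad))
    redirect = p.get("redirect_uri")
    if redirect:
        r = urlparse(redirect)
        host = (r.hostname or "").lower()
        if r.scheme != "https" or not _host_trusted(host):
            findings.append("redirect_uri host not trusted: " + (host or "<none>"))
    return findings


def simulated_error_redirect(url, error="invalid_scope"):
    """Model of the RFC 6749 section 4.1.2.1 error response: the IdP answers a
    failed request with a redirect to the application's registered redirect_uri,
    carrying `error` and the caller's `state`. The code is illustrative (assumed);
    real IdPs differ and some render an error page instead."""
    p = parse_authz_url(url)
    if p is None or not p.get("redirect_uri"):
        return None
    extra = {"error": error}
    if "state" in p:
        extra["state"] = p["state"]
    sep = "&" if urlparse(p["redirect_uri"]).query else "?"
    return p["redirect_uri"] + sep + urlencode(extra)


def final_hop_host(url):
    """Host the browser lands on after the simulated error redirect, or None."""
    loc = simulated_error_redirect(url)
    return urlparse(loc).hostname if loc else None


# Constructed sample links (hypothetical client IDs and hosts, not real IOCs).
MALICIOUS_LINK = (
    "https://login.microsoftonline.com/common/oauth2/v2.0/authorize"
    "?client_id=99999999-8888-7777-6666-555555555555&response_type=code"
    "&redirect_uri=https%3A%2F%2Fupdates.example.net%2Fcb"
    "&scope=openid%20%3Fbogus%3F&prompt=none&state=abc"
)
BENIGN_LINK = (
    "https://login.microsoftonline.com/contoso.onmicrosoft.com/oauth2/v2.0/authorize"
    "?client_id=11111111-2222-3333-4444-555555555555&response_type=code"
    "&redirect_uri=https%3A%2F%2Fportal.contoso.example%2Fauth%2Fcallback"
    "&scope=openid%20profile%20User.Read&state=xyz"
)

if __name__ == "__main__":
    for link in (MALICIOUS_LINK, BENIGN_LINK):
        print("first hop:", urlparse(link).hostname, "-> final hop:", final_hop_host(link))
        for f in triage(link):
            print("  !", f)
```

Both samples share the same first hop, login.microsoftonline.com, which is all a hover preview reveals; only the parsed redirect_uri and the simulated error redirect expose that the constructed malicious link ends on updates.example.net. The checks are deliberately tenant-specific: the allowlist, blocklist and trusted suffix are the inventory the governance section says most tenants lack, and without them the script can only flag prompt=none and the scope syntax.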