
Microsoft Flags New OAuth-Based Phishing Attack Targeting Public Sector

Security researchers warn about a new phishing campaign abusing OAuth login redirects. Instead of pointing victims straight at a malicious site, the attackers make the identity provider itself redirect the victim's browser there, so the link in the email points at a trusted domain and many security tools fail to flag it.

Key points generated by AI, verified by newsroom
  • New phishing campaign uses OAuth redirection trick.
  • Attackers exploit OAuth errors for malicious redirects.
  • Targets government organizations via trusted identity domains.

A new phishing campaign has been discovered that uses a clever trick inside the OAuth login flow. Security researchers from Microsoft Defender say attackers are abusing the normal redirection behaviour of OAuth to send users to malicious websites. Unlike traditional phishing that tries to steal passwords or tokens directly, this method does not need the victim to sign in or approve anything. The link deliberately triggers an error in the authorisation request, and the identity provider responds by redirecting the victim's browser to a location the attacker chose in advance.

The campaign mainly targets government and public-sector organisations. Because the visible link points at a trusted identity provider domain, URL reputation checks and many email filters that judge a link by its domain do not detect the attack.

New OAuth Phishing Attack Uses Redirect Trick

This new OAuth phishing attack works by abusing the normal error-handling process defined in the OAuth standard. Attackers first register applications in Microsoft Entra tenants they control. They then set each application's redirect URI to a domain they own. Because that redirect URI is registered for the attacker's own application, the identity provider treats it as valid.

Phishing emails are sent with specially crafted OAuth authorisation links. These links point at the Microsoft Entra ID login endpoint (login.microsoftonline.com) and include parameters designed to make the request fail before any sign-in page is shown. For example, the attackers request a permission (scope) that does not exist, so the authorisation request is rejected. Only the redirect_uri parameter inside the link points at the attacker.

When the request fails, the identity provider redirects the browser to the attacker's registered redirect URI, appending error details such as error=invalid_scope. This is standard OAuth 2.0 behaviour rather than a flaw in Entra ID: the authorisation server reports errors by sending the browser back to the registered redirect URI. Since the redirect is part of normal OAuth behaviour and the initial link sits on a trusted domain, many email and browser security systems do not block it.

Five-Stage Phishing Attack Chain Explained

Researchers say the campaign follows a five-stage phishing attack chain. First, attackers send phishing emails themed around e-signatures, financial documents, or meeting invites. Automated tooling lets them send large numbers of messages.

Second, clicking the link makes the browser silently send the authorisation request to the identity provider; no sign-in prompt appears. The link may also carry the victim's email address in encoded form.

Third, the authorisation request fails and the identity provider redirects the browser to the attacker's website. Fourth, victims are taken to phishing pages or prompted to download malicious ZIP files.

Finally, if the victim runs the downloaded payload, the malware executes PowerShell commands, collects system information, and connects to attacker-controlled servers.
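As an added illustration (not Microsoft's code or anything taken from the campaign), the following Python models both sides of the exchange described in the two sections above: an authorisation endpoint that behaves as RFC 6749 prescribes, redirecting to the registered redirect URI with error parameters when the scope is invalid, and a triage check a defender could run over authorize links extracted from mail. The tenant name, client IDs, hostnames, scope list and the assumption that the encoded email address travels in the state or login_hint parameter are all constructed for the example.

```python
"""
Added example (not Microsoft's or the campaign's code): a small model of the OAuth
error-redirect behaviour the article describes, plus a triage check for authorize
links pulled from mail. Hosts, client IDs, scopes and sample links are constructed.
"""
import base64
from urllib.parse import parse_qs, urlencode, urlparse

IDP_HOST = "login.microsoftonline.com"

# Constructed registry. The IdP only checks that redirect_uri was registered for
# client_id; an attacker registers an app in a tenant they control and points it
# at their own domain, so the check passes for the malicious app too.
REGISTERED_APPS = {
    "11111111-1111-4111-8111-111111111111": {"https://portal.example-gov.org/auth/callback"},
    "22222222-2222-4222-8222-222222222222": {"https://docs-review.example-attacker.net/cb"},
}
# Constructed allow-list standing in for the scopes the IdP actually recognises.
KNOWN_SCOPES = {"openid", "profile", "email", "offline_access", "User.Read"}


def query(url):
    """Flatten the query string of a URL into a dict of single values."""
    return {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}


def authorization_endpoint(authorize_url):
    """Model of RFC 6749 section 4.1.2.1: a registered redirect_uri plus an unknown
    scope yields a 302 to redirect_uri carrying error parameters, before any login."""
    q = query(authorize_url)
    redirect_uri = q.get("redirect_uri")
    if redirect_uri not in REGISTERED_APPS.get(q.get("client_id"), set()):
        return 400, None                      # unregistered redirect_uri: no redirect at all
    unknown = [s for s in q.get("scope", "").split() if s not in KNOWN_SCOPES]
    if unknown:
        err = {"error": "invalid_scope",
               "error_description": "constructed: scope not recognised"}
        if "state" in q:
            err["state"] = q["state"]        # state is echoed back, so it reaches the attacker
        return 302, f"{redirect_uri}?{urlencode(err)}"
    return 200, None                          # would render the sign-in page


def build_authorize_link(tenant, client_id, redirect_uri, scope, state=None):
    """Build an Entra-style authorize URL; legitimate apps and the attacker use the same shape."""
    params = {"client_id": client_id, "response_type": "code",
              "redirect_uri": redirect_uri, "scope": scope}
    if state is not None:
        params["state"] = state
    return f"https://{IDP_HOST}/{tenant}/oauth2/v2.0/authorize?{urlencode(params)}"


def decodes_to_email(value):
    """True if value is base64 that decodes to something shaped like an e-mail address."""
    try:
        padded = value + "=" * (-len(value) % 4)
        text = base64.urlsafe_b64decode(padded).decode("ascii")
    except (ValueError, UnicodeDecodeError):
        return False
    return "@" in text and "." in text.rsplit("@", 1)[-1]


def triage_link(url, allowed_redirect_hosts):
    """Findings for one link. Empty list means nothing suspicious, or not an authorize URL."""
    p = urlparse(url)
    if p.hostname != IDP_HOST or "/oauth2/" not in p.path or not p.path.endswith("/authorize"):
        return []
    q = query(url)
    findings = []
    rhost = urlparse(q.get("redirect_uri", "")).hostname
    if rhost and rhost not in allowed_redirect_hosts:
        findings.append(f"redirect_uri host not allow-listed: {rhost}")
    for s in q.get("scope", "").split():
        if s not in KNOWN_SCOPES:
            findings.append(f"unknown scope (forces an error redirect): {s}")
    # Assumption: the victim's e-mail rides base64-encoded in state or login_hint.
    for key in ("state", "login_hint"):
        if key in q and decodes_to_email(q[key]):
            findings.append(f"{key} carries an encoded e-mail address")
    return findings


if __name__ == "__main__":
    victim = base64.urlsafe_b64encode(b"clerk@example-gov.org").decode()
    phish = build_authorize_link("common", "22222222-2222-4222-8222-222222222222",
                                 "https://docs-review.example-attacker.net/cb",
                                 "openid nonexistent.permission", state=victim)
    status, location = authorization_endpoint(phish)
    print(status, location)
    for finding in triage_link(phish, {"portal.example-gov.org"}):
        print("finding:", finding)
```

The point the model makes is that the link the victim clicks is valid for the identity provider and its hostname is the real login endpoint; the only parameters that betray it are redirect_uri (an attacker host) and a scope that cannot succeed. A mail-filter rule that extracts authorize links and runs the triage above, rather than scoring the hostname, is what catches this pattern.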

Frequently Asked Questions

How does this new OAuth phishing campaign work?

Attackers register an application in their own tenant with a redirect URI they control, then send victims an authorisation link that deliberately fails (for example, by requesting a permission that does not exist). The identity provider reports the error by redirecting the victim's browser to that attacker-controlled URI.

What makes this phishing attack difficult to detect?

The link in the email points at the trusted identity provider domain, and the redirect to the attacker's site is standard OAuth error handling. URL reputation checks and many mail filters that judge a link by its domain therefore let it through.

What is the typical sequence of events in this five-stage phishing attack?

It runs from phishing emails, to a silent OAuth authorisation request when the link is clicked, to an authorisation failure that redirects the browser to the attacker's site, to landing on phishing pages or downloading malicious ZIP files, and finally to malware execution on the victim's machine.

About the author Annie Sharma

Annie Sharma is a technology journalist at ABP Live English, focused on breaking down complex tech stories into clear, reader-friendly narratives. Gaining hands-on experience in digital storytelling and news writing with leading publications, Annie believes technology should feel accessible rather than overwhelming, and follows a clear, reader-first approach in her work.

For tips and queries, you can reach out to her at annies@abpnetwork.com.
