Attackers are abusing OAuth’s built-in redirect behavior to silently route users from trusted login pages to malware and credential-harvesting sites, Microsoft warned in an advisory published March 2.
The campaigns don’t exploit software vulnerabilities or steal OAuth tokens directly. Instead, attackers manipulate legitimate error-handling behavior in OAuth authorization flows to silently redirect users to malicious domains. Some attack chains deliver malware; others land victims on adversary-in-the-middle (AiTM) phishing pages that intercept credentials and session cookies, bypassing MFA.
The attackers created rogue applications within actor-controlled tenants and configured redirect URIs pointing to infrastructure hosting phishing kits or malware. Victims received phishing emails themed around document sharing, Social Security notices, requests for password reset, or meeting invitations.
Silent OAuth Probes Circumvent Defenses
The technique relies on parameters such as “prompt=none,” combined with deliberately invalid scopes, in OAuth authorization requests. “prompt=none” instructs the identity provider (Microsoft Entra ID and Google Workspace are both named) to evaluate the user’s session state without showing any interface; when that silent check cannot succeed, or when the requested scope is invalid, the provider answers with an error, and that error is delivered as a redirect to the application’s registered redirect URI.
Because RFC 6749 specifies that authorization errors are returned to the client by redirecting the user agent to its registered redirect URI, the behavior is standards-compliant rather than a bug. RFC 9700, the OAuth 2.0 security best-current-practice document, further notes that an authorization server can inadvertently act as an open redirector when its error flows are abused.
When the silent authentication fails, users are bounced (via the legitimate login domain) to attacker-controlled pages. In several cases those pages served ZIP archives containing malicious LNK shortcut files. Opening the archive and launching the shortcut ran PowerShell reconnaissance commands, followed by DLL side-loading and command-and-control communication.
“Malicious but standards-compliant applications can misuse legitimate error-handling flows to redirect users from trusted identity providers to attacker-controlled infrastructure,” Microsoft researchers wrote in the company’s analysis.
The tech giant said it disabled the identified OAuth applications and that Microsoft Defender XDR detected related activity across email, identity, and endpoint telemetry. However, similar OAuth abuse persists, calling for awareness training and continuous monitoring.
Microsoft recommended that security teams restrict user consent for OAuth applications, audit redirect URIs, and enforce Conditional Access policies. Organizations should also monitor for authorization URLs containing “prompt=none” and suspicious state parameters, particularly when they arrive embedded in phishing-themed emails.
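To make both the mechanism described above and the monitoring advice concrete, here is an added example (not code from Microsoft’s advisory): a toy model of an authorization server that has already accepted the attacker-registered redirect URI, showing why “prompt=none” and an invalid scope each end in an error redirect to that URI, alongside a heuristic that flags such probe URLs extracted from email bodies or proxy logs. The allowlisted redirect hosts, the set of known scopes, the state-parameter heuristic and all sample URLs are constructed assumptions, not values from the advisory.

```python
"""Added example, not code from Microsoft's advisory: a toy model of the
OAuth error-redirect behaviour described above, plus a heuristic that flags
silent OAuth probe URLs (prompt=none, unknown scope, untrusted redirect_uri,
odd state) pulled from e-mail bodies or proxy logs.
Every hostname, scope and sample URL below is constructed for illustration."""
from urllib.parse import parse_qs, urlencode, urlparse, urlunparse

# Authorization endpoints of the providers named in the advisory.
AUTHORIZE_HOSTS = {"login.microsoftonline.com", "accounts.google.com"}

# Assumption: redirect_uri hosts used by the apps this tenant has approved.
TRUSTED_REDIRECT_HOSTS = {"myapps.microsoft.com", "app.example.com"}

# Assumption: scopes this tenant's approved apps legitimately request.
KNOWN_SCOPES = {"openid", "profile", "email", "offline_access",
                "user.read", "mail.read", "files.read"}


def _params(url):
    """First value of every query parameter, as a plain dict."""
    return {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}


def simulate_authorize(request_url, user_has_session):
    """Toy authorization server for an app whose redirect_uri is registered
    (the attacker registered it in their own tenant, so that check passes).
    Per RFC 6749 s4.1.2.1 an invalid_scope error is delivered by redirecting
    to redirect_uri; per OpenID Connect Core, prompt=none with no usable
    session yields login_required the same way. Returns the error redirect,
    or None when the request would proceed to normal consent/code issuance."""
    q = _params(request_url)
    scopes = q.get("scope", "").lower().split()
    if any(s not in KNOWN_SCOPES for s in scopes):
        error = "invalid_scope"        # fires whether or not the user is signed in
    elif q.get("prompt") == "none" and not user_has_session:
        error = "login_required"       # no UI allowed, so the flow fails silently
    else:
        return None
    reply = {"error": error}
    if "state" in q:
        reply["state"] = q["state"]     # state is echoed back verbatim
    target = urlparse(q["redirect_uri"])
    return urlunparse(target._replace(query=urlencode(reply)))


def probe_indicators(url):
    """Reasons a URL looks like a silent OAuth probe (empty list = nothing odd)."""
    p = urlparse(url)
    if p.hostname not in AUTHORIZE_HOSTS or "auth" not in p.path:
        return []
    q = _params(url)
    reasons = []
    if q.get("prompt") == "none":
        reasons.append("prompt=none: silent flow, user never sees a login page")
    ru_host = urlparse(q.get("redirect_uri", "")).hostname
    if ru_host and ru_host not in TRUSTED_REDIRECT_HOSTS:
        reasons.append(f"redirect_uri host {ru_host!r} not in allowlist")
    unknown = [s for s in q.get("scope", "").lower().split() if s not in KNOWN_SCOPES]
    if unknown:
        reasons.append(f"unknown scope(s) {unknown}: guarantees an error redirect")
    state = q.get("state", "")
    if len(state) > 128 or "://" in state:      # heuristic, an assumption
        reasons.append("state carries a URL or is unusually long")
    return reasons


# Constructed samples: one legitimate sign-in link and two probe variants.
BENIGN = ("https://login.microsoftonline.com/common/oauth2/v2.0/authorize"
          "?client_id=11111111-aaaa-bbbb-cccc-222222222222&response_type=code"
          "&redirect_uri=https%3A%2F%2Fapp.example.com%2Fcallback"
          "&scope=openid%20profile%20User.Read&state=s1")
PROBE_PROMPT = ("https://login.microsoftonline.com/common/oauth2/v2.0/authorize"
                "?client_id=33333333-dddd-eeee-ffff-444444444444&response_type=code"
                "&redirect_uri=https%3A%2F%2Fdocshare-review.example%2Fopen"
                "&scope=openid&prompt=none&state=dl-9f2c")
PROBE_SCOPE = PROBE_PROMPT.replace("scope=openid", "scope=openid%20totally.bogus")

if __name__ == "__main__":
    for name, url in [("benign", BENIGN), ("probe_prompt", PROBE_PROMPT),
                      ("probe_scope", PROBE_SCOPE)]:
        print(name, probe_indicators(url))
        for session in (False, True):
            print("   session" if session else "   no session",
                  "->", simulate_authorize(url, session))
```

The two probe variants differ in an important way: a bare “prompt=none” probe only redirects users who have no usable session, while adding an invalid scope guarantees the error redirect for every recipient, signed in or not, which is why the advisory calls out both. Feeding a detector like `probe_indicators` with URLs from mail-gateway or proxy logs turns the “monitor for prompt=none” advice into a concrete alert; the redirect-URI allowlist is the part a tenant has to populate from its own audited app registrations.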