Microsoft Warns of Phishing Campaign Exploiting OAuth Redirects to Deceive Users and Distribute Malware


Thursday, March 5, 2026

Security researchers from Microsoft have identified a phishing campaign targeting government agencies and public-sector organizations by abusing OAuth URL redirection mechanisms to bypass email and browser security protections. Instead of stealing passwords or exploiting software vulnerabilities, attackers leverage OAuth’s legitimate design behavior to redirect users to attacker-controlled infrastructure. As a result, this threat is categorized as an identity-based attack rather than a traditional exploit.

According to the report, attackers register malicious OAuth applications in their own tenants and configure the application's redirect URI to point to domains hosting malware. They then send phishing emails containing specially crafted OAuth links, often disguised as document-sharing notices, payment notifications, or meeting invitations. When a victim clicks the link, the browser is sent to the provider's OAuth authorization endpoint with parameters chosen to trigger an error, such as prompt=none or an invalid scope value. The authentication service evaluates session status and security policies, then delivers the error response the way the protocol prescribes: by redirecting the user to the application's registered redirect URI, which here is the attacker-controlled domain. Because the link initially points at a trusted service such as Microsoft Entra ID or Google Workspace, victims are more likely to trust it, even though it ultimately lands on a malicious website.
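The link structure described above can be triaged in mail-gateway or proxy logs before anyone clicks. The following Python script is an added example, not code from Microsoft or from the article: it extracts URLs from log lines, recognises Microsoft and Google authorization-endpoint URLs, decodes the redirect_uri, and flags links whose redirect target is outside an allowlist of expected domains, raising the severity when the link also carries an error-forcing parameter (prompt=none, or a scope token that is not a valid RFC 6749 scope-token). The endpoint list, the allowlist (TRUSTED_REDIRECT_SUFFIXES), the client IDs and every log line are constructed for the demonstration.

```python
"""Triage OAuth authorization links found in mail or proxy logs.

Added example (not from the Microsoft report or the article). All hosts,
client IDs and log lines below are constructed placeholders.
"""
import re
from urllib.parse import parse_qs, urlparse

# Authorization-endpoint hosts and the path fragments their authorize URLs contain.
AUTHZ_ENDPOINTS = {
    "login.microsoftonline.com": ("/oauth2/v2.0/authorize", "/oauth2/authorize"),
    "accounts.google.com": ("/o/oauth2/v2/auth", "/o/oauth2/auth"),
}

# Domains the organization expects as redirect targets (constructed allowlist;
# replace with the redirect hosts of the applications actually in use).
TRUSTED_REDIRECT_SUFFIXES = ("microsoft.com", "office.com", "google.com", "corp.example")

# RFC 6749 scope-token: printable ASCII except space, double quote and backslash.
SCOPE_TOKEN = re.compile(r"^[\x21\x23-\x5b\x5d-\x7e]+$")

# Crude URL extractor for free-text log lines.
URL_RE = re.compile(r"""https?://[^\s"'<>]+""")


def host_is_trusted(host, trusted=TRUSTED_REDIRECT_SUFFIXES):
    """True if host equals or is a subdomain of an allowlisted suffix."""
    host = host.lower()
    return any(host == s or host.endswith("." + s) for s in trusted)


def analyze_oauth_link(url, trusted=TRUSTED_REDIRECT_SUFFIXES):
    """Return None for non-authorize URLs, otherwise a dict of findings and severity."""
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    markers = AUTHZ_ENDPOINTS.get(host)
    if not markers or not any(m in parsed.path for m in markers):
        return None

    q = parse_qs(parsed.query, keep_blank_values=True)
    findings = []

    redirect = q.get("redirect_uri", [""])[0]
    r = urlparse(redirect)
    redirect_host = (r.hostname or "").lower()
    if not redirect:
        findings.append("no redirect_uri in link; server will use the registered one")
    else:
        if r.scheme != "https":
            findings.append(f"non-https redirect_uri scheme {r.scheme!r}")
        if not host_is_trusted(redirect_host, trusted):
            findings.append(f"redirect_uri host {redirect_host!r} is outside the allowlist")

    # prompt=none makes the server answer with an error redirect when no session fits.
    if q.get("prompt", [""])[0] == "none":
        findings.append("prompt=none")

    # A malformed scope token makes the server return invalid_scope to redirect_uri.
    for tok in q.get("scope", [""])[0].split():
        if not SCOPE_TOKEN.match(tok):
            findings.append(f"malformed scope token {tok!r}")

    off_list = any(f.startswith("redirect_uri host") for f in findings)
    forcing = any(f == "prompt=none" or f.startswith("malformed scope") for f in findings)
    severity = "high" if off_list and forcing else "medium" if off_list else "none"

    return {
        "authz_host": host,
        "client_id": q.get("client_id", [""])[0],
        "redirect_host": redirect_host,
        "findings": findings,
        "severity": severity,
    }


def scan_log_lines(lines, trusted=TRUSTED_REDIRECT_SUFFIXES):
    """Return (line_no, url, result) for every authorize link with severity above 'none'."""
    hits = []
    for n, line in enumerate(lines, 1):
        for url in URL_RE.findall(line):
            res = analyze_oauth_link(url, trusted)
            if res and res["severity"] != "none":
                hits.append((n, url, res))
    return hits


# Constructed sample log lines (mail gateway URL extraction).
SAMPLE_LOG = [
    # Ordinary silent sign-in to an allowlisted host: not flagged on its own.
    'mail-gw id=1 url="https://login.microsoftonline.com/common/oauth2/v2.0/authorize?client_id=11111111-1111-1111-1111-111111111111&response_type=code&redirect_uri=https%3A%2F%2Fteams.microsoft.com%2Fgo&scope=openid%20profile&prompt=none"',
    # Off-allowlist redirect_uri plus prompt=none: the pattern described in the report.
    'mail-gw id=2 url="https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/oauth2/v2.0/authorize?client_id=22222222-2222-2222-2222-222222222222&response_type=code&redirect_uri=https%3A%2F%2Finvoice-share.example.net%2Fdownload%2F&scope=openid&prompt=none"',
    # Off-allowlist redirect_uri plus a scope token containing a double quote.
    'mail-gw id=3 url="https://accounts.google.com/o/oauth2/v2/auth?client_id=333&response_type=code&redirect_uri=https%3A%2F%2Fdocs-view.example.org%2Fdownload%2F&scope=openid%20%22x%22"',
    # Not an authorization endpoint: ignored.
    'mail-gw id=4 url="https://www.example.com/quarterly-report.pdf"',
]

if __name__ == "__main__":
    for n, url, res in scan_log_lines(SAMPLE_LOG):
        print(f"line {n}: severity={res['severity']} redirect_host={res['redirect_host']}")
        for f in res["findings"]:
            print("   -", f)
```

Two design points matter for anyone adapting this. First, the authorization server only redirects to URIs registered on the application, and the attacker controls that registration, so the script cannot check registration; the allowlist of expected redirect hosts is the practical gateway heuristic, and a link with no redirect_uri at all cannot be assessed this way. Second, prompt=none to an allowlisted host is normal single sign-on, so it only raises severity when combined with an off-allowlist redirect rather than being flagged by itself.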

In some campaigns, victims are redirected to a /download/ page that automatically downloads a ZIP file containing a malicious LNK file or an HTML smuggling loader. Once executed, the file launches PowerShell commands to profile the system, download additional payloads, and load a malicious DLL directly into memory. The malware then establishes communication with a command-and-control (C2) server, escalating the attack from simple phishing to full endpoint compromise and persistent access.

Microsoft recommends that organizations strictly control OAuth usage, limit user consent permissions, regularly audit application privileges, and remove unused or overly privileged applications. Additional protections such as strong authentication controls and Conditional Access policies should also be implemented to prevent attackers from exploiting trusted identity mechanisms in similar campaigns.

Source https://securityaffairs.com/188829/hacking/phishing-campaign-exploits-oauth-redirection-to-bypass-defenses.html