OAuth Redirect Abuse Lets Attackers Bypass MFA Without Stealing Tokens
Microsoft warns government agencies about phishing campaigns that weaponize legitimate OAuth error handling.
Microsoft disclosed ongoing OAuth abuse campaigns targeting government and public-sector organizations that use phishing emails and URL redirects to deliver malware without stealing access tokens.
The twist: attackers exploit OAuth’s legitimate error-handling redirect feature by crafting URLs with intentionally invalid parameters that trigger error codes, then redirect victims to attacker-controlled landing pages hosting malware.
How the attack works:
Attackers create malicious OAuth applications with redirect URLs pointing to rogue domains, then send phishing emails containing crafted authorization requests with invalid scopes.
Example malicious URL structure:
https://login.microsoftonline.com/common/oauth2/v2.0/authorize?client_id=<app_id>&response_type=code&scope=<invalid_scope>&prompt=none&state=<value>
At first glance this looks like a standard OAuth request, but several parameters are intentionally misused to force an error that triggers the redirect to attacker infrastructure.
Once redirected, victims land on adversary-in-the-middle (AiTM) phishing frameworks such as EvilProxy, which are designed to intercept credentials and session cookies by proxying the real login flow.
The malware delivery:
In one campaign, the redirect sent victims to a /download/XXXX path that automatically downloaded ZIP files containing LNK shortcut files and HTML smuggling loaders.
When victims opened the LNK file, it executed PowerShell commands for reconnaissance, then launched legitimate steam_monitor.exe to side-load malicious crashhandler.dll, which decrypted crashlog.dat and established C2 connections.
OAuth Spec: “Error redirects are a legitimate feature for handling authentication failures.”
Attackers: “Cool, so if we intentionally trigger errors, you’ll redirect victims to our malware distribution site?”
OAuth Spec: “Wait, no—”
Attackers: “Too late, already shipping.”
If you manage Microsoft Entra/Azure AD:
Limit user consent permissions and periodically review application permissions
Remove unused or overprivileged OAuth applications immediately
Monitor for OAuth applications with suspicious redirect URIs pointing to external domains
Microsoft Entra has disabled identified malicious OAuth applications, but warns that “related OAuth activity persists and requires ongoing monitoring.”
For security teams:
Implement Conditional Access policies to restrict OAuth application creation to trusted users
Flag authentication attempts from unfamiliar sign-in properties or anonymous IP addresses
Monitor for OAuth apps requesting excessive permissions like Mail.Send, Mail.ReadWrite, User.Read
Block automatic file downloads from OAuth redirect endpoints
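The two monitoring items above (redirect URIs pointing to external domains, and apps requesting Mail.Send, Mail.ReadWrite or User.Read) can be turned into a simple audit. This is an added example, not Microsoft's or Entra's code: it runs over a constructed list shaped like Microsoft Graph /applications objects, the trusted-host allowlist is a made-up tenant, and the "permissions" field is assumed to already hold resolved scope names rather than Graph's permission GUIDs.

```python
"""Audit OAuth app registrations for risky redirect URIs and permissions.

Added example, not Microsoft's code. Input is a constructed list shaped
like Microsoft Graph /applications objects (web/spa/publicClient.redirectUris);
the 'permissions' field is an assumption: resolved scope names, not GUIDs.
"""
from urllib.parse import urlsplit

TRUSTED_HOSTS = {"portal.contoso.com", "app.contoso.com"}        # constructed tenant hosts
RISKY_PERMISSIONS = {"Mail.Send", "Mail.ReadWrite", "User.Read"}  # the page's watch list

# Constructed sample registrations (not real apps).
SAMPLE_APPS = [
    {"displayName": "Expense Portal", "appId": "app-1",
     "web": {"redirectUris": ["https://portal.contoso.com/auth/callback"]},
     "permissions": ["openid", "profile"]},
    {"displayName": "Document Signer", "appId": "app-2",
     "web": {"redirectUris": ["https://sign.example.net/callback"]},
     "permissions": ["Mail.Send", "Mail.ReadWrite"]},
    {"displayName": "Legacy Client", "appId": "app-3",
     "publicClient": {"redirectUris": ["http://portal.contoso.com/cb"]},
     "permissions": ["User.Read"]},
]

def redirect_uris(app):
    """Collect redirect URIs from the web, spa and publicClient sections."""
    uris = []
    for section in ("web", "spa", "publicClient"):
        uris.extend(app.get(section, {}).get("redirectUris", []))
    return uris

def audit_app(app, trusted_hosts=TRUSTED_HOSTS):
    """Return the list of findings for one app registration (empty = clean)."""
    findings = []
    for uri in redirect_uris(app):
        parts = urlsplit(uri)
        host = (parts.hostname or "").lower()
        if parts.scheme != "https":
            findings.append(f"non-https redirect {uri}")
        if host not in trusted_hosts:
            findings.append(f"external redirect host {host}")
    risky = sorted(RISKY_PERMISSIONS & set(app.get("permissions", [])))
    if risky:
        findings.append("risky permissions " + ", ".join(risky))
    return findings

def audit_all(apps):
    """Map appId -> findings, keeping only registrations that need review."""
    return {a["appId"]: f for a in apps if (f := audit_app(a))}

if __name__ == "__main__":
    for app_id, findings in audit_all(SAMPLE_APPS).items():
        print(app_id, findings)
```

Feed it the JSON you export from the Entra app registrations list (or a Graph query) and review every app that produces findings; a redirect host you do not own is the signal this campaign depends on.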
For end users:
Never click OAuth authorization links in unsolicited emails
Verify the redirect_uri parameter before granting consent; if it’s not a domain you recognize, stop
Phishing lures observed include e-signature requests, Teams meeting recordings, Microsoft 365 password resets, and political themes
Some campaigns embedded malicious URLs in PDF attachments disguised as calendar invites
The Takeaway:
This isn’t credential theft: attackers aren’t stealing access tokens, because victims never grant application permissions. Instead, they abuse OAuth’s native error-handling behavior to redirect users to malicious infrastructure.
Microsoft describes this as “an identity-based threat that takes advantage of OAuth’s standard, by-design behavior rather than exploiting software vulnerabilities.” The redirect mechanism is working exactly as designed; attackers just weaponized it.
Several campaigns also included fake calendar invite (.ics) attachments and meeting-related messaging to reinforce legitimacy and encourage interaction. By combining trusted authentication URLs with collaboration themes, attackers bypass email filters.
Microsoft declined to disclose the size and scope of these campaigns, but targeting government and public-sector organizations suggests this is an espionage or intelligence-gathering operation, not financially motivated crime.
The malicious payloads distribute ZIP archives leading to PowerShell execution, DLL side-loading, and pre-ransomware or hands-on-keyboard activity. Full device compromise, not just session hijacking.
The scary part: Advanced phishing-as-a-service kits like EvilProxy and Tycoon are industrializing OAuth abuse at scale, exploiting weaknesses in OAuth implementations to gain unauthorized and persistent access.
OAuth was designed for convenience. Attackers turned convenience into a delivery mechanism.
- Alex