A new, active phishing campaign exploits OAuth’s legitimate redirection behavior, allowing it to bypass traditional email and browser defenses without stealing any tokens.
According to Microsoft Defender researchers, the campaigns primarily target government and public-sector organizations, using trusted identity provider domains to mask malicious redirects.
Unlike traditional phishing that relies on credential theft or software exploits, this technique abuses OAuth’s standard error-handling flows defined in RFC 6749.
Attackers register malicious applications in actor-controlled tenants, configure redirect URIs pointing to attacker-owned domains, and then distribute phishing links that trigger a silent OAuth authorization flow.
Attack Chain (Source: Microsoft)
The crafted URLs target Microsoft Entra ID’s /common/oauth2/v2.0/authorize endpoint using intentionally misused parameters:
| Parameter | Purpose | Attacker’s Intent |
|---|---|---|
| /common/ | Targets all tenants | Broad targeting |
| response_type=code | Full OAuth flow | Triggers auth logic |
| prompt=none | Silent authentication | No UI, no user interaction |
| scope=<invalid_scope> | Guaranteed failure | Forces error redirect path |
“Because the request is designed to fail, not succeed, the identity provider evaluates session state and Conditional Access policies silently, then redirects the browser to the attacker’s registered redirect URI. Crucially, no access token is stolen; the objective is purely redirection to malicious infrastructure,” the Microsoft report reads.
Five-Stage Attack Chain
Stage 1 – Email Delivery: Threat actors distributed phishing emails themed around e-signatures, Social Security notices, Teams meetings, and financial documents. Some campaigns embedded OAuth redirect URLs directly in email bodies, while others concealed them inside PDF attachments. Python- and Node.js-built mass-sending tools, along with cloud-hosted virtual machines, were used for distribution.
Stage 2 – Silent OAuth Probe: Clicking the phishing link triggers the crafted OAuth authorization flow. The state parameter was repurposed to carry the victim’s encoded email address — using plaintext, hex, Base64, or custom encoding schemes — allowing it to be auto-populated on the phishing landing page.
Stage 3 – OAuth Error Redirect: When silent authentication fails, Entra ID returns an error code 65001 (interaction_required) and redirects the browser to the attacker’s registered URI. This confirms account existence and that interactive MFA is required — intelligence valuable to the attacker even without a stolen token.
Stage 4 – Malware Delivery: Post-redirect, victims were routed to phishing frameworks like EvilProxy, functioning as attacker-in-the-middle toolkits designed to intercept credentials and session cookies. In targeted campaigns, a ZIP file was automatically downloaded from a /download/XXXX path, containing LNK shortcut files and HTML smuggling loaders.
5 Attack stages (Source: Microsoft)
Stage 5 – Endpoint Persistence: Extracting the ZIP executed a PowerShell command that ran host reconnaissance (ipconfig /all, tasklist), followed by DLL side-loading via a legitimate steam_monitor.exe binary. The malicious crashhandler.dll decrypted a payload in memory and established a C2 outbound connection.
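The following detection helper is an added example, not code from Microsoft or the report: it parses an Entra ID authorize URL (for instance one extracted from an email or a proxy log), checks for the combination of parameters listed in the table above, and tries the plaintext, hex and Base64 decodings of the state parameter described in Stage 2 to recover the targeted address. The sample URL, its client_id, redirect host and state value are all constructed placeholders; the scope allowlist is a simplification.

```python
import base64
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample URL for this example (not taken from the report); client_id and
# redirect_uri are placeholders, and state carries "alice@corp.example" hex-encoded.
SAMPLE_URL = (
    "https://login.microsoftonline.com/common/oauth2/v2.0/authorize"
    "?client_id=00000000-0000-0000-0000-000000000000&response_type=code"
    "&redirect_uri=https%3A%2F%2Fattacker.example%2Fcb&prompt=none"
    "&scope=invalid_scope&state=616c69636540636f72702e6578616d706c65"
)
# Simplified allowlist: OIDC scopes, plus Resource.Permission / resource/.default forms.
OIDC_SCOPES = {"openid", "profile", "email", "offline_access"}
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")

def decode_state(state):
    """Return the e-mail address carried in state (plaintext, hex or Base64), else None."""
    candidates = [state]
    try:
        candidates.append(bytes.fromhex(state).decode("utf-8"))
    except ValueError:
        pass
    padded = state + "=" * (-len(state) % 4)  # tolerate stripped Base64 padding
    for decoder in (base64.b64decode, base64.urlsafe_b64decode):
        try:
            candidates.append(decoder(padded).decode("utf-8"))
        except ValueError:  # binascii.Error and UnicodeDecodeError both subclass ValueError
            pass
    return next((c for c in candidates if EMAIL_RE.match(c)), None)

def analyze_authorize_url(url):
    """Flag an Entra ID authorize URL matching the fail-on-purpose redirect pattern."""
    parts = urlsplit(url)
    q = {k: v[0] for k, v in parse_qs(parts.query).items()}
    findings = []
    if parts.path.startswith("/common/"):
        findings.append("common_endpoint")  # multi-tenant endpoint: any victim tenant will do
    if q.get("response_type") == "code":
        findings.append("code_flow")
    if q.get("prompt") == "none":
        findings.append("silent_prompt")  # no UI, so the user never sees a consent page
    scopes = q.get("scope", "").lower().split()
    if scopes and not all(s in OIDC_SCOPES or "." in s or "/" in s for s in scopes):
        findings.append("unknown_scope")  # a scope that cannot succeed forces the error redirect
    email = decode_state(q["state"]) if "state" in q else None
    if email:
        findings.append("email_in_state")
    # The combination of parameters, not any single one, is what makes the request suspicious.
    suspicious = "silent_prompt" in findings and bool({"unknown_scope", "email_in_state"} & set(findings))
    return {"suspicious": suspicious, "findings": findings, "state_email": email,
            "redirect_host": urlsplit(q.get("redirect_uri", "")).hostname}
```

The redirect_host field is what the "monitor OAuth redirect URIs" mitigation below would compare against an allowlist of the organization's own application domains.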
Mitigations
Microsoft recommends organizations take the following defensive steps:
Restrict user consent to OAuth applications via Entra ID admin consent policies
Audit and remove unused, overprivileged, or unrecognized OAuth app registrations
Enable Conditional Access policies and identity protection controls
Deploy cross-domain XDR detections spanning email, identity, and endpoint signals
Monitor OAuth redirect URIs for suspicious or newly registered domains
Microsoft Entra has already disabled the observed malicious OAuth applications, but related OAuth abuse activity continues to be detected, requiring ongoing vigilance. As organizations strengthen MFA and credential defenses, adversaries are pivoting to exploit trust relationships within authentication protocols themselves.
The post Microsoft Warns of New Phishing Attack Exploiting OAuth in Entra ID to Evade Detection appeared first on Cyber Security News.