Microsoft Flags OAuth Redirect Abuse in Phishing Campaigns Targeting Government Networks
Microsoft has issued a warning about a series of sophisticated phishing campaigns that exploit legitimate OAuth redirect mechanisms to deliver malware to government and public-sector targets. The attacks do not rely on token theft, as seen in many traditional OAuth abuses. Instead, they weaponize trusted identity workflows to quietly funnel victims toward attacker-controlled infrastructure.
The campaigns represent an evolution in phishing tradecraft. Rather than spoofing login portals outright, threat actors leverage genuine OAuth flows to add a veneer of legitimacy before redirecting victims to malicious landing pages.
Abusing OAuth Without Stealing Tokens
OAuth is designed to allow secure authorization between applications without exposing user credentials. However, many platforms include redirect URI functionality that can be misused if not strictly validated.
In these campaigns, attackers manipulate legitimate redirect parameters so that, after an authentication interaction, users are sent to attacker-controlled pages instead of intended destinations. Because the redirect occurs within a trusted workflow, victims may not immediately suspect malicious activity.
Importantly, Microsoft notes that these attacks do not necessarily require token interception. The redirect itself becomes the delivery mechanism for subsequent payload stages.
Malware Delivered via ZIP Archives
Once redirected, victims are prompted to download ZIP archives disguised as official documents or government-related files. Inside the archive, the infection chain typically begins with a script or executable that triggers PowerShell execution.
From there, attackers deploy techniques such as DLL sideloading and in-memory payload execution to avoid disk-based detection. By keeping key components in memory, the malware reduces its forensic footprint and complicates traditional antivirus detection.
Observed payloads include loaders capable of establishing persistence, performing reconnaissance, and deploying additional modules based on operator instructions.
Use of Adversary-in-the-Middle Frameworks
In some variants of the campaign, attackers employed adversary-in-the-middle (AitM) frameworks to harvest credentials directly. These setups proxy authentication sessions in real time, capturing credentials and session cookies before forwarding users to legitimate services.
Such AitM frameworks enable bypass of multi-factor authentication protections in certain scenarios, particularly when session tokens are captured and replayed.
The combination of OAuth redirect abuse and AitM credential harvesting significantly increases the campaign’s effectiveness against high-value targets.
Government and Public Sector in Focus
Microsoft reports that the primary targets include government agencies, public institutions, and organizations supporting state operations. These entities often rely heavily on cloud-based collaboration tools and federated identity services, making OAuth workflows an attractive vector.
Public-sector networks also present strategic value. Successful intrusions can yield sensitive communications, policy documents, and potentially classified operational data.
Detection and Mitigation Strategies
Security teams are advised to audit OAuth applications for overly permissive redirect URI configurations. Strict validation and enforcement of approved redirect domains are critical controls.
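The following Python example is added here to illustrate the redirect URI weakness described earlier (a trusted flow whose redirect parameter is not strictly validated) and the audit and exact-match controls this section recommends. It is not code from Microsoft's advisory or from any identity provider: the registered URIs, host names and the `weak_redirect_check`, `strict_redirect_check` and `audit_redirect_registration` functions are all constructed for demonstration.

```python
from urllib.parse import urlsplit

# Constructed allowlist for a hypothetical OAuth client registration; a real
# deployment would read this from the identity provider's app registry.
REGISTERED_REDIRECT_URIS = {
    "https://portal.example.gov/auth/callback",
    "https://docs.example.gov/oauth/return",
}


def _origin(uri: str) -> str:
    p = urlsplit(uri)
    return f"{p.scheme}://{p.netloc}"


def weak_redirect_check(redirect_uri: str) -> bool:
    """Overly permissive validation: accept any redirect_uri that merely
    starts with the scheme and host of a registered URI.  This is the kind
    of configuration the advisory warns about: a look-alike host such as
    portal.example.gov.<other-domain> or an open-redirect endpoint on the
    real host both pass."""
    origins = {_origin(u) for u in REGISTERED_REDIRECT_URIS}
    return any(redirect_uri.startswith(o) for o in origins)


def strict_redirect_check(redirect_uri: str) -> bool:
    """Exact-match validation, as recommended for OAuth clients: the supplied
    redirect_uri must equal a registered value byte-for-byte after the host
    has been lower-cased.  Any query string, fragment, userinfo, different
    path or non-HTTPS scheme causes rejection."""
    p = urlsplit(redirect_uri)
    if p.scheme != "https" or p.fragment or "@" in p.netloc or not p.hostname:
        return False
    normalized = p._replace(netloc=p.netloc.lower()).geturl()
    return normalized in REGISTERED_REDIRECT_URIS


def audit_redirect_registration(registered_uris):
    """Audit helper for the registry itself: return (uri, reason) pairs for
    entries that would make exact matching meaningless.  An empty list means
    nothing was flagged."""
    findings = []
    for u in registered_uris:
        if "*" in u:
            findings.append((u, "wildcard"))
            continue
        p = urlsplit(u)
        if p.scheme != "https":
            findings.append((u, "non-https scheme"))
        elif p.query or p.fragment:
            findings.append((u, "query or fragment in registered URI"))
        elif p.path in ("", "/"):
            findings.append((u, "bare origin registered; callback path not pinned"))
    return findings


if __name__ == "__main__":
    # Constructed requests: one legitimate, one look-alike host, one that
    # abuses a redirect parameter on the genuine host.
    for candidate in (
        "https://portal.example.gov/auth/callback",
        "https://portal.example.gov.lookalike.example/auth/callback",
        "https://portal.example.gov/auth/callback?next=https://lookalike.example/",
    ):
        print(candidate, "weak:", weak_redirect_check(candidate),
              "strict:", strict_redirect_check(candidate))
    print(audit_redirect_registration(["https://*.example.gov/cb",
                                       *REGISTERED_REDIRECT_URIS]))
```

The weak and strict checks differ only in the comparison rule, which is the point: prefix or domain matching is what lets a legitimate authorization step end on a page the client never registered, while exact matching pins both host and path and leaves no room for appended parameters.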
Organizations should monitor for anomalous ZIP downloads following OAuth interactions and alert on suspicious PowerShell execution originating from user-initiated downloads. Endpoint detection and response systems should also be tuned to identify DLL sideloading patterns and unusual in-memory execution behavior.
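As an added example of the correlation this paragraph describes, the Python below runs a simple sequence rule over constructed log events: an OAuth redirect event for a user, followed within a short window by a ZIP download and then a PowerShell process whose command line points into the user's Downloads folder. The event schema, the ten-minute window, the user names and the `detect_oauth_zip_powershell` function are all assumptions made for this illustration and are not part of the advisory or of any vendor's detection content.

```python
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)  # assumed correlation window

# Constructed events in a flat, normalized shape (timestamp, user, source,
# event type, free-text detail).  Real telemetry would come from the identity
# provider, web proxy and EDR respectively.
SAMPLE_EVENTS = [
    # alice: full chain inside the window -> should alert
    {"ts": "2024-05-01T09:00:05Z", "user": "alice", "source": "idp",
     "event": "oauth_redirect", "detail": "redirect_uri=https://portal.example.gov/auth/callback"},
    {"ts": "2024-05-01T09:00:40Z", "user": "alice", "source": "proxy",
     "event": "download", "detail": "C:\\Users\\alice\\Downloads\\Budget_Memo.zip"},
    {"ts": "2024-05-01T09:01:20Z", "user": "alice", "source": "edr",
     "event": "process_start", "detail": "powershell.exe -File C:\\Users\\alice\\Downloads\\Budget_Memo\\Budget_Memo.ps1"},
    # bob: OAuth redirect and PowerShell, but the download is a PDF -> no alert
    {"ts": "2024-05-01T09:05:00Z", "user": "bob", "source": "idp",
     "event": "oauth_redirect", "detail": "redirect_uri=https://docs.example.gov/oauth/return"},
    {"ts": "2024-05-01T09:05:30Z", "user": "bob", "source": "proxy",
     "event": "download", "detail": "C:\\Users\\bob\\Downloads\\report.pdf"},
    {"ts": "2024-05-01T09:06:00Z", "user": "bob", "source": "edr",
     "event": "process_start", "detail": "powershell.exe -File C:\\Users\\bob\\Downloads\\tidy.ps1"},
    # carol: same chain as alice but the ZIP arrives 15 minutes later -> outside window
    {"ts": "2024-05-01T09:10:00Z", "user": "carol", "source": "idp",
     "event": "oauth_redirect", "detail": "redirect_uri=https://portal.example.gov/auth/callback"},
    {"ts": "2024-05-01T09:25:00Z", "user": "carol", "source": "proxy",
     "event": "download", "detail": "C:\\Users\\carol\\Downloads\\Policy.zip"},
    {"ts": "2024-05-01T09:26:00Z", "user": "carol", "source": "edr",
     "event": "process_start", "detail": "powershell.exe -File C:\\Users\\carol\\Downloads\\Policy\\Policy.ps1"},
]


def parse_ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def detect_oauth_zip_powershell(events, window=WINDOW):
    """Return one alert per user for each OAuth redirect that is followed,
    within `window`, first by a .zip download and then by a PowerShell
    process launched from the Downloads directory."""
    by_user = {}
    for e in sorted(events, key=lambda e: e["ts"]):
        by_user.setdefault(e["user"], []).append(e)

    alerts = []
    for user, evs in by_user.items():
        for i, redirect in enumerate(evs):
            if redirect["event"] != "oauth_redirect":
                continue
            t0 = parse_ts(redirect["ts"])
            zip_evt = None
            for e in evs[i + 1:]:
                if parse_ts(e["ts"]) - t0 > window:
                    break  # later events fall outside the correlation window
                detail = e["detail"].lower()
                if zip_evt is None and e["event"] == "download" and detail.endswith(".zip"):
                    zip_evt = e
                elif (zip_evt is not None and e["event"] == "process_start"
                      and "powershell" in detail and "\\downloads\\" in detail):
                    alerts.append({"user": user, "redirect_at": redirect["ts"],
                                   "zip": zip_evt["detail"], "powershell_at": e["ts"]})
                    break
    return alerts


if __name__ == "__main__":
    for a in detect_oauth_zip_powershell(SAMPLE_EVENTS):
        print(a)
```

The rule deliberately requires all three stages in order; the redirect or the PowerShell launch alone would be far too noisy in a federated environment, whereas the ordered triple ties the endpoint activity back to the identity event that started it.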
For identity protection, deploying phishing-resistant authentication methods such as FIDO2 security keys can reduce the effectiveness of adversary-in-the-middle attacks.
Identity Infrastructure as an Attack Surface
These campaigns underscore a broader reality in modern cybersecurity. Identity infrastructure, particularly OAuth-based authorization flows, has become a frontline attack surface.
As organizations increasingly centralize authentication within cloud ecosystems, misconfigurations or overly permissive redirect rules can create pathways that attackers exploit without ever needing to compromise core authentication servers directly.
Microsoft’s advisory serves as a reminder that secure authentication protocols depend not only on cryptography but also on disciplined configuration management. Even legitimate features, when misused, can become powerful tools in a threat actor’s arsenal.