Microsoft Warns of OAuth Redirect Abuse Using Google Logins to Deliver Malware

By Ash K

Microsoft has issued a warning about an active phishing campaign that abuses legitimate OAuth login flows to redirect victims to attacker-controlled sites, where malware is delivered or credentials are harvested.

Rather than relying on spoofed domains, attackers are leveraging trusted identity providers such as Google Workspace and Microsoft Entra ID as intermediaries. The tactic allows malicious links to pass through traditional phishing filters that focus on suspicious URLs.

Turning Trust Into an Attack Vector

OAuth, short for Open Authorization, enables users to log in to applications using third-party identity providers without sharing passwords. During authentication, the identity provider redirects the browser back to the application's registered redirect URI, carrying an authorization code or token (or error parameters if the request failed).

In the observed campaigns, threat actors created malicious OAuth applications in their own tenants and configured redirect URIs that pointed to phishing infrastructure. When victims clicked authorization links embedded in phishing emails, they were first routed through legitimate login domains before being redirected to attacker-controlled pages.

The redirection often occurred after an authentication error. This is normal behavior within the OAuth framework: when authorization fails, the identity provider still returns the browser to the application's registered redirect URI, with error parameters attached. Attackers weaponized this built-in mechanism to move victims from a trusted identity domain to malicious landing pages without raising immediate suspicion.
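The property being abused is that the login domain in the link is genuine while the `redirect_uri` parameter decides where the browser ends up. The following is an added example, not code from Microsoft or from the article, showing how a mail-filtering or triage pipeline can inspect authorization links for exactly that mismatch. The allowlist of approved redirect hosts, the sample links and the client IDs are all constructed for the example.

```python
from urllib.parse import urlparse, parse_qs

# Identity-provider authorization endpoints whose presence makes a link look
# trustworthy to both users and URL-reputation filters.
TRUSTED_IDP_HOSTS = {"login.microsoftonline.com", "accounts.google.com"}

# Hypothetical allowlist: redirect hosts of applications the organization has
# actually registered or reviewed. Assumed for this example, not from the article.
APPROVED_REDIRECT_HOSTS = {"app.example.com"}


def inspect_authorization_link(url: str) -> dict:
    """Classify a URL that may be an OAuth authorization link.

    Returns the identity-provider host, the client_id, the host the browser
    will be sent to afterwards, and a verdict.
    """
    parsed = urlparse(url)
    idp_host = (parsed.hostname or "").lower()
    params = parse_qs(parsed.query)  # percent-decoding of redirect_uri happens here

    if idp_host not in TRUSTED_IDP_HOSTS or "redirect_uri" not in params:
        return {"idp_host": idp_host, "verdict": "not_an_oauth_authorization_link"}

    redirect_uri = params["redirect_uri"][0]
    redirect_host = (urlparse(redirect_uri).hostname or "").lower()
    client_id = params.get("client_id", [""])[0]

    # scope/response_type do not matter for this check: even on an authorization
    # error the provider sends the browser to redirect_uri, so the destination
    # host is the signal worth inspecting.
    verdict = "approved_redirect" if redirect_host in APPROVED_REDIRECT_HOSTS else "suspicious_redirect"

    return {
        "idp_host": idp_host,
        "client_id": client_id,
        "redirect_host": redirect_host,
        "verdict": verdict,
    }


def triage_links(urls):
    """Keep only links that route through a trusted IdP to an unapproved host."""
    return [r for r in map(inspect_authorization_link, urls) if r["verdict"] == "suspicious_redirect"]


# Constructed sample links; the client_id values and hosts are made up.
SAMPLE_LINKS = [
    "https://login.microsoftonline.com/common/oauth2/v2.0/authorize"
    "?client_id=11111111-2222-3333-4444-555555555555&response_type=code"
    "&redirect_uri=https%3A%2F%2Fdocsign-verify.example.net%2Fcallback"
    "&scope=openid&state=abc",
    "https://accounts.google.com/o/oauth2/v2/auth"
    "?client_id=example-client&response_type=code"
    "&redirect_uri=https%3A%2F%2Fapp.example.com%2Foauth%2Fcallback&scope=openid",
    "https://www.example.com/newsletter",
]

if __name__ == "__main__":
    for link in SAMPLE_LINKS:
        print(inspect_authorization_link(link))
```

A domain-reputation check alone would pass the first link, because its host is `login.microsoftonline.com`; only decoding `redirect_uri` exposes the unapproved destination.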

Government and Public Sector in Focus

Microsoft reported that government agencies and public-sector organizations were among the primary targets. Phishing emails were crafted around themes such as e-signature requests, financial matters, political topics, or social security documentation.

To increase credibility, attackers embedded OAuth authorization links directly in message bodies, inside PDF attachments, or within calendar invitations.

Credential Theft and Malware Delivery

Once redirected, victims encountered phishing pages built using adversary-in-the-middle frameworks such as EvilProxy. These setups are designed to capture login credentials and session cookies in real time.

To evade automated detection, the phishing sites often displayed CAPTCHA challenges or additional verification prompts. In other cases, the landing page immediately delivered a ZIP archive containing malicious LNK shortcut files.

When executed, the LNK files triggered PowerShell commands for reconnaissance and payload staging. Microsoft documented instances of DLL sideloading and in-memory execution of final-stage malware, followed by outbound connections to command-and-control infrastructure.

Abuse Is Operational, Not Theoretical

Microsoft Defender detected correlated suspicious activity across email, identity, and endpoint telemetry. The company disabled the identified malicious OAuth applications, but warned that similar techniques can be replicated through newly registered applications.

According to Microsoft, these campaigns highlight a shift in attacker strategy. As defenses improve against traditional credential phishing and multi-factor authentication bypass, adversaries are increasingly exploiting trust relationships and protocol behaviors instead.

Defensive Recommendations

Organizations are advised to tighten governance over OAuth applications and reduce the attack surface created by overly permissive consent policies.

Recommended actions include restricting user consent for new applications, regularly auditing app permissions, removing unused or overprivileged integrations, and enforcing Conditional Access policies.
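As an added example of the auditing step (not a tool from Microsoft or from the article), the script below reviews OAuth consent grants against a simple policy: unapproved applications, tenant-wide consent, high-privilege scopes, and grants that have not been used recently. The scope names are real Microsoft Graph permission names, but which ones count as high-risk, the approved application IDs, the 90-day staleness threshold and the grant records themselves are assumptions constructed for the example; in practice the records would come from the tenant's consent-grant export.

```python
from datetime import date, timedelta

# Hypothetical classification of delegated scopes. The names are real Microsoft
# Graph permissions; treating these as high-risk is this example's assumption.
HIGH_RISK_SCOPES = {
    "Mail.Read", "Mail.ReadWrite", "Files.ReadWrite.All",
    "Directory.ReadWrite.All", "offline_access",
}
# Hypothetical allowlist of application (client) IDs the organization has reviewed.
APPROVED_APP_IDS = {"aaaaaaaa-0000-0000-0000-000000000001"}
# Grants not exercised for this long are candidates for removal (assumed threshold).
STALE_AFTER = timedelta(days=90)


def audit_grants(grants, today):
    """Return one finding per grant that violates any policy check."""
    findings = []
    for g in grants:
        reasons = []
        approved = g["app_id"] in APPROVED_APP_IDS
        if not approved:
            reasons.append("unapproved_app")
        # "AllPrincipals" means consent was granted for every user in the tenant.
        if g["consent_type"] == "AllPrincipals" and not approved:
            reasons.append("tenant_wide_consent")
        risky = sorted(set(g["scopes"]) & HIGH_RISK_SCOPES)
        if risky:
            reasons.append("high_risk_scopes:" + ",".join(risky))
        if g["last_used"] is None or today - g["last_used"] > STALE_AFTER:
            reasons.append("stale_or_unused")
        if reasons:
            # Unapproved and unused: nothing legitimate depends on it, so remove it.
            action = "remove" if ("stale_or_unused" in reasons and not approved) else "review"
            findings.append({
                "app_id": g["app_id"],
                "display_name": g["display_name"],
                "reasons": reasons,
                "action": action,
            })
    return findings


# Constructed grant records (shape loosely follows a consent-grant export).
TODAY = date(2024, 1, 15)
SAMPLE_GRANTS = [
    {"app_id": "aaaaaaaa-0000-0000-0000-000000000001", "display_name": "Approved Ticketing",
     "consent_type": "Principal", "scopes": ["User.Read", "Mail.Read"],
     "last_used": TODAY - timedelta(days=3)},
    {"app_id": "bbbbbbbb-0000-0000-0000-000000000002", "display_name": "DocSign Viewer",
     "consent_type": "Principal", "scopes": ["User.Read", "Mail.Read", "offline_access"],
     "last_used": None},
    {"app_id": "cccccccc-0000-0000-0000-000000000003", "display_name": "Legacy Sync",
     "consent_type": "AllPrincipals", "scopes": ["Files.ReadWrite.All"],
     "last_used": TODAY - timedelta(days=200)},
]

if __name__ == "__main__":
    for f in audit_grants(SAMPLE_GRANTS, TODAY):
        print(f["action"].upper(), f["display_name"], f["reasons"])
```

The approved ticketing app still surfaces for review because it holds `Mail.Read`; the two unapproved, unused grants are flagged for removal. Restricting user consent for new applications keeps the second and third kinds of grant from appearing in the first place.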

Microsoft also stressed the importance of cross-domain detection that correlates signals from email, identity systems, and endpoint telemetry. Without unified visibility, OAuth abuse can slip through isolated security layers.
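The point about cross-domain detection is that each signal on its own is weak: a click on a Microsoft login link, a failed sign-in to an unfamiliar app, or PowerShell starting from the desktop shell each look ordinary in isolation. The added example below (not Microsoft's detection logic and not from the article) joins constructed email, identity and endpoint events per user inside a time window and rates the resulting chain. The event shape, the 30-minute window, the approved application ID and the sample events are all assumptions made for the example.

```python
from datetime import datetime, timedelta

# How long after an email click related sign-in and endpoint activity is
# considered connected. Assumed value for this example.
WINDOW = timedelta(minutes=30)

# Hypothetical allowlist of OAuth application IDs the tenant has reviewed.
APPROVED_APP_IDS = {"aaaaaaaa-0000-0000-0000-000000000001"}


def _within(click, event, window):
    return click["ts"] <= event["ts"] <= click["ts"] + window


def correlate(events, approved_app_ids=APPROVED_APP_IDS, window=WINDOW):
    """Join email, identity and endpoint events per user into attack chains.

    A chain is reported when an OAuth link click is followed, within the window,
    by a sign-in involving an unapproved application (medium severity). It is
    raised to high when a PowerShell launch from the user's shell, the pattern a
    double-clicked LNK produces, also follows within the window.
    """
    by_user = {}
    for e in sorted(events, key=lambda e: e["ts"]):
        by_user.setdefault(e["user"], []).append(e)

    chains = []
    for user, evs in by_user.items():
        clicks = [e for e in evs if e["source"] == "email" and e["type"] == "oauth_link_click"]
        for click in clicks:
            signins = [
                e for e in evs
                if e["source"] == "identity" and e["type"] == "signin"
                and e["app_id"] not in approved_app_ids and _within(click, e, window)
            ]
            launches = [
                e for e in evs
                if e["source"] == "endpoint" and e["type"] == "process_start"
                and e["parent"] == "explorer.exe" and e["process"] == "powershell.exe"
                and _within(click, e, window)
            ]
            if not signins:
                continue  # a click alone is not actionable
            chains.append({
                "user": user,
                "click_ts": click["ts"],
                "app_id": signins[0]["app_id"],
                "endpoint_ts": launches[0]["ts"] if launches else None,
                "severity": "high" if launches else "medium",
            })
    return chains


# Constructed telemetry: one full chain (alice), one click-plus-sign-in (bob),
# and endpoint noise with no preceding click (carol).
T = datetime(2024, 1, 15, 10, 0)
UNKNOWN_APP = "ffffffff-1111-2222-3333-444444444444"
SAMPLE_EVENTS = [
    {"source": "email", "type": "oauth_link_click", "user": "alice", "ts": T},
    {"source": "identity", "type": "signin", "user": "alice", "ts": T + timedelta(minutes=2),
     "app_id": UNKNOWN_APP, "result": "error"},
    {"source": "endpoint", "type": "process_start", "user": "alice", "ts": T + timedelta(minutes=6),
     "parent": "explorer.exe", "process": "powershell.exe"},
    {"source": "email", "type": "oauth_link_click", "user": "bob", "ts": T + timedelta(hours=1)},
    {"source": "identity", "type": "signin", "user": "bob", "ts": T + timedelta(hours=1, minutes=1),
     "app_id": UNKNOWN_APP, "result": "error"},
    {"source": "identity", "type": "signin", "user": "carol", "ts": T,
     "app_id": "aaaaaaaa-0000-0000-0000-000000000001", "result": "success"},
    {"source": "endpoint", "type": "process_start", "user": "carol", "ts": T + timedelta(minutes=3),
     "parent": "explorer.exe", "process": "powershell.exe"},
]

if __name__ == "__main__":
    for chain in correlate(SAMPLE_EVENTS):
        print(chain["severity"].upper(), chain["user"], chain["app_id"])
```

Carol's PowerShell launch produces nothing on its own, which is the intended behaviour: without the email and identity context it is indistinguishable from routine administration, and an endpoint-only rule on that pattern would be noisy.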

The Identity Layer Is the New Battleground

The campaign underscores a broader reality in modern cybersecurity: attackers are no longer just exploiting software vulnerabilities. They are exploiting trust.

By manipulating legitimate authentication flows, adversaries are able to bypass domain reputation checks and traditional filtering controls. As cloud adoption deepens and identity becomes the perimeter, misconfigured OAuth applications present a growing risk.

For defenders, the message is clear. Security must extend beyond endpoints and networks into the logic of authentication frameworks themselves.

Ash K
Ashton is a seasoned Cybersecurity Professional with over 25 years of experience in Cybersecurity Research, Cybersecurity Incident response, Products and Security Solutions architecture.