Hackers Target Government Organizations Using OAuth Redirect Abuse
Microsoft has warned about a phishing campaign, aimed primarily at government and public-sector organizations, that abuses the redirect step of the OAuth 2.0 authorization flow. OAuth lets a user sign in to a website or application, or grant it access to an account, by authenticating with the identity provider instead of handing the application a password; once the provider has processed the request it sends the browser back to a redirect URI that the application registered in advance. In this campaign the attackers exploit that legitimate redirect to steer victims from the trusted sign-in domain to attacker-controlled websites that host malware.
The attack begins with phishing emails that impersonate trusted services, typically dressed up as routine notifications such as a Microsoft Teams meeting recording or a password reset alert. Each message carries a link to the identity provider's genuine OAuth authorization endpoint, but with parameters the attacker has deliberately crafted (for example an invalid scope) so that the request fails. Under OAuth 2.0 (RFC 6749, section 4.1.2.1) the authorization server refuses in place only when the client ID is unknown or the redirect URI is not one registered for that client; every other error is reported by redirecting the browser to the registered redirect URI with error parameters appended. Because the application in question was registered by the attacker, that redirect URI points to attacker-controlled infrastructure, so instead of seeing an error page the victim arrives on the attacker's site having started from a legitimate login domain.
Once redirected, the victim is encouraged to download files that look harmless, typically compressed archives containing Windows shortcut (.lnk) files or HTML-based loaders. When opened, these run commands on the victim's machine: scripts launch legitimate programs while quietly installing malicious code alongside them. The resulting malware then connects the compromised device to an attacker-operated command-and-control server.
Security researchers note that the OAuth login page itself is not used to harvest credentials in this campaign. The trusted authentication flow serves only to lend the lure legitimacy before the user is bounced to malicious infrastructure. Because the link the user clicks points at a genuine identity-provider domain, URL reputation checks in email gateways and browsers that judge only the initial hop can pass it, and the hand-off to the attacker's site happens after those checks have run.
Microsoft says it has detected and disabled malicious OAuth applications tied to the campaign, but similar attacks are expected to continue. Organizations are advised to monitor OAuth activity closely, in particular new application registrations, consent grants and the redirect URIs those applications declare; to strengthen email security defenses; and to train employees to recognize these lures. As attackers increasingly ride on trusted authentication flows, security teams must stay alert to identity-based techniques that slip past controls built around URL reputation alone.
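The redirect mechanism described in the walkthrough of the attack, and the link check that the monitoring advice calls for, as an added example that is not part of Microsoft's advisory or this article: a small Python model of how an OAuth 2.0 authorization server handles an authorize request with an invalid scope (RFC 6749, section 4.1.2.1), and a parser that pulls the redirect_uri out of an authorize link and flags it when the host is not on an allowlist. The client IDs, the hostnames (login.idp.example standing in for the provider's real authorization endpoint, recordings-teams.example.net as the attacker's registered redirect host), the app registry and the sample lure link are all constructed for illustration.

```python
"""Added example, not code from Microsoft or from the article.

Models RFC 6749 section 4.1.2.1 error delivery and a redirect_uri allowlist
check. All client IDs, hostnames, the registry and the lure link below are
constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Set
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed app registry: client_id -> registered redirect URIs and allowed scopes.
LEGIT_CLIENT = "11111111-aaaa-4bbb-8ccc-000000000001"
ATTACKER_CLIENT = "22222222-bbbb-4ccc-8ddd-000000000002"   # assumed attacker-registered app
APP_REGISTRY: Dict[str, Dict[str, Set[str]]] = {
    LEGIT_CLIENT: {
        "redirect_uris": {"https://app.corp.example/callback"},
        "scopes": {"openid", "profile", "User.Read"},
    },
    ATTACKER_CLIENT: {
        # The attacker registered their own infrastructure as the redirect target.
        "redirect_uris": {"https://recordings-teams.example.net/cb"},
        "scopes": {"openid"},
    },
}


@dataclass
class Response:
    status: int
    location: Optional[str] = None   # Location header for a 302
    body: str = ""


def _params(query: str) -> Dict[str, str]:
    """First value of each query parameter, percent-decoded."""
    return {k: v[0] for k, v in parse_qs(query).items()}


def authorize(query: str) -> Response:
    """Minimal model of an OAuth 2.0 authorization endpoint.

    Per RFC 6749 section 4.1.2.1 the server refuses in place only when the
    client_id is unknown or the redirect_uri is not registered for it. Any
    other error (unsupported response_type, invalid scope, ...) is reported
    by redirecting the user agent to the registered redirect_uri. That second
    rule is what the lure abuses: an invalid scope turns the trusted login
    domain into a hop to the attacker's registered redirect host.
    """
    q = _params(query)
    app = APP_REGISTRY.get(q.get("client_id", ""))
    redirect_uri = q.get("redirect_uri", "")
    if app is None or redirect_uri not in app["redirect_uris"]:
        # Safe failure: no redirect, the browser stays on the provider.
        return Response(400, body="invalid client_id or redirect_uri")

    result: Dict[str, str] = {}
    requested_scopes = set(q.get("scope", "").split())
    if q.get("response_type") != "code":
        result["error"] = "unsupported_response_type"
    elif not requested_scopes or not requested_scopes <= app["scopes"]:
        result["error"] = "invalid_scope"
    else:
        result["code"] = "AUTHCODE"     # placeholder authorization code
    if "state" in q:
        result["state"] = q["state"]    # state is echoed on success and on error
    return Response(302, location=f"{redirect_uri}?{urlencode(result)}")


# Constructed allowlist of redirect hosts belonging to apps the organisation uses.
TRUSTED_REDIRECT_HOSTS: Set[str] = {"app.corp.example"}


def inspect_authorize_link(url: str) -> Dict[str, object]:
    """Email-gateway style check: look past the trusted login host and judge
    the redirect_uri, which is where the browser actually lands on error."""
    parts = urlsplit(url)
    q = _params(parts.query)
    redirect_host = urlsplit(q.get("redirect_uri", "")).hostname or ""
    return {
        "login_host": parts.hostname,
        "client_id": q.get("client_id"),
        "redirect_host": redirect_host,
        "scope": q.get("scope"),
        "suspicious": redirect_host not in TRUSTED_REDIRECT_HOSTS,
    }


# Constructed lure: genuine-looking authorize URL with a scope the app cannot have.
LURE_LINK = (
    "https://login.idp.example/oauth2/v2.0/authorize"
    f"?client_id={ATTACKER_CLIENT}&response_type=code"
    "&redirect_uri=https%3A%2F%2Frecordings-teams.example.net%2Fcb"
    "&scope=openid%20bogus.scope&state=teams-recording"
)

if __name__ == "__main__":
    print(inspect_authorize_link(LURE_LINK))
    resp = authorize(urlsplit(LURE_LINK).query)
    print(resp.status, resp.location)
```

Run stand-alone, the script shows the two halves of the problem side by side: the link check reports the lure as suspicious because its redirect host is not on the allowlist, and the modelled authorization server answers the same request with a 302 to `https://recordings-teams.example.net/cb?error=invalid_scope&state=teams-recording`, exactly the hop the campaign relies on. An allowlist keyed on the organisation's own app registrations is the practical form of the "monitor OAuth activity" advice: any authorize link whose redirect_uri names a host you never registered is worth blocking or at least rewriting before it reaches an inbox.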