March 25, 2026

OAuth redirection abuse enables phishing and malware delivery

The article says attackers are abusing a legitimate OAuth redirect behavior to make phishing and malware links look trustworthy. Instead of breaking OAuth, they register malicious apps and send victims links that pass through real identity-provider domains such as Microsoft Entra ID or Google. By combining silent sign-in requests (prompt=none) with deliberately malformed parameters, they push the identity provider into an error flow that still redirects the browser to an attacker-controlled site. The user therefore sees a link that starts with a trusted login service but ends up on a phishing page or malicious landing page. Microsoft says it saw this activity aimed at government and public-sector organizations, and that the goal was usually redirection and deception rather than stealing OAuth tokens directly.
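The pattern described above (a link to a real identity-provider authorize endpoint, a silent sign-in request, and a redirect target the organization does not own) can be screened for when URLs are extracted from inbound mail. The following is an added example written for this summary, not code from the Microsoft post. It assumes a defender-maintained allow-list of legitimate redirect_uri hosts (constructed here as example.com names), uses the public authorize-endpoint hostnames for Microsoft Entra ID and Google, and treats a missing or unrecognized response_type as one heuristic for the "deliberately malformed parameters" the article mentions; the sample URLs are constructed.

```python
"""Screen OAuth authorization links for the redirect-abuse pattern.

Added example (not from the Microsoft post). Assumptions:
- IDP_AUTHORIZE_HOSTS: public authorize endpoints for Entra ID and Google.
- ALLOWED_REDIRECT_HOSTS: constructed allow-list of hosts the organization
  actually uses as OAuth redirect targets; replace with your own.
- A missing/unrecognized response_type is treated as a "malformed parameter"
  heuristic; real campaigns may use other parameters.
"""
from urllib.parse import parse_qs, urlsplit

IDP_AUTHORIZE_HOSTS = {"login.microsoftonline.com", "accounts.google.com"}
ALLOWED_REDIRECT_HOSTS = {"app.example.com", "sso.example.com"}  # constructed
VALID_RESPONSE_TYPES = {"code", "token", "id_token", "code id_token", "code token"}


def analyze_oauth_link(url, allowed_redirect_hosts=ALLOWED_REDIRECT_HOSTS):
    """Return a dict describing why a URL does or does not look like redirect abuse.

    Keys: is_oauth_authorize (bool), findings (list of str), suspicious (bool).
    A link is flagged only when the redirect target is outside the allow-list
    AND the request carries prompt=none or a malformed response_type, which is
    the combination the article describes.
    """
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if host not in IDP_AUTHORIZE_HOSTS or "authorize" not in parts.path:
        return {"is_oauth_authorize": False, "findings": [], "suspicious": False}

    q = parse_qs(parts.query, keep_blank_values=True)
    findings = []

    # Where will the browser land after the provider finishes (or errors)?
    redirect = q.get("redirect_uri", [""])[0]
    redirect_host = (urlsplit(redirect).hostname or "").lower()
    external_redirect = bool(redirect_host) and redirect_host not in allowed_redirect_hosts
    if external_redirect:
        findings.append(f"redirect_uri host outside allow-list: {redirect_host}")

    # Silent sign-in: no consent screen, so the user never gets a chance to stop.
    silent = q.get("prompt", [""])[0] == "none"
    if silent:
        findings.append("silent sign-in requested (prompt=none)")

    # Heuristic for deliberately broken requests that force the error flow.
    response_type = q.get("response_type", [""])[0]
    malformed = response_type not in VALID_RESPONSE_TYPES
    if malformed:
        findings.append(f"missing or unrecognized response_type: {response_type!r}")

    return {
        "is_oauth_authorize": True,
        "findings": findings,
        "suspicious": external_redirect and (silent or malformed),
    }


# Constructed sample links for a quick demonstration.
SAMPLE_LINKS = {
    "benign": (
        "https://login.microsoftonline.com/common/oauth2/v2.0/authorize"
        "?client_id=00000000-0000-0000-0000-000000000000&response_type=code"
        "&redirect_uri=https%3A%2F%2Fapp.example.com%2Fcallback&scope=openid"
    ),
    "abuse": (
        "https://login.microsoftonline.com/common/oauth2/v2.0/authorize"
        "?client_id=00000000-0000-0000-0000-000000000000&response_type=bogus"
        "&prompt=none&redirect_uri=https%3A%2F%2Flanding.attacker.example.net%2F"
    ),
    "not_oauth": "https://www.example.com/docs/authorize-guide",
}


def scan_samples(links=SAMPLE_LINKS):
    """Return {label: suspicious_bool} for each sample link."""
    return {label: analyze_oauth_link(u)["suspicious"] for label, u in links.items()}


if __name__ == "__main__":
    for label, url in SAMPLE_LINKS.items():
        result = analyze_oauth_link(url)
        print(label, result["suspicious"], result["findings"])
```

The allow-list is the part that does the real work: prompt=none and odd parameters appear in legitimate traffic too, so the check only fires when the redirect target is a host the organization does not recognize. In practice the allow-list can be populated from the redirect URIs registered on the tenant's own app registrations.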

The article also says some of these campaigns went beyond phishing and tried to deliver malware after the redirect. In one observed chain, the victim was sent to a download page that automatically delivered a ZIP file containing a malicious LNK shortcut and other payload components; opening it triggered PowerShell, then DLL side-loading, and finally a connection to attacker infrastructure. Microsoft says it disabled the malicious OAuth apps it found, but warns that similar abuse is still possible, so organizations should tightly control OAuth app consent, review and remove unnecessary or overprivileged apps, and combine identity, email, and endpoint monitoring to catch the full attack chain. The main message is that attackers are increasingly abusing trusted protocol behavior and normal identity flows, not just exploiting software bugs.

Source: https://www.microsoft.com/en-us/security/blog/2026/03/02/oauth-redirection-abuse-enables-phishing-malware-delivery/
