How OAuth Link Tricks Are Fooling Security Checks
Cybercriminals are now abusing the OAuth sign-in flow to hide malicious links behind what look like safe, legitimate sites. The method makes phishing attempts harder for both users and security tools to spot, because attackers turn a standard OAuth feature, the redirect back to the application after sign-in, into a delivery mechanism for scams.
How the Attack Works
The attack begins with a phishing email that looks convincing. These emails often pretend to be about e-signatures, HR notices, Microsoft Teams meetings, or password resets. The links embedded in these emails, or even inside attached PDFs, point to real OAuth login pages but are crafted with manipulated parameters.
These links carry specific parameter values such as “prompt=none,” which asks the authorization server to complete the request silently, without showing a login screen or any other interaction. They also carry invalid scope parameters. When the server receives such a request it cannot fulfil it, and it delivers the resulting error the way the protocol prescribes: by redirecting the browser to the redirect URL named in the link, which the attacker controls. The user experiences a seamless hop from a genuine identity-provider domain to a malicious site.
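The pattern just described can be checked for on the defensive side before a link is ever clicked. The following is an added example (not code from the original article or from any vendor) that parses an OAuth authorization URL and flags the combination of a silent request, an unrecognised scope, and a redirect target outside an allowlist; the trusted hosts, accepted scopes, identity-provider domain and sample links are all constructed for the example.

```python
from urllib.parse import urlparse, parse_qs

# Constructed allowlists: redirect hosts this tenant has actually registered,
# and scope tokens a legitimate sign-in link from our apps would request.
TRUSTED_REDIRECT_HOSTS = {"app.example-corp.com", "login.example-corp.com"}
KNOWN_SCOPES = {"openid", "profile", "email", "offline_access", "User.Read"}


def analyze_oauth_link(url):
    """Return a list of warnings for an OAuth authorization URL.

    Flags the chain the article describes: a silent request (prompt=none)
    carrying a scope the provider will reject, whose error response is
    delivered by redirecting the browser to the link's redirect_uri.
    """
    parsed = urlparse(url)
    if "/authorize" not in parsed.path:
        return []  # not an authorization endpoint; nothing to assess here
    q = parse_qs(parsed.query)
    warnings = []

    prompt = q.get("prompt", [""])[0]
    if prompt == "none":
        warnings.append("silent authentication requested (prompt=none)")

    scopes = set(q.get("scope", [""])[0].split())
    unknown = scopes - KNOWN_SCOPES
    if unknown:
        warnings.append("unrecognised scope(s): " + ", ".join(sorted(unknown)))

    redirect = q.get("redirect_uri", [""])[0]
    host = urlparse(redirect).hostname or ""
    off_allowlist = bool(redirect) and host not in TRUSTED_REDIRECT_HOSTS
    if off_allowlist:
        warnings.append(f"redirect_uri points off-allowlist: {host}")

    # The dangerous case is the combination: a request built to fail silently
    # whose failure lands the user on a host we do not recognise.
    if prompt == "none" and unknown and off_allowlist:
        warnings.append("HIGH: silent-failure redirect chain to untrusted host")
    return warnings


# Constructed sample links. The identity-provider domain is a placeholder.
SUSPICIOUS_LINK = (
    "https://login.example-idp.test/common/oauth2/v2.0/authorize?"
    "client_id=00000000-0000-0000-0000-000000000000&response_type=code"
    "&prompt=none&scope=openid%20not.a.real.scope"
    "&redirect_uri=https%3A%2F%2Fattacker-landing.test%2Fcb"
)
BENIGN_LINK = (
    "https://login.example-idp.test/common/oauth2/v2.0/authorize?"
    "client_id=00000000-0000-0000-0000-000000000000&response_type=code"
    "&prompt=select_account&scope=openid%20profile"
    "&redirect_uri=https%3A%2F%2Fapp.example-corp.com%2Fcb"
)
```

Running `analyze_oauth_link` over every URL extracted from an inbound message (including links inside attached PDFs) gives a mail-filtering or SOC pipeline a signal that the domain of the link alone never provides.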
Why This Is So Dangerous
This technique is a game-changer because it rides on a standard feature of OAuth, so the redirects appear trustworthy. The browser, the identity provider, and the redirect process all behave exactly as the standard says they should; the attacker only manipulates the request parameters so that the well-behaved flow sends users to a malicious destination.
One example detailed by Microsoft involved a redirect that led to a ZIP file containing a malicious shortcut. When opened, the shortcut ran a PowerShell script that performed reconnaissance on the device and connected to an attacker-controlled server, activity that resembles the early stages of a ransomware intrusion.
Other campaigns used adversary-in-the-middle ("middleman") phishing frameworks to steal credentials and session cookies. These setups harvest login data while the victim sees nothing out of the ordinary, which makes the attack difficult to notice.
What Security Teams Are Doing
Microsoft has responded by disabling several malicious OAuth applications linked to these campaigns. The attacks are ongoing, however, and organizations need to stay vigilant. Security experts advise that checking links in isolation is no longer enough.
Instead, the key is understanding that context matters more than the URL itself. Recognizing suspicious activity, unusual redirects, or unexpected file types at the end of a sign-in flow can help spot these attacks early. Continuous monitoring and detection tools that look at the whole chain of events, not just the first link, are essential to catch these tactics.
Overall, this shift in attack methods shows how adaptable attackers have become. They turn trusted processes against us, so awareness and cautious behavior are more important than ever.