OAuth redirection abuse enables phishing and malware delivery

Microsoft has discovered phishing campaigns exploiting OAuth's redirection mechanisms to bypass conventional defenses. Attackers create malicious applications with redirect URIs pointing to malicious domains, then distribute phishing links prompting targets to authenticate. The attack abuses OAuth's error handling to redirect users from trusted providers to attacker-controlled sites for phishing or malware delivery. Campaigns targeted government and public sectors using e-signature, financial, and political lures. Some attacks led to malware downloads and endpoint compromise via PowerShell and DLL side-loading. Mitigation involves governing OAuth apps, limiting user consent, reviewing permissions, and implementing cross-domain detection across email, identity, and endpoint.

Pulse ID: 69a607fdcc012dd2b4b2852d
Pulse Link: https://otx.alienvault.com/pulse/69a607fdcc012dd2b4b2852d
Pulse Author: AlienVault
Created: 2026-03-02 21:58:21

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#CyberSecurity #Email #Endpoint #Government #InfoSec #Malware #Microsoft #OTX #OpenThreatExchange #Phishing #PowerShell #Rust #SMS #Troll #bot #AlienVault