👤 LOGICFALCON
🗓️ 04 Mar 2026  

Shadow Redirects: Hackers Exploit OAuth Loophole to Sneak Past Microsoft Defenses

A new breed of phishing attack hijacks trusted authentication flows, sidestepping traditional security measures and targeting public-sector organizations.

When logging into your work account, you trust the process: click a link, sign in, and you’re safe. But what if the very mechanism designed to protect you becomes the weapon? Microsoft’s latest warning exposes a cunning phishing campaign where cybercriminals twist the rules of OAuth - an industry-standard authentication protocol - to silently slip victims into their traps, bypassing both email filters and wary eyes.

The Anatomy of a Stealth Phishing Attack

This new attack, revealed by Microsoft, doesn’t rely on exploiting software bugs or stealing passwords outright. Instead, threat actors create malicious applications within their own cloud environment and carefully configure OAuth’s redirect URIs to point victims to their own infrastructure. The initial phishing email - disguised as a legitimate e-signature request or urgent meeting invite - contains a link that launches an OAuth authorization flow.

Here’s where the trickery unfolds: attackers manipulate the flow with parameters like prompt=none and an intentionally invalid scope=invalid. This causes the identity provider (like Microsoft Entra ID) to silently throw an error and automatically redirect the user - no pop-ups, no warnings. Because the redirect originates from a trusted provider, the link passes undetected through most security systems and appears safe to the recipient.

The attackers further boost credibility by passing the victim’s email address in the OAuth state parameter, cleverly encoded. When the victim lands on the phishing site, their email is already filled in, reinforcing the illusion of legitimacy. From here, the attack splits: sometimes the target is tricked into entering their credentials (which are harvested by attacker-in-the-middle toolkits like EvilProxy), while in other cases, a malicious ZIP file is downloaded, unleashing malware via shortcut files and DLL side-loading. This grants the attackers remote access and control over the compromised system.

Why Traditional Defenses Fail - and What to Do

Because the attack abuses standard protocol behaviors - explicitly allowed by OAuth specifications - it’s invisible to many conventional defenses. Microsoft stresses that the solution isn’t patching software, but enforcing tighter application governance, monitoring for suspicious OAuth parameters, and correlating email, identity, and endpoint activity with advanced detection tools.

Organizations are urged to limit user consent for third-party apps, audit existing applications for excessive permissions, and deploy behavioral analytics to catch malicious PowerShell and DLL activity. Security teams should hunt for telltale signs like prompt=none, scope=invalid in URLs, and unexpected downloads triggered by OAuth error redirects.
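As an added example that is not part of the original article, the following Python script implements the hunting described above over constructed sample gateway log lines: it flags authorization URLs carrying prompt=none or scope=invalid and checks whether the state parameter carries a plain or base64-encoded email address. The log line format, the field names and the sample hostnames are assumptions.

```python
import base64
import re
from urllib.parse import parse_qs, urlparse

# Constructed sample web-proxy log lines (not real telemetry). The first line
# mirrors the described abuse pattern; the second is a benign sign-in.
SAMPLE_LOGS = [
    "2026-03-04T09:12:01Z user=alice@example.org url=https://login.microsoftonline.com/common/oauth2/v2.0/authorize?client_id=11111111-2222-3333-4444-555555555555&response_type=code&redirect_uri=https%3A%2F%2Fesign-docs.attacker-example.test%2Fcb&scope=invalid&prompt=none&state=YWxpY2VAZXhhbXBsZS5vcmc%3D",
    "2026-03-04T09:15:44Z user=bob@example.org url=https://login.microsoftonline.com/common/oauth2/v2.0/authorize?client_id=22222222-3333-4444-5555-666666666666&response_type=code&redirect_uri=https%3A%2F%2Fapp.example.org%2Fcb&scope=openid%20profile&prompt=select_account&state=abc123",
]

EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")
URL_RE = re.compile(r"url=(\S+)")
USER_RE = re.compile(r"user=(\S+)")


def _try_base64(value: str):
    """Decode a possibly unpadded base64/base64url value; None if not text."""
    padded = value + "=" * (-len(value) % 4)
    for decoder in (base64.b64decode, base64.urlsafe_b64decode):
        try:
            return decoder(padded).decode("utf-8")
        except Exception:
            continue
    return None


def analyze_authorize_url(url: str) -> dict:
    """Return the suspicious OAuth indicators found in one authorization URL."""
    parsed = urlparse(url)
    params = {k: v[0] for k, v in parse_qs(parsed.query).items()}
    indicators = []
    if parsed.path.endswith("/authorize"):
        if params.get("prompt") == "none":
            indicators.append("prompt=none")  # silent flow, no consent screen shown
        if params.get("scope", "").strip().lower() == "invalid":
            indicators.append("scope=invalid")  # forces an immediate error redirect
        state = params.get("state", "")
        decoded = _try_base64(state) if state else None
        if EMAIL_RE.search(state) or (decoded and EMAIL_RE.search(decoded)):
            indicators.append("email-in-state")  # victim address smuggled to the landing page
    return {"indicators": indicators, "redirect_uri": params.get("redirect_uri", "")}


def hunt_oauth_redirect_abuse(log_lines) -> list:
    """Scan log lines and return findings for URLs with at least one indicator."""
    findings = []
    for line in log_lines:
        match = URL_RE.search(line)
        if not match:
            continue
        result = analyze_authorize_url(match.group(1))
        if result["indicators"]:
            user = USER_RE.search(line)
            result["user"] = user.group(1) if user else None
            findings.append(result)
    return findings
```

In production the redirect_uri host from each finding is the value to pivot on: one tenant's users being sent to a host that is not an approved application is the signal, whatever the error text says.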

Conclusion

This campaign is a stark reminder: when attackers play by the rules, the rules themselves become a battleground. As identity-based threats grow more cunning, vigilance and protocol-level scrutiny are the new front lines. The trusted pathways of authentication, once considered safe, can be weaponized - leaving organizations to rethink not just what they defend, but how they defend it.

WIKICROOK

  • OAuth 2.0: OAuth 2.0 is an open standard that lets users grant apps access to their data on other services securely, without sharing their passwords.
  • Redirect URI: A redirect URI is the destination web address for users after authentication in OAuth, crucial for secure authorization and preventing redirect attacks.
  • DLL Side-loading: DLL side-loading is a technique where attackers trick programs into loading malicious DLL files, bypassing security and gaining unauthorized access or control.
  • State Parameter: State parameter is a unique value in OAuth flows to prevent CSRF attacks and ensure request integrity, but must be validated to avoid misuse.
  • Command: A command is an instruction sent to a device or software, often by a C2 server, directing it to perform specific actions, sometimes for malicious purposes.

LOGICFALCON, Log Intelligence Investigator