Wednesday, July 1, 2026

Microsoft Flags New OAuth-Based Phishing Attack Targeting Public Sector


A new phishing campaign has been discovered that abuses a standard feature of the OAuth login flow. Microsoft Defender researchers say attackers are using OAuth's normal redirection behaviour to send users to malicious websites. Unlike traditional phishing that tries to steal passwords or tokens directly, this method does not need the sign-in to succeed: the link deliberately triggers an error, and the identity provider's standard error handling then redirects the victim's browser to a redirect URI the attacker controls.

The campaign mainly targets government and public-sector organisations. Because the link itself points at the identity provider's own trusted domain, reputation-based filters that judge a link by the domain it points to often fail to detect the attack.

New OAuth Phishing Attack Uses Redirect Trick

This new OAuth phishing attack abuses the error-handling process that the OAuth 2.0 standard defines. Attackers first register an application in a cloud tenant they control. They then set that application's redirect URI to a domain they own.

Phishing emails carry specially crafted OAuth authorisation links. The links point at the Microsoft Entra ID login endpoint but include parameters chosen to make the request fail validation. For example, the attacker requests a permission (scope) that does not exist, so the authorisation attempt is rejected.

Because the application and its redirect URI are legitimately registered, the identity provider handles the failure the way the OAuth standard requires: it sends the browser to the registered redirect URI, with the error details carried in the request. Nothing in that exchange is malformed, so many email and browser security systems that trust the identity provider's domain let the redirect through.
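To make the mechanism concrete, the following is an added example written for this page (not Microsoft's detection logic or code from the campaign). It parses an Entra ID authorize link, shows how the OAuth 2.0 error path delivers the victim to the registered redirect URI, and flags the traits a defender can check: a redirect host outside an allow-list, an unsanctioned client ID, scope values that cannot validate, and a target address encoded into a parameter. The allow-lists, client IDs, domains and sample links are hypothetical values constructed for the demonstration, and the redirect simulation models the RFC 6749 error response rather than Entra ID's exact wording.

```python
"""Added illustration: parse Entra ID authorize links and spot the error-redirect lure.

Example code written for this page, not Microsoft's detection logic. The allow-lists,
client IDs and domains below are assumptions a SOC would replace with its own data.
"""
import base64
import binascii
import re
from urllib.parse import parse_qs, urlencode, urlsplit, urlunsplit

# Assumed organisation-specific allow-lists (hypothetical values, not from the article).
TRUSTED_REDIRECT_HOSTS = {"login.contoso.example", "app.contoso.example"}
KNOWN_CLIENT_IDS = {"11111111-1111-1111-1111-111111111111"}  # sanctioned app registrations
IDP_HOSTS = {"login.microsoftonline.com", "login.microsoft.com"}

# Well-known OIDC scopes plus the resource/permission shape used by Graph and custom APIs.
OIDC_SCOPES = {"openid", "profile", "email", "offline_access"}
RESOURCE_SCOPE = re.compile(r"^(https?://[\w.-]+|api://[\w.-]+)/[\w.]+$")
EMAIL = re.compile(r"[^@\s]+@[^@\s]+\.[^@\s]+")


def parse_authorize_url(url):
    """Split an authorize URL into its components and a flat dict of query parameters."""
    parts = urlsplit(url)
    query = {k: v[0] for k, v in parse_qs(parts.query, keep_blank_values=True).items()}
    return parts, query


def bad_scopes(scope):
    """Scope values that match neither an OIDC scope nor the resource/permission form."""
    return [s for s in scope.split() if s not in OIDC_SCOPES and not RESOURCE_SCOPE.match(s)]


def decode_email_hint(value):
    """Return the address if value is a base64 (standard or URL-safe) encoded email, else None."""
    if not value:
        return None
    padded = value + "=" * (-len(value) % 4)
    for decoder in (base64.b64decode, base64.urlsafe_b64decode):
        try:
            text = decoder(padded).decode("ascii")
        except (binascii.Error, UnicodeDecodeError, ValueError):
            continue
        if EMAIL.fullmatch(text):
            return text
    return None


def simulate_error_redirect(url):
    """Model the OAuth 2.0 error path (RFC 6749 section 4.1.2.1): a request with a bad scope
    but a registered redirect_uri is answered with a redirect to that URI carrying error=...
    and the caller's state. This models the spec, not Entra ID's exact response text."""
    _, query = parse_authorize_url(url)
    bad = bad_scopes(query.get("scope", ""))
    if not bad:
        return None
    err = {"error": "invalid_scope", "error_description": "unknown scope " + bad[0]}
    if "state" in query:
        err["state"] = query["state"]
    r = urlsplit(query["redirect_uri"])
    return urlunsplit((r.scheme, r.netloc, r.path, urlencode(err), r.fragment))


def classify(url):
    """Findings for an authorize link seen in mail or proxy logs; empty list means nothing odd."""
    parts, query = parse_authorize_url(url)
    findings = []
    if parts.netloc not in IDP_HOSTS or "/oauth2/" not in parts.path:
        return findings  # not an Entra authorize link, so this rule does not apply
    redirect = urlsplit(query.get("redirect_uri", ""))
    if redirect.hostname and redirect.hostname not in TRUSTED_REDIRECT_HOSTS:
        findings.append("redirect_uri host not trusted: " + redirect.hostname)
    if query.get("client_id") not in KNOWN_CLIENT_IDS:
        findings.append("client_id is not a sanctioned app: " + str(query.get("client_id")))
    bad = bad_scopes(query.get("scope", ""))
    if bad:
        findings.append("scope values that will fail validation: " + ", ".join(bad))
    for key in ("login_hint", "state"):
        email = decode_email_hint(query.get(key))
        if email:
            findings.append(key + " carries an encoded target address: " + email)
    return findings


# Constructed sample links for the demonstration (not real campaign indicators).
LURE_URL = (
    "https://login.microsoftonline.com/common/oauth2/v2.0/authorize"
    "?client_id=9f4c2a7e-0000-4000-8000-000000000abc&response_type=code"
    "&redirect_uri=https%3A%2F%2Fdocs-review.example%2Fcb"
    "&scope=openid%20not.a.real.permission"
    "&state=" + base64.urlsafe_b64encode(b"victim@agency.example").decode().rstrip("=")
)
BENIGN_URL = (
    "https://login.microsoftonline.com/common/oauth2/v2.0/authorize"
    "?client_id=11111111-1111-1111-1111-111111111111&response_type=code"
    "&redirect_uri=https%3A%2F%2Fapp.contoso.example%2Fcallback"
    "&scope=openid%20profile%20https%3A%2F%2Fgraph.microsoft.com%2FUser.Read"
)

if __name__ == "__main__":
    for name, link in (("lure", LURE_URL), ("benign", BENIGN_URL)):
        print(name, classify(link), "->", simulate_error_redirect(link))
```

The point the simulation makes is that the lure never leaves the identity provider's domain until the provider itself issues the redirect, which is why a rule keyed on the clicked link's domain sees nothing wrong. The useful signals are the redirect_uri host, the client_id and the scope string inside the query, so a mail gateway or proxy rule should decode and inspect those parameters rather than trusting the host alone.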

Five-Stage Phishing Attack Chain Explained

Researchers say the campaign follows a five-stage attack chain. First, attackers send phishing emails themed around e-signatures, financial documents or meeting invites, using automated tooling to send them in bulk.

Second, clicking the link starts an OAuth authorisation request that completes without any visible prompt. The link may also carry the victim's email address in encoded form.

Third, the authorisation request fails, and the identity provider redirects the browser to the attacker's website. Fourth, the victim lands on a phishing page or is prompted to download a malicious ZIP file.

Finally, if the download is opened, the malware runs PowerShell commands, collects system information and connects to attacker-controlled servers.
