OAuth Redirect Abuse Bypasses Defenses, Powers New Phishing Campaigns
Microsoft researchers discovered that threat actors are weaponizing OAuth's redirect_uri parameter to create phishing links that appear to come from trusted cloud services. By registering or compromising legitimate client IDs and then swapping the redirect endpoint for a malicious domain, the attackers can deliver payloads after the user authorizes the app, all while evading URL filtering and typical phishing detectors that focus on brand-spoofed domains.
The abuse enables attackers to harvest valid access tokens and deliver ransomware, credential stealers, or other malware without triggering alerts that look for suspicious OAuth scopes or unknown client apps. Defenders must tighten OAuth governance: enforce strict redirect URI whitelists, monitor for sudden changes in app registrations, and deploy behavioral analytics that flag abnormal consent flows or token issuance to unknown endpoints. Ignoring these controls leaves organizations exposed to credential theft and downstream compromise despite existing anti-phishing measures.
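The two controls above that are easiest to reduce to code are the strict redirect URI whitelist and the review of app-registration changes. The following Python is an added illustration, not code from Microsoft or from the article being summarized: it contrasts a loose origin-prefix check with an exact-match check on a normalized URI, and then scans constructed app-registration audit events for newly added redirect URIs whose host lies outside the organization's domains. The registered URI, the organization domain list, the event format and all hostnames are assumptions made for the example.

```python
"""Strict redirect_uri matching and registration-change review.

Added illustration only; the authorization-server model is simplified and
every URI, domain and audit event below is constructed sample data.
"""
from urllib.parse import urlsplit

# Constructed: the redirect URI a legitimate client registered.
REGISTERED = ["https://app.example.com/oauth/callback"]

# Constructed: domains the organization owns; anything else is "unknown".
ORG_DOMAINS = {"example.com"}


def _normalize(uri):
    """Return a comparable (scheme, host, port, path, query) tuple, or None
    if the URI must never be accepted as a redirect target.

    Scheme and host compare case-insensitively (RFC 3986); path and query
    compare byte-for-byte, so no wildcard or prefix logic can creep in.
    """
    parts = urlsplit(uri)
    if parts.scheme.lower() != "https":      # plaintext would expose the code
        return None
    if parts.fragment:                       # RFC 6749 3.1.2: no fragments
        return None
    if parts.username is not None or parts.password is not None:
        return None                          # userinfo tricks naive parsers
    if not parts.hostname:
        return None
    try:
        port = parts.port
    except ValueError:                       # malformed port component
        return None
    return ("https", parts.hostname.lower(), port, parts.path or "/", parts.query)


def redirect_uri_allowed(requested, registered=REGISTERED):
    """Exact-match whitelist: the request must equal a registered URI after
    normalization. This is the strict check the summary calls for."""
    wanted = _normalize(requested)
    if wanted is None:
        return False
    return any(_normalize(r) == wanted for r in registered)


def loose_prefix_allowed(requested, registered=REGISTERED):
    """The weak pattern to avoid: accept anything that starts with a
    registered origin. A look-alike host that merely begins with the
    registered hostname passes this test."""
    origins = []
    for r in registered:
        p = urlsplit(r)
        origins.append(f"{p.scheme}://{p.netloc}")
    return any(requested.startswith(o) for o in origins)


def _in_org(host, org_domains):
    return any(host == d or host.endswith("." + d) for d in org_domains)


# Constructed audit events: successive updates to one app registration.
EVENTS = [
    {"app_id": "app-1", "actor": "alice@example.com",
     "redirect_uris": ["https://app.example.com/oauth/callback"]},
    {"app_id": "app-1", "actor": "alice@example.com",
     "redirect_uris": ["https://app.example.com/oauth/callback",
                       "https://login-example.evil.test/cb"]},
]


def flag_redirect_changes(events, org_domains=ORG_DOMAINS):
    """Return (app_id, uri) pairs for every redirect URI that an update
    newly added and whose host is outside the organization's domains.
    This is the registration-change monitoring control in code form."""
    seen = {}
    findings = []
    for ev in events:
        previous = seen.get(ev["app_id"], set())
        for uri in ev["redirect_uris"]:
            if uri in previous:
                continue                     # unchanged entry, nothing new
            host = (urlsplit(uri).hostname or "").lower()
            if not _in_org(host, org_domains):
                findings.append((ev["app_id"], uri))
        seen[ev["app_id"]] = set(ev["redirect_uris"])
    return findings


if __name__ == "__main__":
    lookalike = "https://app.example.com.evil.test/oauth/callback"
    print("loose check accepts look-alike:", loose_prefix_allowed(lookalike))
    print("strict check accepts look-alike:", redirect_uri_allowed(lookalike))
    print("flagged registration changes:", flag_redirect_changes(EVENTS))
```

The strict check deliberately refuses to match on prefix, substring or wildcard: a registered origin string is only ever compared to a fully normalized URI, so a host that merely begins with the legitimate hostname, a fragment appended to the callback, or a downgrade to http all fail closed. The change review keeps per-app state so that only newly introduced URIs are reported, which keeps the alert volume proportional to actual registration edits rather than to the total number of apps.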
Categories: Vulnerabilities & Exploits, Identity & Access Management, Threat Intelligence