{"id":60249,"date":"2026-03-02T19:29:53","date_gmt":"2026-03-02T19:29:53","guid":{"rendered":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/?p=145415"},"modified":"2026-03-02T19:29:53","modified_gmt":"2026-03-02T19:29:53","slug":"oauth-redirection-abuse-enables-phishing-and-malware-delivery","status":"publish","type":"post","link":"https:\/\/www.threatshub.org\/blog\/oauth-redirection-abuse-enables-phishing-and-malware-delivery\/","title":{"rendered":"OAuth redirection abuse enables phishing and malware delivery"},"content":{"rendered":"<p class=\"wp-block-paragraph\"><em>Microsoft observed phishing-led exploitation of OAuth\u2019s by-design redirection mechanisms. The activity targets government and public-sector organizations and uses silent OAuth authentication flows and intentionally invalid scopes to redirect victims to attacker-controlled infrastructure without stealing tokens. Microsoft Defender flagged malicious activity across email, identity, and endpoint signals. Microsoft Entra disabled the observed OAuth applications; however, related OAuth activity persists and requires ongoing monitoring.<\/em><\/p>\n<hr class=\"wp-block-separator has-alpha-channel-opacity\">\n<p class=\"wp-block-paragraph\">Microsoft Defender researchers uncovered phishing campaigns that exploit legitimate OAuth protocol functionality to manipulate URL redirection and bypass conventional phishing defenses across email and browsers. During the investigation, several malicious OAuth applications were identified and removed to mitigate the threat.<\/p>\n<p class=\"wp-block-paragraph\">OAuth includes a legitimate feature that allows identity providers to redirect users to a specific landing page under certain conditions, typically in error scenarios or other defined flows. 
Attackers can abuse this native functionality by crafting URLs with popular identity providers, such as Entra ID or Google Workspace, that use manipulated parameters or associated malicious applications to redirect users to attacker-controlled landing pages. This technique enables the creation of URLs that appear benign but ultimately lead to malicious destinations.<\/p>\n<h2 class=\"wp-block-heading\" id=\"technical-details\">Technical details<\/h2>\n<p class=\"wp-block-paragraph\">The attack begins with the creation of a malicious application in an actor-controlled tenant, configured with a redirect URI pointing to a malicious domain hosting malware. The attacker then distributes a phishing link prompting the target to authenticate to the malicious application.<\/p>\n<p class=\"wp-block-paragraph\">Although the mechanics behind OAuth redirection abuse can be subtle, the operational use is straightforward. Threat actors embed crafted OAuth URLs into common phishing lures, relying on user familiarity with legitimate authentication flows to encourage interaction. To clarify the sequence, the attack is broken down into stages below, starting with delivery and the initial user interaction that triggers the redirection chain.<\/p>\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2026\/02\/image-44.webp\" alt class=\"wp-image-145416 webp-format\" srcset data-orig-src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2026\/02\/image-44.webp\"><\/figure>\n<h3 class=\"wp-block-heading\" id=\"stage-1-email-delivery\">Stage 1: Email delivery<\/h3>\n<p class=\"wp-block-paragraph\">Several threat actors distributed phishing campaigns containing OAuth redirect URLs. The emails used e-signature requests, social security, financial, and political themes to entice recipients to engage and click the link. 
Indicators suggest these actors used free prebuilt mass-sending tools as well as custom solutions developed in Python and Node.js. In some cases, cloud email services and cloud-hosted virtual machines were used to distribute the messages.<\/p>\n<p class=\"wp-block-paragraph\">Most URLs were embedded directly in the email body, but some actors placed the URL and accompanying lure inside a PDF attachment and sent the email with no body content. After the OAuth redirect, some campaigns routed users directly to a phishing page, while others introduced additional verification steps designed to bypass security controls.<\/p>\n<p class=\"wp-block-paragraph\">We observed misuse of OAuth redirects in both phishing and malware distribution campaigns. To increase credibility, actors passed the target email address through the <code>state<\/code> parameter using various encoding techniques, allowing it to be automatically populated on the phishing page. The <code>state<\/code> parameter is intended to be randomly generated and used to correlate request and response values, but in these cases it was repurposed to carry encoded email addresses. Observed encoding methods included:<\/p>\n<ul class=\"wp-block-list\">\n<li class=\"wp-block-list-item\">Plaintext<\/li>\n<li class=\"wp-block-list-item\">Hex string<\/li>\n<li class=\"wp-block-list-item\">Base64<\/li>\n<li class=\"wp-block-list-item\">Custom decoder schemes, for example mapping 11 = a, 12 = b<\/li>\n<\/ul>\n<p class=\"wp-block-paragraph\">Once redirected away from the OAuth authentication page, users were typically sent to phishing frameworks such as EvilProxy, among others. These platforms function as attacker-in-the-middle toolkits designed to intercept credentials and session cookies. They often rely on proxy-based login interception and additional obfuscation layers such as CAPTCHA challenges or interstitial pages. 
At this stage, the attack resembles a conventional phishing attempt, with the added advantage of being delivered through a trusted OAuth identity provider redirect.<\/p>\n<p class=\"wp-block-paragraph\">Several samples also included fake calendar invite (.ics) attachments or meeting-related messaging to reinforce legitimacy and encourage interaction. By combining trusted authentication URLs with collaboration-themed lures, attackers increased the likelihood of user engagement.<\/p>\n<h3 class=\"wp-block-heading\" id=\"lure-examples\">Lure examples<\/h3>\n<p class=\"wp-block-paragraph\">Examples of email lures observed in the phishing\/malware campaign and related social engineering themes: <\/p>\n<p class=\"wp-block-paragraph\"><strong>Document sharing and review<\/strong><\/p>\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2026\/02\/image-45.webp\" alt class=\"wp-image-145417 webp-format\" srcset data-orig-src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2026\/02\/image-45.webp\"><\/figure>\n<p class=\"wp-block-paragraph\"><strong>Social Security<\/strong><\/p>\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2026\/02\/image-46.webp\" alt class=\"wp-image-145418 webp-format\" srcset data-orig-src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2026\/02\/image-46.webp\"><\/figure>\n<p class=\"wp-block-paragraph\"><strong>Teams meeting<\/strong><\/p>\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2026\/02\/image-47.webp\" alt class=\"wp-image-145419 webp-format\" srcset data-orig-src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2026\/02\/image-47.webp\"><\/figure>\n<p 
class=\"wp-block-paragraph\"><strong>Password reset<\/strong><\/p>\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2026\/03\/image.webp\" alt class=\"wp-image-145431 webp-format\" srcset data-orig-src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2026\/03\/image.webp\"><\/figure>\n<p class=\"wp-block-paragraph\"><strong>Employee report lure<\/strong><\/p>\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2026\/02\/image-49.webp\" alt class=\"wp-image-145421 webp-format\" srcset data-orig-src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2026\/02\/image-49.webp\"><\/figure>\n<h3 class=\"wp-block-heading\" id=\"stage-2-silent-oauth-probe\">Stage 2: Silent OAuth Probe<\/h3>\n<p class=\"wp-block-paragraph\">All of the lures described earlier share a common technique: abuse of OAuth redirection behavior. Attackers sent victims phishing links that, when clicked, triggered an OAuth authorization flow through a combination of crafted parameters. In this section, we outline patterns observed across Microsoft and Google OAuth providers. 
However, this redirection technique is not limited to those platforms and can be abused with other OAuth-compliant services.<\/p>\n<p class=\"wp-block-paragraph\"><strong>Microsoft Entra ID and Google examples<\/strong><\/p>\n<figure class=\"wp-block-table\">\n<table class=\"has-fixed-layout\">\n<tbody readability=\"6\">\n<tr readability=\"5\">\n<td><code>https:\/\/login.microsoftonline.com\/common\/oauth2\/v2.0\/authorize<br \/>?client_id=&lt;app_id&gt;<br \/>&amp;response_type=code<br \/>&amp;scope=&lt;invalid_scope&gt;<br \/>&amp;prompt=none<br \/>&amp;state=&lt;value&gt;<\/code><\/td>\n<td>Error is triggered due to the invalid scope<\/td>\n<\/tr>\n<tr readability=\"7\">\n<td><code>https:\/\/accounts.google.com\/o\/oauth2\/v2\/auth<br \/>?prompt=none<br \/>&amp;auto_signin=True<br \/>&amp;access_type=online<br \/>&amp;state=&lt;email&gt;<br \/>&amp;redirect_uri=&lt;phishing_url&gt;<br \/>&amp;response_type=code<br \/>&amp;client_id=&lt;app_id&gt;.apps.googleusercontent.com<br \/>&amp;scope=openid+https:\/\/www.googleapis.com\/auth\/userinfo.email<\/code><\/td>\n<td>Error is triggered because an interactive login is required, but prompt=none prevents that prompt from being shown<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/figure>\n<hr class=\"wp-block-separator has-alpha-channel-opacity\">\n<p class=\"wp-block-paragraph\">Looking in detail at the URL crafted for Entra ID: at first glance it looks like a standard OAuth authorization request, but several parameters are intentionally misused. 
This example targets all tenants; attackers do not need to target all tenants in their URLs.<\/p>\n<figure class=\"wp-block-table\">\n<table class=\"has-fixed-layout\">\n<tbody readability=\"1.5\">\n<tr>\n<td><strong>Parameter<\/strong><\/td>\n<td><strong>Purpose<\/strong><\/td>\n<td><strong>Why attackers used it<\/strong><\/td>\n<\/tr>\n<tr>\n<td>\/common\/<\/td>\n<td>Targets all tenants<\/td>\n<td>Broad targeting<\/td>\n<\/tr>\n<tr>\n<td>response_type=code<\/td>\n<td>Full OAuth flow<\/td>\n<td>Triggers auth logic<\/td>\n<\/tr>\n<tr readability=\"3\">\n<td>prompt=none<\/td>\n<td>Silent authentication<\/td>\n<td>No UI, no user interaction<\/td>\n<\/tr>\n<tr>\n<td>scope=&lt;invalid_scope&gt;<\/td>\n<td>Guaranteed failure<\/td>\n<td>Forces error path<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/figure>\n<p class=\"wp-block-paragraph\">This technique abuses the OAuth 2.0 authorization endpoint by using parameters such as <code>prompt=none<\/code> and an intentionally invalid scope. Rather than attempting successful authentication, the request is designed to force the identity provider to evaluate session state and Conditional Access policies without presenting a user interface.<\/p>\n<p class=\"wp-block-paragraph\">Setting an invalid scope is one method used to trigger an error and subsequent redirect, but it is not the only mechanism observed. Errors may also occur when:<\/p>\n<ul class=\"wp-block-list\">\n<li class=\"wp-block-list-item\">The user is not logged in<\/li>\n<li class=\"wp-block-list-item\">The browser session cannot be retrieved<\/li>\n<li class=\"wp-block-list-item\">The user is logged in, but the application lacks a service principal in the user\u2019s tenant<\/li>\n<\/ul>\n<p class=\"wp-block-paragraph\">By design, OAuth flows may redirect users following certain error conditions. Attackers exploit this behavior to silently probe authorization endpoints and infer the presence of active sessions or authentication enforcement. 
Although user interaction is still required to click the link, the redirect path leverages trusted identity provider domains to advance the attack.<\/p>\n<h3 class=\"wp-block-heading\" id=\"stage-3-oauth-error-redirect\">Stage 3: OAuth Error Redirect<\/h3>\n<p class=\"wp-block-paragraph\">When silent authentication fails, Microsoft Entra ID returns an OAuth error and redirects the browser to the attacker\u2019s registered redirect URI, along with additional error parameters. The examples below show attacker-controlled phishing pages reached after the OAuth redirection.<\/p>\n<figure class=\"wp-block-table\">\n<table class=\"has-fixed-layout\">\n<tbody readability=\"5\">\n<tr readability=\"5\">\n<td>https:\/\/www.&lt;attacker-domain&gt;\/download\/XXXX <br \/>?error=interaction_required &amp;error_description=Session+information+is+not+for+single+sign-on <br \/>&amp;state=&lt;value&gt; &nbsp;<\/td>\n<td>Example of URL after error redirection from Microsoft OAuth<\/td>\n<\/tr>\n<tr readability=\"5\">\n<td>https:\/\/&lt;attacker-domain&gt;\/security\/<br \/>?state=&lt;encoded user email&gt;<br \/>&amp;error_subtype=access_denied<br \/>&amp;error=interaction_required<\/td>\n<td>Example of URL after error redirection from Google OAuth<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/figure>\n<p class=\"wp-block-paragraph\">What this really means:<\/p>\n<p class=\"wp-block-paragraph\"><strong>Interactive authentication is required: <\/strong>Microsoft Entra ID prompts the user to sign in or complete multifactor authentication.<\/p>\n<p class=\"wp-block-paragraph\"><strong>Session information cannot be reused for silent single sign-on:<\/strong> A session may exist, but it cannot be leveraged silently.<\/p>\n<p class=\"wp-block-paragraph\">From the attacker\u2019s perspective, this information is useful. 
It confirms that the user account exists and that silent SSO is blocked, meaning interactive authentication is required.<\/p>\n<p class=\"wp-block-paragraph\">The attacker does not obtain the user\u2019s access token, as the sign-in fails with error code 65001, indicating the user has not granted the application permission to access the resource. However, the primary objective of this campaign is to redirect the target to a malicious landing page, where follow-on activity such as downloading a malicious file may occur. By hosting the payload on an application redirect URI under their control, attackers can quickly rotate or change redirected domains when security filters block them.<\/p>\n<h3 class=\"wp-block-heading\" id=\"stage-4-redirect-abuse-and-malware-delivery\">Stage 4: Redirect Abuse and Malware Delivery<\/h3>\n<p class=\"wp-block-paragraph\">Among the threat actors and campaigns abusing OAuth redirection techniques with various landing pages, we identified a specific campaign that attempted to deliver a malicious payload. 
That activity is described in more detail below.<\/p>\n<ul class=\"wp-block-list\">\n<li class=\"wp-block-list-item\">After redirection, victims were sent to a <code>\/download\/XXXX<\/code> path, where a ZIP file was automatically downloaded to the target device.<\/li>\n<li class=\"wp-block-list-item\">Observed payloads included ZIP archives containing LNK shortcut files and HTML smuggling loaders.<\/li>\n<\/ul>\n<p class=\"wp-block-paragraph\">At this stage, the activity transitions from identity reconnaissance to endpoint compromise.<\/p>\n<h3 class=\"wp-block-heading\" id=\"stage-5-endpoint-impact-and-persistence\">Stage 5: Endpoint Impact and Persistence<\/h3>\n<p class=\"wp-block-paragraph\">Extraction of the ZIP archive confirmed PowerShell execution, DLL side-loading, and pre-ransom or hands-on-keyboard activity.<\/p>\n<p class=\"wp-block-paragraph\">The ZIP file downloaded from the malicious redirect contained a malicious <code>.LNK<\/code> shortcut file that, when opened, executed a PowerShell command. The script initiated host reconnaissance by running discovery commands such as <code>ipconfig \/all<\/code> and <code>tasklist<\/code>. Following this discovery phase, PowerShell used the <code>tar<\/code> utility to extract <code>steam_monitor.exe<\/code>, <code>crashhandler.dll<\/code>, and <code>crashlog.dat<\/code>.<\/p>\n<p class=\"wp-block-paragraph\">PowerShell then launched the legitimate <code>steam_monitor.exe<\/code>, which was leveraged to side-load the malicious <code>crashhandler.dll<\/code>. 
That DLL decrypted <code>crashlog.dat<\/code> and executed the final payload in memory, ultimately establishing an outbound connection to an external C2 endpoint.<\/p>\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2026\/02\/image-50.webp\" alt class=\"wp-image-145424 webp-format\" srcset data-orig-src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2026\/02\/image-50.webp\"><figcaption class=\"wp-element-caption\">Attack chain.<\/figcaption><\/figure>\n<h2 class=\"wp-block-heading\" id=\"mitigation-and-protection-guidance\"><strong>Mitigation and protection guidance&nbsp;&nbsp;<\/strong><\/h2>\n<p class=\"wp-block-paragraph\">To reduce risk, organizations should closely govern OAuth applications by limiting user consent, regularly reviewing application permissions, and removing unused or overprivileged apps. Combined with identity protection, Conditional Access policies, and cross-domain detection across email, identity, and endpoint, these measures help prevent trusted authentication flows from being misused for phishing or malware delivery.<\/p>\n<p class=\"wp-block-paragraph\">The activity described in this report highlights a class of identity-based threats that abuse OAuth\u2019s standard, by-design behavior rather than exploiting software vulnerabilities or stealing credentials. OAuth specifications, including RFC 6749, define how authorization errors are handled through redirects, and RFC 9700 documents security lessons learned from years of real-world deployment. RFC 9700 Section 4.11.2 (\u201cAuthorization Server as Open Redirector\u201d) notes that attackers can deliberately trigger OAuth errors, such as by using invalid parameters like <code>scope<\/code> or <code>prompt=none<\/code>, to force silent error redirects. 
Although this behavior is standards compliant, adversaries can abuse it to redirect users through trusted authorization endpoints to attacker-controlled destinations, enabling phishing or malware delivery without successful authentication.<\/p>\n<p class=\"wp-block-paragraph\">These campaigns demonstrate that this abuse is operational, not theoretical. Malicious but standards-compliant applications can misuse legitimate error-handling flows to redirect users from trusted identity providers to attacker-controlled infrastructure. As organizations strengthen defenses against credential theft and MFA bypass, attackers increasingly target trust relationships and protocol behavior instead. These findings reinforce the need for cross-domain XDR detections, clearer governance around OAuth redirection behavior, and continued collaboration across the security community to reduce abuse while preserving the interoperability that OAuth enables.<\/p>\n<h3 class=\"wp-block-heading\" id=\"advanced-hunting-queries\"><strong>Advanced hunting queries<\/strong><\/h3>\n<p class=\"wp-block-paragraph\">Microsoft Defender XDR customers can run the following query to find related activity in their networks:<\/p>\n<p class=\"wp-block-paragraph\"><strong>Identify URL click events associated with invalid OAuth scope parameter<\/strong><\/p>\n<div class=\"wp-block-syntaxhighlighter-code \" readability=\"9\">\n<pre class=\"brush: plain; title: ; notranslate\" title>\nUrlClickEvents\n| where ActionType == \"ClickAllowed\" or IsClickedThrough == true\n| where isnotempty(Url)\n| where Url startswith \"https:\/\/\" or Url startswith \"http:\/\/\"\n| where Url has \"scope=invalid\" or UrlChain has \"scope=invalid\"\n<\/pre>\n<\/div>\n<p class=\"wp-block-paragraph\"><strong>Identify URL click launched browser with invalid OAuth scope parameter<\/strong><\/p>\n<div class=\"wp-block-syntaxhighlighter-code \" readability=\"9\">\n<pre class=\"brush: plain; title: ; notranslate\" title>\nDeviceEvents\n| 
where ActionType == \"BrowserLaunchedToOpenUrl\"\n| where isnotempty(RemoteUrl)\n| where RemoteUrl startswith \"https:\/\/\" or RemoteUrl startswith \"http:\/\/\"\n| where RemoteUrl has \"scope=invalid\"\n<\/pre>\n<\/div>\n<p class=\"wp-block-paragraph\"><strong>Identify downloaded payload after OAuth redirect URL<\/strong><\/p>\n<div class=\"wp-block-syntaxhighlighter-code \" readability=\"9\">\n<pre class=\"brush: plain; title: ; notranslate\" title>\nDeviceFileEvents\n| where FileOriginReferrerUrl has_all (\"login.\", \".com\")\n| where FileOriginUrl has \"error=consent_required\"\n<\/pre>\n<\/div>\n<p class=\"wp-block-paragraph\"><strong>Identify execution of PowerShell command<\/strong><\/p>\n<div class=\"wp-block-syntaxhighlighter-code \" readability=\"18\">\n<pre class=\"brush: plain; title: ; notranslate\" title>\nDeviceProcessEvents\n| where FileName in~ (\"powershell.exe\", \"powershell_ise.exe\")\n| where ProcessCommandLine has_all (\".zip\", \"Get-ChildItem\", \".fullname\", \"::OpenRead\", \".Length;\", \".Read(\", \"byte[]\", \"Sleep\", \"TaR\")\n<\/pre>\n<\/div>\n<p class=\"wp-block-paragraph\"><strong>Identify usage of DLL side-loading<\/strong><\/p>\n<div class=\"wp-block-syntaxhighlighter-code \" readability=\"13\">\n<pre class=\"brush: plain; title: ; notranslate\" title>\nDeviceImageLoadEvents\n| where InitiatingProcessFileName =~ \"steam_monitor.exe\"\n| where FileName =~ \"crashhandler.dll\"\n| extend path = tostring(parse_path(FolderPath).DirectoryPath)\n| where path =~ InitiatingProcessFolderPath\n| where not(path has_any (@\"\\Windows\\System32\", @\"\\Windows\\SysWOW64\", @\"\\winsxs\\\", @\"\\program files\"))\n<\/pre>\n<\/div>\n<h3 class=\"wp-block-heading\" id=\"microsoft-defender-for-endpoint\">Microsoft Defender for Endpoint<\/h3>\n<p class=\"wp-block-paragraph\">The following Microsoft Defender for Endpoint alerts may indicate threat activity related to this threat. 
Note, however, that these alerts can also be triggered by unrelated threat activity:<\/p>\n<ul class=\"wp-block-list\">\n<li class=\"wp-block-list-item\">Possible initial access from an emerging threat<\/li>\n<li class=\"wp-block-list-item\">Suspicious connection blocked by network protection<\/li>\n<li class=\"wp-block-list-item\">An executable file loaded an unexpected DLL file<\/li>\n<li class=\"wp-block-list-item\">Hands-on-keyboard attack disruption via context signals<\/li>\n<li class=\"wp-block-list-item\">Silent OAuth probe followed by malware delivery attempt<\/li>\n<\/ul>\n<h3 class=\"wp-block-heading\" id=\"microsoft-defender-antivirus\">Microsoft Defender Antivirus<\/h3>\n<p class=\"wp-block-paragraph\">Microsoft Defender Antivirus detects components of this threat as the following:<\/p>\n<ul class=\"wp-block-list\">\n<li class=\"wp-block-list-item\">Trojan:Win32\/Malgent<\/li>\n<li class=\"wp-block-list-item\">Trojan:Win32\/Korplug<\/li>\n<li class=\"wp-block-list-item\">Trojan:Win32\/Znyonm<\/li>\n<li class=\"wp-block-list-item\">Trojan:Win32\/GreedyRobin.B!dha<\/li>\n<li class=\"wp-block-list-item\">Trojan:Win32\/WinLNK<\/li>\n<li class=\"wp-block-list-item\">Trojan:Win32\/Sonbokli<\/li>\n<\/ul>\n<h3 class=\"wp-block-heading\" id=\"microsoft-defender-for-office-365\">Microsoft Defender for Office 365<\/h3>\n<ul class=\"wp-block-list\">\n<li class=\"wp-block-list-item\">Email messages containing malicious file removed after delivery<\/li>\n<li class=\"wp-block-list-item\">Email messages containing malicious URL removed after delivery<\/li>\n<li class=\"wp-block-list-item\">Email messages from a campaign removed after delivery<\/li>\n<\/ul>\n<h3 class=\"wp-block-heading\" id=\"threat-response-recommendations\">Threat response recommendations<\/h3>\n<p class=\"wp-block-paragraph\">Block known IOCs (IPs, domains, file hashes) across security tools. The Microsoft client IDs associated with the threat actor\u2019s OAuth apps and the initial redirection URLs are listed in the original report.<\/p>\n<p class=\"wp-block-paragraph\">Hunt for indicators in your environment:<\/p>\n<ul class=\"wp-block-list\">\n<li class=\"wp-block-list-item\">Auth URLs with prompt=none in emails with common phishing themes such as document sharing, password reset, email storage full, HR, etc.<\/li>\n<li class=\"wp-block-list-item\">Unexpected emails containing OAuth URLs with prompt=none<\/li>\n<li class=\"wp-block-list-item\">Auth URLs with prompt=none that redirect to an unexpected or unknown domain after the initial redirection<\/li>\n<li class=\"wp-block-list-item\">Auth URLs with prompt=none that carry an email address in the state parameter, either in plain text or encoded<\/li>\n<\/ul>\n<ul class=\"wp-block-list\">\n<li class=\"wp-block-list-item\">Review and strengthen email security policies (if phishing campaign)<\/li>\n<li class=\"wp-block-list-item\">Enable enhanced logging and 
monitoring<\/li>\n<li class=\"wp-block-list-item\">Alert security teams and stakeholders.<\/li>\n<\/ul>\n<h2 class=\"wp-block-heading\" id=\"references\">References<\/h2>\n<p class=\"wp-block-paragraph\"><em>This research is provided by Microsoft Defender Security Research with contributions from Jonathan Armer, Fernando Dantes, Sagar Patil, Bharat Vaghela, Krithika Ramakrishnan, Sean Reynolds, and Shivas Raina.<\/em><\/p>\n<h2 class=\"wp-block-heading\" id=\"learn-more\">Learn more&nbsp;&nbsp;&nbsp;<\/h2>\n<p class=\"wp-block-paragraph\">Review\u202four\u202fdocumentation\u202fto learn\u202fmore about our real-time protection capabilities and see how\u202fto\u202fenable them within your\u202forganization.\u202f\u202f&nbsp;<\/p>\n<p class=\"wp-block-paragraph\">Explore\u202f<a href=\"https:\/\/eurppc-word-edit.officeapps.live.com\/we\/%E2%80%A2%09https:\/learn.microsoft.com\/en-us\/microsoft-365-copilot\/extensibility\/copilot-studio-agent-builder\" target=\"_blank\" rel=\"noreferrer noopener\">how to build and customize agents with Copilot Studio Agent Builder<\/a>&nbsp;<\/p>\n<p class=\"wp-block-paragraph\"><a href=\"https:\/\/learn.microsoft.com\/en-us\/copilot\/microsoft-365\/microsoft-365-copilot-ai-security\" target=\"_blank\" rel=\"noreferrer noopener\">Microsoft 365 Copilot AI security documentation<\/a>&nbsp;<\/p>\n<p class=\"wp-block-paragraph\"><a href=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2024\/04\/11\/how-microsoft-discovers-and-mitigates-evolving-attacks-against-ai-guardrails\/\" target=\"_blank\" rel=\"noreferrer noopener\">How Microsoft discovers and mitigates evolving attacks against AI guardrails<\/a>&nbsp;<\/p>\n<p class=\"wp-block-paragraph\">Learn more about\u202f<a href=\"https:\/\/learn.microsoft.com\/en-us\/defender-cloud-apps\/ai-agent-protection\" target=\"_blank\" rel=\"noreferrer noopener\">securing Copilot Studio agents with Microsoft Defender<\/a>\u202f&nbsp;<\/p>\n<p class=\"wp-block-paragraph\">Learn more 
about\u202f<a href=\"https:\/\/learn.microsoft.com\/en-us\/defender-cloud-apps\/real-time-agent-protection-during-runtime\" target=\"_blank\" rel=\"noreferrer noopener\">Protect your agents in real-time during runtime (Preview) \u2013 Microsoft Defender for Cloud Apps | Microsoft Learn<\/a>\u202f\u202f&nbsp;<\/p>\n<p>READ MORE <a href=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2026\/03\/02\/oauth-redirection-abuse-enables-phishing-malware-delivery\/\">HERE<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>OAuth redirection is being repurposed as a phishing delivery path. Trusted authentication flows are weaponized to move users from legitimate sign\u2011in pages to attacker\u2011controlled infrastructure.<br \/>\nThe post OAuth redirection abuse enables phishing and malware delivery appeared first on Microsoft Security Blog. READ MORE HERE&#8230;<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"colormag_page_layout":"default_layout","footnotes":""},"categories":[276],"tags":[],"class_list":["post-60249","post","type-post","status-publish","format-standard","hentry","category-microsoft-secure"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v27.7 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>OAuth redirection abuse enables phishing and malware delivery 2026 | ThreatsHub Cybersecurity News<\/title>\n<meta name=\"description\" content=\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security &amp; Cyber Threats Analysis Hub. 
100% Free OSINT Threat Intelligent and Cybersecurity News.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.threatshub.org\/blog\/oauth-redirection-abuse-enables-phishing-and-malware-delivery\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"OAuth redirection abuse enables phishing and malware delivery 2026 | ThreatsHub Cybersecurity News\" \/>\n<meta property=\"og:description\" content=\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security &amp; Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.threatshub.org\/blog\/oauth-redirection-abuse-enables-phishing-and-malware-delivery\/\" \/>\n<meta property=\"og:site_name\" content=\"ThreatsHub Cybersecurity News\" \/>\n<meta property=\"article:published_time\" content=\"2026-03-02T19:29:53+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2025\/05\/Threatshub_Favicon1.jpg\" \/>\n\t<meta property=\"og:image:width\" content=\"432\" \/>\n\t<meta property=\"og:image:height\" content=\"435\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/jpeg\" \/>\n<meta name=\"author\" content=\"TH Author\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@threatshub\" \/>\n<meta name=\"twitter:site\" content=\"@threatshub\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"TH Author\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. 
reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"13 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/oauth-redirection-abuse-enables-phishing-and-malware-delivery\\\/#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/oauth-redirection-abuse-enables-phishing-and-malware-delivery\\\/\"},\"author\":{\"name\":\"TH Author\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/person\\\/12e0a8671ff89a863584f193e7062476\"},\"headline\":\"OAuth redirection abuse enables phishing and malware delivery\",\"datePublished\":\"2026-03-02T19:29:53+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/oauth-redirection-abuse-enables-phishing-and-malware-delivery\\\/\"},\"wordCount\":2361,\"publisher\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#organization\"},\"image\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/oauth-redirection-abuse-enables-phishing-and-malware-delivery\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/www.microsoft.com\\\/en-us\\\/security\\\/blog\\\/wp-content\\\/uploads\\\/2026\\\/02\\\/image-44.webp\",\"articleSection\":[\"Microsoft Secure\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/oauth-redirection-abuse-enables-phishing-and-malware-delivery\\\/\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/oauth-redirection-abuse-enables-phishing-and-malware-delivery\\\/\",\"name\":\"OAuth redirection abuse enables phishing and malware delivery 2026 | ThreatsHub Cybersecurity 
News\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/oauth-redirection-abuse-enables-phishing-and-malware-delivery\\\/#primaryimage\"},\"image\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/oauth-redirection-abuse-enables-phishing-and-malware-delivery\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/www.microsoft.com\\\/en-us\\\/security\\\/blog\\\/wp-content\\\/uploads\\\/2026\\\/02\\\/image-44.webp\",\"datePublished\":\"2026-03-02T19:29:53+00:00\",\"description\":\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/oauth-redirection-abuse-enables-phishing-and-malware-delivery\\\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/oauth-redirection-abuse-enables-phishing-and-malware-delivery\\\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/oauth-redirection-abuse-enables-phishing-and-malware-delivery\\\/#primaryimage\",\"url\":\"https:\\\/\\\/www.microsoft.com\\\/en-us\\\/security\\\/blog\\\/wp-content\\\/uploads\\\/2026\\\/02\\\/image-44.webp\",\"contentUrl\":\"https:\\\/\\\/www.microsoft.com\\\/en-us\\\/security\\\/blog\\\/wp-content\\\/uploads\\\/2026\\\/02\\\/image-44.webp\"},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/oauth-redirection-abuse-enables-phishing-and-malware-delivery\\\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"OAuth redirection abuse enables phishing and malware 
delivery\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#website\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/\",\"name\":\"ThreatsHub Cybersecurity News\",\"description\":\"%%focuskw%% Threat Intel \u2013 Threat Intel Services \u2013 CyberIntelligence \u2013 Cyber Threat Intelligence - Threat Intelligence Feeds - Threat Intelligence Reports - CyberSecurity Report \u2013 Cyber Security PDF \u2013 Cybersecurity Trends - Cloud Sandbox \u2013- Threat IntelligencePortal \u2013 Incident Response \u2013 Threat Hunting \u2013 IOC - Yara - Security Operations Center \u2013 SecurityOperation Center \u2013 Security SOC \u2013 SOC Services - Advanced Threat - Threat Detection - TargetedAttack \u2013 APT \u2013 Anti-APT \u2013 Advanced Protection \u2013 Cyber Security Services \u2013 Cybersecurity Services -Threat Intelligence Platform\",\"publisher\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#organization\"},\"alternateName\":\"Threatshub.org\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#organization\",\"name\":\"ThreatsHub.org\",\"alternateName\":\"Threatshub.org\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/logo\\\/image\\\/\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2025\\\/05\\\/Threatshub_Favicon1.jpg\",\"contentUrl\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2025\\\/05\\\/Threatshub_Favicon1.jpg\",\"width\":432,\"height\":435,\"caption\":\"ThreatsHub.or
g\"},\"image\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/logo\\\/image\\\/\"},\"sameAs\":[\"https:\\\/\\\/x.com\\\/threatshub\"]},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/person\\\/12e0a8671ff89a863584f193e7062476\",\"name\":\"TH Author\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g\",\"caption\":\"TH Author\"}}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"OAuth redirection abuse enables phishing and malware delivery 2026 | ThreatsHub Cybersecurity News","description":"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.threatshub.org\/blog\/oauth-redirection-abuse-enables-phishing-and-malware-delivery\/","og_locale":"en_US","og_type":"article","og_title":"OAuth redirection abuse enables phishing and malware delivery 2026 | ThreatsHub Cybersecurity News","og_description":"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 
100% Free OSINT Threat Intelligent and Cybersecurity News.","og_url":"https:\/\/www.threatshub.org\/blog\/oauth-redirection-abuse-enables-phishing-and-malware-delivery\/","og_site_name":"ThreatsHub Cybersecurity News","article_published_time":"2026-03-02T19:29:53+00:00","og_image":[{"width":432,"height":435,"url":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2025\/05\/Threatshub_Favicon1.jpg","type":"image\/jpeg"}],"author":"TH Author","twitter_card":"summary_large_image","twitter_creator":"@threatshub","twitter_site":"@threatshub","twitter_misc":{"Written by":"TH Author","Est. reading time":"13 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.threatshub.org\/blog\/oauth-redirection-abuse-enables-phishing-and-malware-delivery\/#article","isPartOf":{"@id":"https:\/\/www.threatshub.org\/blog\/oauth-redirection-abuse-enables-phishing-and-malware-delivery\/"},"author":{"name":"TH Author","@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/person\/12e0a8671ff89a863584f193e7062476"},"headline":"OAuth redirection abuse enables phishing and malware delivery","datePublished":"2026-03-02T19:29:53+00:00","mainEntityOfPage":{"@id":"https:\/\/www.threatshub.org\/blog\/oauth-redirection-abuse-enables-phishing-and-malware-delivery\/"},"wordCount":2361,"publisher":{"@id":"https:\/\/www.threatshub.org\/blog\/#organization"},"image":{"@id":"https:\/\/www.threatshub.org\/blog\/oauth-redirection-abuse-enables-phishing-and-malware-delivery\/#primaryimage"},"thumbnailUrl":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2026\/02\/image-44.webp","articleSection":["Microsoft Secure"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/www.threatshub.org\/blog\/oauth-redirection-abuse-enables-phishing-and-malware-delivery\/","url":"https:\/\/www.threatshub.org\/blog\/oauth-redirection-abuse-enables-phishing-and-malware-delivery\/","name":"OAuth redirection abuse enables phishing and malware 
delivery 2026 | ThreatsHub Cybersecurity News","isPartOf":{"@id":"https:\/\/www.threatshub.org\/blog\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.threatshub.org\/blog\/oauth-redirection-abuse-enables-phishing-and-malware-delivery\/#primaryimage"},"image":{"@id":"https:\/\/www.threatshub.org\/blog\/oauth-redirection-abuse-enables-phishing-and-malware-delivery\/#primaryimage"},"thumbnailUrl":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2026\/02\/image-44.webp","datePublished":"2026-03-02T19:29:53+00:00","description":"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.","breadcrumb":{"@id":"https:\/\/www.threatshub.org\/blog\/oauth-redirection-abuse-enables-phishing-and-malware-delivery\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.threatshub.org\/blog\/oauth-redirection-abuse-enables-phishing-and-malware-delivery\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.threatshub.org\/blog\/oauth-redirection-abuse-enables-phishing-and-malware-delivery\/#primaryimage","url":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2026\/02\/image-44.webp","contentUrl":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2026\/02\/image-44.webp"},{"@type":"BreadcrumbList","@id":"https:\/\/www.threatshub.org\/blog\/oauth-redirection-abuse-enables-phishing-and-malware-delivery\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.threatshub.org\/blog\/"},{"@type":"ListItem","position":2,"name":"OAuth redirection abuse enables phishing and malware delivery"}]},{"@type":"WebSite","@id":"https:\/\/www.threatshub.org\/blog\/#website","url":"https:\/\/www.threatshub.org\/blog\/","name":"ThreatsHub Cybersecurity News","description":"%%focuskw%% Threat Intel \u2013 Threat Intel Services 
\u2013 CyberIntelligence \u2013 Cyber Threat Intelligence - Threat Intelligence Feeds - Threat Intelligence Reports - CyberSecurity Report \u2013 Cyber Security PDF \u2013 Cybersecurity Trends - Cloud Sandbox \u2013- Threat IntelligencePortal \u2013 Incident Response \u2013 Threat Hunting \u2013 IOC - Yara - Security Operations Center \u2013 SecurityOperation Center \u2013 Security SOC \u2013 SOC Services - Advanced Threat - Threat Detection - TargetedAttack \u2013 APT \u2013 Anti-APT \u2013 Advanced Protection \u2013 Cyber Security Services \u2013 Cybersecurity Services -Threat Intelligence Platform","publisher":{"@id":"https:\/\/www.threatshub.org\/blog\/#organization"},"alternateName":"Threatshub.org","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.threatshub.org\/blog\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/www.threatshub.org\/blog\/#organization","name":"ThreatsHub.org","alternateName":"Threatshub.org","url":"https:\/\/www.threatshub.org\/blog\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/logo\/image\/","url":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2025\/05\/Threatshub_Favicon1.jpg","contentUrl":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2025\/05\/Threatshub_Favicon1.jpg","width":432,"height":435,"caption":"ThreatsHub.org"},"image":{"@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/x.com\/threatshub"]},{"@type":"Person","@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/person\/12e0a8671ff89a863584f193e7062476","name":"TH 
Author","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g","url":"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g","caption":"TH Author"}}]}},"_links":{"self":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts\/60249","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/comments?post=60249"}],"version-history":[{"count":0,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts\/60249\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/media?parent=60249"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/categories?post=60249"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/tags?post=60249"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}