Attackers are abusing legitimate OAuth redirection to bypass email and browser phishing protections: because the identity provider itself issues the redirect, the final hop to a malicious page inherits the provider's trusted domain. Campaigns targeting government and public-sector organizations use lures such as e-signature requests and embedded PDFs to trigger silent OAuth errors and redirect victims to phishing frameworks such as EvilProxy, or to download chains that culminate in DLL side-loading. #EvilProxy #EntraID
Key points
- Attackers register malicious OAuth applications with redirect URIs pointing to their infrastructure.
- They trigger silent authentication errors with invalid request parameters (for example, an invalid scope combined with prompt=none), so the identity provider returns the error by redirecting the user to the attacker-registered redirect URI without any sign-in prompt.
- Redirects can send victims to EvilProxy-powered phishing pages that intercept session cookies and bypass MFA.
- Other redirects deliver ZIPs containing .LNK files and HTML smuggling that launch PowerShell and enable DLL side-loading.
- Microsoft advises tightening OAuth app permissions, enforcing Conditional Access, and using cross-domain detection across email, identity, and endpoints.
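The pattern in the first three points (a registered app, a redirect URI on attacker infrastructure, and prompt=none so that an error is returned by silent redirect) is visible in web-proxy or email-URL logs before any credential is entered. The script below is an added example for this post, not code from Microsoft or from the campaign write-up. It parses a few constructed proxy log lines, picks out Entra ID /authorize requests, and flags those whose redirect_uri host is outside an assumed allowlist of the organization's own application hosts, raising severity when prompt=none is also present. The hostnames, client IDs, allowlist and log lines are all constructed.

```python
"""Flag Entra ID authorize requests that match the silent-error-redirect pattern.

Added example, not from the original post. Everything below (allowlist,
client IDs, hostnames, log lines) is constructed for illustration.
"""
import re
from urllib.parse import parse_qs, urlsplit

# Assumed allowlist: hosts that the organization's registered apps legitimately
# use as redirect_uri targets. In practice this comes from the app registrations.
ALLOWED_REDIRECT_HOSTS = {"app.contoso.example", "portal.contoso.example"}

# Entra ID authorize endpoints: /<tenant>/oauth2/authorize and /<tenant>/oauth2/v2.0/authorize
AUTHORIZE_PATH_RE = re.compile(
    r"^/(?:common|organizations|consumers|[0-9a-f-]{36})/oauth2/(?:v2\.0/)?authorize$"
)

# Constructed proxy log lines: "<timestamp> <user> <method> <url> <status>"
SAMPLE_LOG = """\
2024-05-01T09:12:03Z alice GET https://login.microsoftonline.com/common/oauth2/v2.0/authorize?client_id=11111111-1111-1111-1111-111111111111&response_type=code&redirect_uri=https%3A%2F%2Fapp.contoso.example%2Fcallback&scope=openid%20profile&prompt=none 302
2024-05-01T09:13:44Z bob GET https://login.microsoftonline.com/common/oauth2/v2.0/authorize?client_id=22222222-2222-2222-2222-222222222222&response_type=code&redirect_uri=https%3A%2F%2Fdocs-esign.example.net%2Fcb&scope=not_a_real_scope&prompt=none 302
2024-05-01T09:14:10Z carol GET https://login.microsoftonline.com/organizations/oauth2/v2.0/authorize?client_id=33333333-3333-3333-3333-333333333333&response_type=code&redirect_uri=https%3A%2F%2Fsigning.example.org%2Fr&scope=openid 302
2024-05-01T09:15:00Z dave GET https://www.example.com/index.html 200
"""


def parse_log_line(line):
    """Split one constructed log line into its fields."""
    ts, user, method, url, status = line.split(" ", 4)
    return {"ts": ts, "user": user, "method": method, "url": url, "status": int(status)}


def analyse_authorize_url(url):
    """Return an analysis dict for an Entra ID authorize URL, or None if the URL is not one.

    The dict always carries 'flagged' (bool), 'severity' and 'reasons'. A request is
    flagged when redirect_uri points at a host outside the allowlist; prompt=none on
    such a request raises the severity, because a deliberately invalid request will
    then bounce the user to that host with no sign-in prompt at all.
    """
    parts = urlsplit(url)
    if parts.netloc.lower() != "login.microsoftonline.com" or not AUTHORIZE_PATH_RE.match(parts.path):
        return None
    q = parse_qs(parts.query)
    redirect_uri = q.get("redirect_uri", [""])[0]
    redirect_host = urlsplit(redirect_uri).netloc.lower()
    prompt = q.get("prompt", [""])[0]
    client_id = q.get("client_id", [""])[0]

    reasons = []
    if redirect_host and redirect_host not in ALLOWED_REDIRECT_HOSTS:
        reasons.append(f"redirect_uri host {redirect_host!r} is not an allowlisted app host")
        if prompt == "none":
            reasons.append("prompt=none: any error is returned by silent redirect to that host")
    # prompt=none to an allowlisted host is normal SSO behaviour and is not flagged.

    flagged = bool(reasons)
    severity = "high" if len(reasons) == 2 else "medium" if flagged else "none"
    return {
        "flagged": flagged,
        "severity": severity,
        "client_id": client_id,
        "redirect_host": redirect_host,
        "prompt": prompt,
        "reasons": reasons,
    }


def scan_log(text):
    """Return one finding per flagged authorize request, in log order."""
    findings = []
    for line in text.splitlines():
        if not line.strip():
            continue
        entry = parse_log_line(line)
        result = analyse_authorize_url(entry["url"])
        if result and result["flagged"]:
            findings.append({"ts": entry["ts"], "user": entry["user"], **result})
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"[{f['severity']}] {f['ts']} {f['user']} client_id={f['client_id']} -> {f['redirect_host']}")
        for r in f["reasons"]:
            print(f"    - {r}")
```

The allowlist approach is the useful part: prompt=none alone is ordinary single-sign-on traffic, so the signal is a redirect_uri host that none of the organization's own app registrations use. The same check can be applied to URLs extracted from inbound email, where the lure is delivered, and a host that is flagged there can be correlated with later endpoint activity (ZIP downloads, .LNK execution) as the last point recommends.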