Microsoft warns of OAuth phishing campaigns able to bypass email and browser defenses - says 'these campaigns demonstrate that this abuse is operational, not theoretical'

  • Microsoft warns hackers are abusing OAuth redirect feature to deliver malware
  • Phishing emails themed around Teams recordings or 365 resets redirect victims to attacker-controlled sites
  • Payloads dropped via ZIP archives with LNK shortcuts and HTML smuggling; final stage connects to external C2

Hackers are abusing a redirect feature in OAuth to infect people’s computers with malware and steal their login credentials, Microsoft is warning.

OAuth (short for Open Authorization) is a system which lets users log into websites using their account from another service, without giving that website their password. Whenever a “Log In With Google” popup is shown, it is most likely OAuth.

This system has a redirect feature which identity providers can use to send visitors to a different landing page, usually if the process triggers an error - but Microsoft says this feature is being abused.
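A mail-triage check for the redirect abuse described above, as an added example that is not from Microsoft or the original article: it extracts links from a message body and flags OAuth authorization links on an identity provider's host whose `redirect_uri` points outside an allowlist. The identity-provider hosts, the allowlist, the function names and the sample message are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Assumption: identity-provider hosts whose authorization links are inspected.
IDP_HOSTS = {"login.microsoftonline.com", "accounts.google.com"}
# Assumption: redirect hosts used by the organisation's own registered apps.
ALLOWED_REDIRECT_HOSTS = {"portal.example.com"}

URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)

# Constructed sample message; client IDs and domains are placeholders.
SAMPLE_EMAIL = """\
Your Teams recording is ready:
https://login.microsoftonline.com/common/oauth2/v2.0/authorize?client_id=00000000-0000-0000-0000-000000000000&response_type=code&redirect_uri=https%3A%2F%2Ffiles.attacker.example%2Fview&scope=openid
Company portal sign-in:
https://login.microsoftonline.com/common/oauth2/v2.0/authorize?client_id=11111111-1111-1111-1111-111111111111&response_type=code&redirect_uri=https%3A%2F%2Fportal.example.com%2Fcb&scope=openid
Help: https://support.example.com/reset
"""

def redirect_host(url):
    """Return the redirect_uri host of an OAuth authorization link,
    or None when the URL is not such a link."""
    parts = urlsplit(url)
    if (parts.hostname or "").lower() not in IDP_HOSTS:
        return None
    query = parse_qs(parts.query)  # parse_qs percent-decodes the values
    if "client_id" not in query or "redirect_uri" not in query:
        return None
    target = urlsplit(query["redirect_uri"][0])
    # An unparseable redirect yields "", which is never on the allowlist.
    return (target.hostname or "").lower()

def triage(body):
    """List (url, redirect_host) pairs whose redirect leaves the allowlist."""
    findings = []
    for url in URL_RE.findall(body):
        url = url.rstrip(".,)")  # drop trailing sentence punctuation
        host = redirect_host(url)
        if host is not None and host not in ALLOWED_REDIRECT_HOSTS:
            findings.append((url, host))
    return findings

if __name__ == "__main__":
    for url, host in triage(SAMPLE_EMAIL):
        print(f"redirects to unlisted host {host}: {url}")
```

The link itself sits on the identity provider's own domain, so a reputation check on the link host alone passes it; the check has to look at where the `redirect_uri` parameter leads.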

State actors are abusing OAuth device ...
Copyright of this story solely belongs to techradar.com.