
OAuth Redirect Attacks Deliver Malware and Bypass MFA
Microsoft Defender researchers warn that attackers abuse OAuth 2.0 redirect flows to bypass phishing protections: they register malicious OAuth apps and direct users, sometimes through links embedded in PDFs, to attacker-controlled redirect URIs. Victims land on phishing pages or on adversary-in-the-middle proxies such as EvilProxy that intercept session cookies and so bypass MFA. Other campaigns deliver ZIP archives containing LNK shortcut files that launch PowerShell and use DLL side-loading to drop payloads. These are identity-based threats that exploit standard OAuth error handling; Microsoft advises tighter OAuth app permissions, stronger identity protections, Conditional Access policies, and cross-domain detection that correlates email, identity, and endpoint signals.
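One defender-side check implied by the advice above, written here as an added example rather than Microsoft's own tooling: it parses OAuth authorize links seen in mail or proxy logs and flags those whose redirect_uri host is not one registered for that client_id in the tenant's app inventory. The authorize hostnames are real Entra ID endpoints; the inventory, client IDs and sample links are constructed placeholders.

```python
"""Triage OAuth authorize links by checking redirect_uri against the
tenant's own app inventory. Added example, not Microsoft's code: the
allowlist, client IDs and sample links are constructed placeholders."""
from urllib.parse import urlparse, parse_qs

# Entra ID authorization endpoints (real hostnames); the path ends in /authorize.
AUTHORIZE_HOSTS = {"login.microsoftonline.com", "login.microsoft.com"}

# Hypothetical inventory: approved client_id -> redirect hosts it registered.
APPROVED_APPS = {
    "11111111-1111-1111-1111-111111111111": {"app.example.com"},
}


def inspect_oauth_link(url: str) -> dict:
    """Return a verdict for one URL; 'suspicious' carries the reasons."""
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    if host not in AUTHORIZE_HOSTS or not parsed.path.endswith("/authorize"):
        return {"verdict": "not_oauth", "reasons": []}
    params = parse_qs(parsed.query)  # percent-decodes redirect_uri for us
    client_id = params.get("client_id", [""])[0]
    redirect_uri = params.get("redirect_uri", [""])[0]
    target = urlparse(redirect_uri)
    target_host = (target.hostname or "").lower()
    reasons = []
    if client_id not in APPROVED_APPS:
        reasons.append("unknown_client_id")
    elif target_host and target_host not in APPROVED_APPS[client_id]:
        reasons.append("redirect_host_not_registered")
    if redirect_uri and target.scheme != "https":
        reasons.append("redirect_not_https")
    return {"verdict": "suspicious" if reasons else "allow", "reasons": reasons,
            "client_id": client_id, "redirect_host": target_host}


def triage(links):
    """Return only the suspicious links with their reasons, for analyst review."""
    hits = []
    for url in links:
        result = inspect_oauth_link(url)
        if result["verdict"] == "suspicious":
            hits.append((url, result["reasons"]))
    return hits


SAMPLE_LINKS = [  # constructed sample links, not taken from any real campaign
    "https://login.microsoftonline.com/common/oauth2/v2.0/authorize?client_id=11111111-1111-1111-1111-111111111111&redirect_uri=https%3A%2F%2Fapp.example.com%2Fcallback&response_type=code&scope=openid",
    "https://login.microsoftonline.com/common/oauth2/v2.0/authorize?client_id=11111111-1111-1111-1111-111111111111&redirect_uri=https%3A%2F%2Fdocs-review.example.net%2Fopen&response_type=code&scope=openid",
    "https://login.microsoftonline.com/common/oauth2/v2.0/authorize?client_id=22222222-2222-2222-2222-222222222222&redirect_uri=http%3A%2F%2Fshare-file.example.org%2Fpdf&response_type=code",
    "https://example.com/quarterly-report.pdf",
]

if __name__ == "__main__":
    for url, reasons in triage(SAMPLE_LINKS):
        print(reasons, url)
```

A missing redirect_uri is not flagged on its own, since the identity provider then falls back to the app's registered URI; the unknown client_id check still catches an attacker-registered app in that case.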