Key Points
- Microsoft research shows attackers exploiting OAuth redirect behaviour to deliver malware
- Keeper Security CISO says identity workflows are becoming core attack surfaces
- Organisations advised to restrict third-party app consent and audit OAuth registrations
Cyber criminals are exploiting OAuth login workflows to redirect users from legitimate authentication pages to malware-hosting websites, according to new research from Microsoft and analysis by a leading security executive.
Shane Barney, chief information security officer (CISO) at Keeper Security, said the campaigns represent a shift in how attackers abuse OAuth, the widely used protocol that allows users to log into third-party applications using credentials from services like Google or Microsoft without sharing their password directly.
The findings are particularly relevant for enterprises, where OAuth-based single sign-on and third-party application integrations have become standard across banking, fintech, e-commerce and corporate IT environments.
How the attack works
Unlike earlier OAuth abuse campaigns that focused on stealing access tokens, the small digital keys that grant applications permission to act on a user’s behalf, the newer attacks target endpoint compromise. This means attackers aim to install malicious software directly on the user’s device rather than hijacking their online session.
Barney told TechObserver.in that attackers manipulate OAuth redirect behaviour to trigger error conditions. When users begin logging in on a genuine Microsoft page, the system redirects them to an attacker-controlled website hosting malware.
“The goal in these cases is not token theft. The objective is endpoint compromise,” Barney said.
By starting the interaction on a legitimate Microsoft login page, attackers make the process appear routine. Users are more likely to follow through without realising they have been redirected to malicious infrastructure.
Identity systems as attack surfaces
The tactic reflects a broader change in cyber criminal strategy. Rather than attempting to break encryption or directly intercept credentials, attackers are increasingly targeting gaps between identity systems, redirect logic and user behaviour.
“When identity workflows are trusted implicitly and not continuously validated, they become an attack surface,” Barney said.
The warning comes as identity systems play an increasingly central role in corporate security. Single sign-on, which allows employees to access multiple applications with one set of credentials, and federated identity systems are now embedded in day-to-day business operations across Indian enterprises.
Misconfigured redirect URLs, broad user consent settings and weak oversight of OAuth applications can all be exploited, Barney noted. He added that multi-factor authentication, a security measure requiring users to verify their identity through a second method such as an OTP or biometric scan, remains an important safeguard but does not stop every form of OAuth abuse.
In cases where legitimate login flows steer users towards malware, the authentication process itself may work as intended while the attack unfolds elsewhere in the redirect chain.
What organisations should do
To reduce risk, Barney said organisations should restrict end-user consent for third-party applications and limit permitted redirect URLs. Security teams should regularly review OAuth app registrations for signs of misuse or excessive permissions granted during setup.
Administrators should also monitor for error-driven redirect patterns and unusual authorisation requests that could indicate compromise attempts.
“Identity infrastructure is now core to enterprise security,” Barney said. “If OAuth flows and application integrations are not governed with the same rigour as privileged access, attackers will continue to use them as entry points.”
For companies using Microsoft 365, Google Workspace or other cloud productivity suites with OAuth integrations, the findings underscore the need to audit existing third-party application permissions and tighten controls around identity workflows.
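As an added illustration of the audit and monitoring steps described above (example code, not from Microsoft, Keeper Security or this article), the Python below checks constructed app-registration records for non-HTTPS, wildcard or off-allowlist redirect URIs, high-risk scopes and end-user consent, and flags constructed sign-in events that ended in an OAuth error and redirected off the allowlist. The record layout, log format, hostnames and allowlist are assumptions for the example only.

```python
from urllib.parse import urlparse
# Constructed sample data for this example (not real tenant records or a real product schema).
ALLOWED_HOSTS = {"app.example.com", "sso.example.com"}
HIGH_RISK_SCOPES = {"Mail.ReadWrite", "Files.ReadWrite.All", "Directory.ReadWrite.All"}
APP_REGISTRATIONS = [
    {"name": "expense-portal", "redirect_uris": ["https://app.example.com/callback"],
     "scopes": ["User.Read"], "user_consent": False},
    {"name": "legacy-connector", "redirect_uris": ["http://app.example.com/cb", "https://*.example.com/cb"],
     "scopes": ["User.Read", "Mail.ReadWrite"], "user_consent": True},
    {"name": "sync-helper", "redirect_uris": ["https://login.example-files.com/oauth"],
     "scopes": ["Files.ReadWrite.All"], "user_consent": True},
]
SIGNIN_LOG = [  # constructed key=value sign-in events in a made-up format
    "user=alice app=expense-portal result=success redirect=https://app.example.com/callback",
    "user=bob app=legacy-connector result=error code=invalid_request redirect=https://cdn.example-dl.net/setup",
    "user=carol app=sync-helper result=error code=invalid_scope redirect=https://sso.example.com/error",
]

def redirect_uri_findings(uri, allowed_hosts):
    """Reasons a registered redirect URI is risky; an empty list means it passes."""
    parsed, findings = urlparse(uri), []
    host = parsed.hostname or ""
    if parsed.scheme != "https" and host not in ("localhost", "127.0.0.1"):
        findings.append(f"non-https redirect: {uri}")
    if "*" in parsed.netloc:
        findings.append(f"wildcard host: {uri}")
    elif host not in allowed_hosts:
        findings.append(f"host not on allowlist: {host}")
    return findings

def audit_app(app, allowed_hosts=ALLOWED_HOSTS, high_risk=HIGH_RISK_SCOPES):
    """Findings for one registration: redirect URIs, scopes granted at setup, consent model."""
    findings = [f for uri in app["redirect_uris"] for f in redirect_uri_findings(uri, allowed_hosts)]
    risky = sorted(set(app["scopes"]) & high_risk)
    if risky:
        findings.append("high-risk scopes: " + ", ".join(risky))
    if app["user_consent"]:
        findings.append("end-user consent enabled; require admin consent")
    return findings

def error_driven_redirects(lines, allowed_hosts=ALLOWED_HOSTS):
    """Sign-in events that ended in an OAuth error and then redirected off the allowlist."""
    hits = []
    for line in lines:
        ev = dict(kv.split("=", 1) for kv in line.split())
        host = urlparse(ev.get("redirect", "")).hostname or ""
        if ev.get("result") == "error" and host not in allowed_hosts:
            hits.append((ev["user"], ev["app"], host))
    return hits
```

Run it against your own exported registrations and sign-in events by replacing the constructed data; the allowlist should be the set of redirect hosts your organisation actually operates.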
Your Questions, Answered
What is OAuth and why is it being targeted by attackers?
OAuth is a protocol that lets users log into third-party applications using credentials from services like Microsoft or Google without sharing passwords directly. Attackers target it because users trust these login flows, making them effective channels for redirecting victims to malware.
How do the new OAuth malware campaigns differ from earlier attacks?
Earlier OAuth abuse focused on stealing access tokens to hijack user sessions. The newer campaigns use redirect manipulation to send users from legitimate login pages to malware-hosting websites, aiming to compromise devices directly rather than steal credentials.
Does multi-factor authentication protect against OAuth redirect attacks?
Multi-factor authentication raises the barrier for attackers but does not stop all OAuth abuse. In these campaigns, the login process works correctly while the attack occurs through the redirect, making MFA insufficient as a sole defence.
What steps can organisations take to prevent OAuth-based attacks?
Organisations should restrict user consent for third-party apps, limit permitted redirect URLs, regularly audit OAuth registrations and monitor for unusual authorisation requests or error-driven redirect patterns.