OAuth Phishing Attacks: How to Stay Safe

OAuth Phishing Attacks: How to Stay Safe

Introduction to OAuth Phishing Attacks

Attackers are exploiting OAuth error redirects to send users from legitimate Microsoft or Google login URLs to phishing or malware pages. This happens without completing a successful sign-in or stealing tokens from the OAuth flow itself.

Understanding OAuth and Its Vulnerabilities

OAuth (Open Authorization) is an open-standard protocol for delegated authorization, allowing users to grant websites or applications access to their data on another service without sharing their password.

However, researchers have found that phishers use silent OAuth authentication flows and intentionally invalid scopes to redirect victims to attacker-controlled infrastructure without stealing tokens.

How the Attack Works

The attack chain starts with an email containing a plausible business lure, such as a document sharing or review request.

The email body contains a link that appears to be a normal Microsoft or Google login, but with abnormal parameters that are guaranteed to fail.

The identity provider evaluates the session and conditional access, determines the request cannot succeed silently, and returns an OAuth error, which then redirects the browser to the app’s registered redirect URI, controlled by the attacker.

Staying Safe from OAuth Phishing Attacks

To stay safe, be vigilant and follow these tips:

  • Be cautious when seeing very long URLs with oauth2, authorize, and lots of encoded text.
  • Verify with a trusted sender before clicking on links.
  • Assume emails with urgent requests are malicious until proven otherwise.
  • Stop and close the tab if redirected to an unfamiliar site.
  • Be wary of files that download immediately after clicking a link in an email.

Keep your OS, browser, and security tools up to date to block known phishing kits and malware downloads automatically.