Microsoft's security team says attackers are abusing legitimate OAuth redirect behavior to move people from trusted Microsoft or Google login URLs to phishing pages and malware. That matters because many users decide a page is safe long before they notice where the browser eventually lands.
According to a Microsoft Security Blog report published on March 2, attackers have been crafting OAuth authorization links that begin on familiar identity-provider domains, trigger an error path on purpose, and then redirect users to infrastructure the attacker controls. In some campaigns, the destination was a fake login page. In others, it led straight to malware delivery.
The key lesson is simple: the first visible domain may be legitimate, but the final place where the browser lands can still be hostile.
This kind of phishing is dangerous because the first domain really is trusted. The danger shows up in the redirect chain that happens next.
Microsoft described phishing campaigns that misuse standard OAuth parameters like prompt=none and intentionally invalid scopes. The goal is not to complete a clean sign-in. The goal is to make the identity provider perform a standards-compliant redirect to a landing page the attacker controls.
That subtle distinction is what makes the technique effective. The victim sees a familiar Microsoft or Google flow first, so the browser earns trust before it ever reaches the attacker page.
This is not just a lookalike-domain story. It is a trust-transfer story. Attackers borrow legitimacy from identity providers and then weaponize the browser's normal redirect behavior.
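One defensive way to apply that point, as an added example rather than code from Microsoft's report or from PhishClean: a small Python triage function that parses an authorization link, extracts the host named in redirect_uri (where the browser finally lands, whether sign-in succeeds or the provider returns an error), and flags prompt=none and unrecognised scope tokens. The identity-provider host set, the scope heuristic and the approved-host allowlist are assumptions of this example, not values from the report.

```python
from urllib.parse import parse_qs, urlparse

# Authorization hosts users tend to trust at a glance (assumed for this example).
IDP_HOSTS = {"login.microsoftonline.com", "accounts.google.com"}
# Scope tokens treated as ordinary; the check below is a review heuristic only.
COMMON_SCOPES = {"openid", "profile", "email", "offline_access"}


def triage_oauth_link(url: str, allowed_redirect_hosts: set) -> dict:
    """Parse an OAuth authorization URL and report redirect-abuse signals.

    The verdict is driven by the redirect_uri host, because that is where the
    browser ends up regardless of whether the identity provider accepts or
    rejects the request.
    """
    parsed = urlparse(url)
    if parsed.hostname not in IDP_HOSTS:
        return {"idp_link": False, "redirect_host": None, "reasons": [], "verdict": "not-idp"}

    params = parse_qs(parsed.query)

    def first(key: str) -> str:
        return params.get(key, [""])[0]

    reasons = []
    redirect_host = urlparse(first("redirect_uri")).hostname
    if redirect_host is None:
        reasons.append("no parseable redirect_uri; final destination unknown")
    elif redirect_host not in allowed_redirect_hosts:
        reasons.append(f"redirect_uri host {redirect_host!r} is not an approved application host")

    if first("prompt") == "none":
        reasons.append("prompt=none: a failed sign-in is returned as a redirect, not a login screen")

    # Heuristic: tokens that are neither common OIDC scopes nor resource-style
    # scopes (containing '.', '/' or ':') are worth a human look.
    odd = [s for s in first("scope").split()
           if s not in COMMON_SCOPES and not any(c in s for c in "./:")]
    if odd:
        reasons.append(f"unrecognised scope tokens {odd}; could be chosen to force an error path")

    if redirect_host not in allowed_redirect_hosts and len(reasons) >= 2:
        verdict = "suspicious"
    elif reasons:
        verdict = "review"
    else:
        verdict = "ok"
    return {"idp_link": True, "redirect_host": redirect_host, "reasons": reasons, "verdict": verdict}
```

Run it over links harvested from mail or proxy logs and route anything "suspicious" to the same queue as lookalike-domain hits.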
Users often make their safety decision too early. If the first screen feels familiar, many people stop checking where the session actually ends up.
Microsoft says the redirected flows were used for both phishing and malware delivery. That meant the attacker could win in more than one way.
The attacker does not need to steal an OAuth token to win. If the redirect chain gets the victim to a phishing kit or malicious file, the campaign has already done its job.
When people hear “OAuth abuse,” they often assume this is only a security-operations story. It is not. The tactic succeeds because it feels ordinary to the end user.
That makes it a browser trust problem as much as an identity problem.
The lesson is not that users should memorize OAuth internals. The lesson is that browser-side context matters more than ever. A safe-looking domain at the start of the journey can still end at a malicious page.
PhishClean is built around that exact gap: catching suspicious pages, misleading links, and browser-level phishing signals before a trusted-looking flow ends somewhere dangerous.
This post is based on Microsoft's March 2 report, “OAuth redirection abuse enables phishing and malware delivery.”
What is OAuth redirect abuse in phishing?
It is a technique where attackers abuse legitimate OAuth redirection behavior so a link starting on a trusted identity-provider domain quietly sends the user to an attacker-controlled phishing page or malware host.
Why is this dangerous for normal users?
People often trust Microsoft or Google login URLs at a glance. If the redirect happens after that trust decision, the attack can feel safe long enough to land on a fake login or malware page.
What should organizations do about it?
Review OAuth app governance, limit user consent, monitor redirect behavior, and teach users that trusted identity-provider domains are not enough on their own to prove the final destination is safe.
PhishClean helps detect misleading links, risky pages, and browser-level phishing signals before a trusted-looking flow ends somewhere dangerous.