Microsoft warns of OAuth phishing campaigns able to bypass email and browser defenses - says 'these campaigns demonstrate that this abuse is operational, not theoretical'

2026-03-03 15:10

An OAuth feature is being abused in the wild to drop malware to people's computers.

News by Sead Fadilpašić, published 3 March 2026

  • Microsoft warns hackers are abusing OAuth redirect feature to deliver malware
  • Phishing emails themed around Teams recordings or 365 resets redirect victims to attacker-controlled sites
  • Payloads dropped via ZIP archives with LNK shortcuts and HTML smuggling; final stage connects to external C2

Hackers are abusing a redirect feature in OAuth to infect people’s computers with malware and steal their login credentials, Microsoft is warning.

OAuth (short for Open Authorization) is a system which lets users log into websites using their account from another service, without giving that website their password. Whenever a “Log In With Google” popup is shown, it is most likely OAuth.

This system has a redirect feature which identity providers can use to send visitors to a different landing page, usually if the process triggers an error - but Microsoft says this feature is being abused.

Downloading the payload

In recently spotted attacks, the crooks would send phishing emails to government and public sector organizations, usually themed around Teams meeting recordings, or Microsoft 365 password reset requests. These emails would contain a link with carefully crafted parameters which, if clicked, would bring up OAuth and trigger an error.

Because of the error, the users would then be redirected to an attacker-owned phishing-as-a-service website, where malicious payloads are hosted.

"By hosting the payload on an application redirect URI under their control, attackers can quickly rotate or change redirected domains when security filters block them," Microsoft explained in a blog post.

In one observed attack, the victims were redirected to a /download/XXXX path that downloaded a ZIP file. That archive contained LNK shortcuts and HTML smuggling loaders, and when victims opened the shortcut files, they triggered a PowerShell command. In turn, that command ran discovery commands and launched a legitimate executable which, with the help of a side-loaded malicious DLL, executed the final payload.
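The chain above starts with a legitimate identity-provider link whose redirect_uri parameter points at attacker-controlled infrastructure. The following is an added triage example (not Microsoft's or the article's code) that inspects links pulled from email and flags OAuth authorization requests whose redirect host is not on a tenant allowlist; the identity-provider hostnames, the allowlist and the sample links are constructed assumptions for illustration.

```python
from urllib.parse import urlparse, parse_qs

# Hostnames treated as identity-provider authorization endpoints.
# Assumption for this example; extend with the providers your tenant uses.
IDP_HOSTS = {"login.microsoftonline.com", "accounts.google.com"}


def audit_oauth_link(url: str, trusted_redirect_hosts: set[str]) -> dict:
    """Inspect one link found in an email body.

    If it targets an OAuth authorization endpoint, extract redirect_uri and
    report whether its host is on the allowlist. The IdP domain in the link
    is genuine in this campaign, so the redirect host is the useful signal.
    """
    parsed = urlparse(url)
    finding = {"is_oauth": False, "redirect_host": None,
               "suspicious": False, "reason": ""}
    if parsed.hostname not in IDP_HOSTS or "authorize" not in parsed.path:
        return finding  # ordinary link, not an authorization request
    finding["is_oauth"] = True
    params = parse_qs(parsed.query)  # percent-decodes redirect_uri for us
    redirect = params.get("redirect_uri", [None])[0]
    if redirect is None:
        finding["suspicious"] = True
        finding["reason"] = "authorize request without redirect_uri"
        return finding
    rhost = urlparse(redirect).hostname
    finding["redirect_host"] = rhost
    if rhost not in trusted_redirect_hosts:
        finding["suspicious"] = True
        finding["reason"] = f"redirect_uri host {rhost!r} not in allowlist"
    return finding


# Constructed allowlist of redirect hosts this tenant's apps legitimately use.
TRUSTED = {"teams.microsoft.com", "portal.contoso.example"}

# Constructed sample links; the .invalid host is a placeholder, not an IoC.
BENIGN = ("https://login.microsoftonline.com/common/oauth2/v2.0/authorize"
          "?client_id=app-placeholder&response_type=code"
          "&redirect_uri=https%3A%2F%2Fteams.microsoft.com%2Fcallback")
SUSPECT = ("https://login.microsoftonline.com/common/oauth2/v2.0/authorize"
           "?client_id=app-placeholder&response_type=code"
           "&redirect_uri=https%3A%2F%2Fredirect.attacker-placeholder.invalid"
           "%2Fdownload%2FXXXX")

if __name__ == "__main__":
    for link in (BENIGN, SUSPECT):
        print(audit_oauth_link(link, TRUSTED))
```

Because the attacker can rotate the redirect domain quickly, an allowlist of expected redirect hosts holds up better than a blocklist of observed ones.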

The result was an outbound connection to an external C2 endpoint.

It is worth stressing that the victims did not lose their login credentials on the OAuth page - it was just used as a redirect feature to get a payload dropped. Right now, we don’t know how widespread the campaign is, or how many government organizations were affected.

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.