On March 2, 2026, Microsoft's Defender research team published a warning about a new wave of phishing attacks that abuse a built-in feature of OAuth, the authorization protocol behind the sign-in and app-permission flows of virtually every major online service. What makes these attacks particularly dangerous is that the phishing links begin at genuine login pages from Microsoft, Google and other trusted providers, so the first domain you see is the real one.
What Is OAuth and Why Should You Care?
OAuth 2.0 is the protocol behind every "Sign in with Google," "Sign in with Microsoft," or "Sign in with Apple" button you've ever clicked (strictly, those buttons use OpenID Connect, an identity layer built on OAuth). It lets an app or website confirm who you are and obtain limited access to your account at the provider without you creating a new password for every service.
Every OAuth sign-in ends with a redirect: after you authenticate, the provider sends your browser to a URL named in the request (the redirect_uri), normally back to the app you were trying to use. Attackers have found ways to point that redirect at sites they control, so the login is real but the landing page is not.
How the Attack Works
Step 1: The Phishing Email
It starts with an email. The lures Microsoft observed include:
- E-signature requests ("Please review and sign this document")
- Financial notifications ("Your invoice is ready")
- Social Security or tax-related alerts
- Political or news-themed content
The email contains a link that points to a real Microsoft or Google login page. This is why email filters often let it through: the domain is legitimate.
Step 2: The Manipulated Redirect
The link is a real authorization URL at the provider, but its OAuth parameters have been manipulated so that the redirect target is a site the attacker controls. When you click it, you see a genuine login page from Microsoft or Google, and you may complete a real authentication. Only after login does the provider's redirect send you to the attacker's page instead of the app you expected.
Step 3: Credential Theft
The redirect lands you on a phishing framework such as EvilProxy. These tools act as an attacker-in-the-middle: they proxy the real login page to you and relay what you type to the real service, capturing credentials and session cookies in transit. This means:
- Your password is captured
- Your MFA code or push approval is relayed to the real service, so the login completes and the attacker gets the result
- Your authenticated session cookie is stolen
- The attacker can now access your account as if they were you
Step 4: Malware Delivery (In Some Cases)
Microsoft also observed campaigns where the redirect triggered an automatic file download instead of a phishing page. Victims received ZIP files containing malicious shortcuts that ran PowerShell commands, installed malware and opened connections to attacker-controlled servers.
Why Traditional Defenses Fail
This attack is specifically designed to bypass the protections most people rely on:
- Email filters — The link points to a real Microsoft/Google domain, so it passes reputation checks
- Browser warnings — The initial page is legitimate, so browsers don't flag it
- "Check the URL" advice — The URL starts with a trusted domain, making visual inspection harder
- MFA — The attacker-in-the-middle approach captures the authenticated session, not just the password
How to Protect Yourself
1. Never Click Login Links in Emails
This is the single most effective defense. If an email asks you to sign in to any service, don't click the link. Instead, open your browser and navigate directly to the service by typing the URL or using a bookmark. This completely bypasses the manipulated OAuth redirect.
2. Inspect the Full URL Before Entering Credentials
If you do click a link, check the full URL in your browser's address bar before entering any credentials. Look for:
- A redirect_uri parameter that points anywhere other than the app you expected to land on (the host is usually percent-encoded, so decode it before judging), or unusual state or other parameters
- Extremely long URLs with encoded data
- Any redirect to a different domain after the initial login page
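Step 2 above and the checklist just given come down to one question: where does the redirect_uri in the link actually send you? The script below, added here as an example and not code from the article or the Microsoft report, parses an authorization URL and flags a redirect target outside the sites you expect, a second URL hidden inside a parameter by double percent-encoding, and oversized parameters carrying a payload. The provider hosts, the expected redirect hosts, the placeholder client_id and the three sample links are all constructed assumptions for the example.

```python
"""Inspect an OAuth/OIDC authorization URL before signing in.

Added example, not code from the article or the Microsoft report. The host
lists and the sample URLs are constructed for illustration.
"""
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Providers' authorize endpoints (assumption: the two the article names).
AUTHORIZE_HOSTS = {"login.microsoftonline.com", "accounts.google.com"}

# Hosts a redirect_uri may legitimately send you to: the apps you actually use
# plus the provider itself. Assumption for this example.
EXPECTED_REDIRECT_HOSTS = {"app.example.com", "login.microsoftonline.com"}

MAX_PARAM_LEN = 512  # parameters longer than this are carrying a payload

# Host part of any http(s) URL. Userinfo/port tricks such as
# https://login.microsoftonline.com@evil.example/ stay in the match and
# therefore fail the allowlist check instead of slipping past it.
URL_HOST = re.compile(r"https?://([^/?#\s]+)", re.IGNORECASE)


def fully_unquote(value, rounds=5):
    """Undo nested percent-encoding so a URL hidden inside a parameter surfaces."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def embedded_hosts(value):
    """All hosts named by URLs inside a (possibly nested-encoded) parameter value."""
    return [h.lower() for h in URL_HOST.findall(fully_unquote(value))]


def inspect_authorize_url(url):
    """Return a list of findings; an empty list means nothing looked off."""
    findings = []
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if host not in AUTHORIZE_HOSTS:
        findings.append(f"{host} is not a known authorize endpoint")
    params = parse_qs(parts.query, keep_blank_values=True)

    redirect = params.get("redirect_uri", [None])[0]
    if redirect is None:
        findings.append("no redirect_uri shown; the app's registered one will be used")
    else:
        hosts = embedded_hosts(redirect)
        if not hosts:
            findings.append(f"redirect_uri is not an absolute URL: {redirect}")
        for h in hosts:
            if h not in EXPECTED_REDIRECT_HOSTS:
                findings.append(f"redirect_uri points at {h}, outside expected sites")
        if not fully_unquote(redirect).lower().startswith("https://"):
            findings.append("redirect_uri is not https")

    for name, values in params.items():
        for value in values:
            if len(value) > MAX_PARAM_LEN:
                findings.append(f"{name} carries {len(value)} characters of encoded data")
            if name != "redirect_uri":
                for h in embedded_hosts(value):
                    findings.append(f"{name} contains an embedded URL to {h}")
    return findings


# Constructed sample links (the client_id is a placeholder, not a real app).
AUTHZ = "https://login.microsoftonline.com/common/oauth2/v2.0/authorize"
CLIENT = "client_id=00000000-0000-0000-0000-000000000000&response_type=code&scope=openid"

GOOD_URL = f"{AUTHZ}?{CLIENT}&redirect_uri=https%3A%2F%2Fapp.example.com%2Fcallback&state=abc123"

# Redirect target is a lookalike domain and state carries a large blob.
BAD_URL = (f"{AUTHZ}?{CLIENT}"
           "&redirect_uri=https%3A%2F%2Flogin-verify.example.net%2Fcb"
           "&state=" + "QUFB" * 200)

# Double-encoded second hop hidden inside an otherwise expected redirect_uri.
NESTED_URL = (f"{AUTHZ}?{CLIENT}"
              "&redirect_uri=https%3A%2F%2Fapp.example.com%2Fredir%3Fnext%3D"
              "https%253A%252F%252Fevil.example%252F&state=xyz")

if __name__ == "__main__":
    for label, url in ("good", GOOD_URL), ("bad", BAD_URL), ("nested", NESTED_URL):
        print(label, inspect_authorize_url(url) or ["no findings"])
```

The allowlist is the part you have to supply yourself: the script can only say that a redirect leaves the sites you told it to expect, which is exactly the judgement the checklist asks you to make by eye.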
3. Use Hardware Security Keys
FIDO2 hardware security keys (such as a YubiKey) and passkeys are resistant to phishing because the browser binds each authentication to the domain of the page you are on. If you land on a phishing proxy, the key will not produce a login that the real service accepts, because the proxy's domain does not match the one the credential was registered for. This protection only holds if the account has no weaker fallback method, such as SMS codes, that the attacker can push you toward.
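To make the domain binding concrete, here is an added example (not code from the article) of the relying-party checks that tie a WebAuthn assertion to the site the user was really on. The RP ID login.example.com, its origin and the proxy domain login-verify.example.net are constructed; verifying the ECDSA signature with the credential's public key is the step a real verifier performs after these checks and is left out. In practice the ceremony on the proxy fails even earlier, since the authenticator has no credential registered for the proxy's domain; the checks below show why a relayed assertion would be rejected even if one were produced.

```python
"""Why an attacker-in-the-middle proxy cannot reuse a FIDO2/WebAuthn login.

Added example, not from the article. Implements the relying-party checks on
clientDataJSON and rpIdHash; the signature check that follows them in a real
verifier is omitted (assumption: done with the credential's public key).
"""
import base64
import hashlib
import json
import os

RP_ID = "login.example.com"              # assumption: the real service's RP ID
RP_ORIGIN = "https://login.example.com"  # assumption: its web origin


def b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def browser_client_data(origin, challenge):
    """Bytes the browser builds for navigator.credentials.get(). The browser,
    not the page, fills in origin, so a proxy page cannot claim another site."""
    payload = {"type": "webauthn.get", "challenge": b64url(challenge), "origin": origin}
    return json.dumps(payload, separators=(",", ":")).encode()


def authenticator_data(rp_id, counter=1):
    """authenticatorData: SHA-256 of the RP ID the browser permitted (it must be
    the page's domain or a registrable parent), then flags and the sign counter."""
    return hashlib.sha256(rp_id.encode()).digest() + b"\x01" + counter.to_bytes(4, "big")


def check_binding(client_data_json, auth_data, expected_challenge,
                  rp_id=RP_ID, origin=RP_ORIGIN):
    """Relying-party side. Returns (ok, reason). Signature verification over
    auth_data || SHA-256(client_data_json) would follow a True result (omitted)."""
    try:
        cd = json.loads(client_data_json)
    except ValueError:
        return False, "clientDataJSON is not JSON"
    if cd.get("type") != "webauthn.get":
        return False, "not an authentication ceremony"
    if cd.get("challenge") != b64url(expected_challenge):
        return False, "challenge mismatch: not our login request"
    if cd.get("origin") != origin:
        return False, f"origin {cd.get('origin')!r} is not {origin}"
    if auth_data[:32] != hashlib.sha256(rp_id.encode()).digest():
        return False, "rpIdHash is not for our RP ID"
    return True, "assertion is bound to our origin and RP ID"


def demo():
    """Constructed scenario: the same user and key, once on the real site and
    once on a phishing proxy at login-verify.example.net."""
    challenge = os.urandom(32)  # issued by the real service for this login
    genuine = check_binding(browser_client_data(RP_ORIGIN, challenge),
                            authenticator_data(RP_ID), challenge)
    # The proxy relays our challenge to the victim's browser, but the browser
    # records the proxy's origin and only allows the proxy's domain as RP ID.
    proxy_origin = "https://login-verify.example.net"
    proxied = check_binding(browser_client_data(proxy_origin, challenge),
                            authenticator_data("login-verify.example.net"), challenge)
    return genuine, proxied


if __name__ == "__main__":
    print(demo())
```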
4. Review Your OAuth App Permissions
Regularly check which third-party apps have access to your accounts:
- Google: myaccount.google.com → Security → Third-party apps
- Microsoft: account.microsoft.com → Privacy → App access
- Apple: appleid.apple.com → Sign-In and Security → Sign in with Apple
Revoke access for any app you don't recognize.
5. Check the Initial Email
Even though the link points to a legitimate domain, the email that carries it often gives itself away. Look at the sender's authentication results (SPF, DKIM and DMARC), which most mail services expose in the message headers or in an "authentication" detail view. A message that claims to come from a domain it fails DMARC for was not sent by that domain. A pass is not proof of good faith, though: attackers can pass all three checks for a domain they own or have compromised, so a lookalike sender address that authenticates cleanly is still a phish.
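Reading those results by hand is error-prone, so here is an added example (not code from the article or its vendor) that pulls the SPF, DKIM and DMARC verdicts out of the Authentication-Results header your own mail server stamped and compares the DMARC domain with the From address the user sees. The receiving server's name mx.example.com and the three messages are constructed; the assumption that your MTA strips inbound Authentication-Results lines claiming its own name is stated in the code.

```python
"""Read the SPF, DKIM and DMARC verdicts your own mail server stamped on a message.

Added example, not code from the article or its vendor. The three messages are
constructed, and the receiving server's authserv-id (mx.example.com) is an
assumption; substitute the name your MTA writes into Authentication-Results.
"""
import email
import email.utils
import re

RECEIVER = "mx.example.com"  # assumption: authserv-id written by our own MTA
_CHECK = re.compile(r"\b(spf|dkim|dmarc)=(\w+)", re.IGNORECASE)
_FROM_DOMAIN = re.compile(r"header\.from=([\w.-]+)", re.IGNORECASE)


def parse_auth_results(msg, receiver=RECEIVER):
    """Collect verdicts from Authentication-Results headers written by our receiver.

    Only the header whose authserv-id is ours counts. Anyone can put an
    Authentication-Results line in an outgoing message, so a trustworthy MTA
    strips or renames inbound copies that claim its own name (assumption here).
    """
    results = {}
    for header in msg.get_all("Authentication-Results", []):
        text = " ".join(str(header).split())  # unfold and squeeze whitespace
        authserv, _, rest = text.partition(";")
        if authserv.strip().lower() != receiver:
            continue
        for m in _CHECK.finditer(rest):
            results[m.group(1).lower()] = m.group(2).lower()
        m = _FROM_DOMAIN.search(rest)
        if m:
            results["dmarc_domain"] = m.group(1).lower()
    return results


def visible_from_domain(msg):
    """Domain of the From: address the user sees in their mail client."""
    addr = email.utils.parseaddr(msg.get("From", ""))[1]
    return addr.rpartition("@")[2].lower()


def assess(raw_message):
    """Return a verdict dict: 'authenticated' only if SPF, DKIM and DMARC all
    pass and DMARC was evaluated for the domain the user actually sees."""
    msg = email.message_from_string(raw_message)
    results = parse_auth_results(msg)
    from_domain = visible_from_domain(msg)
    reasons = []
    if not results:
        reasons.append("no Authentication-Results header from our receiver")
    for check in ("spf", "dkim", "dmarc"):
        if results.get(check) != "pass":
            reasons.append(f"{check} {results.get(check, 'missing')}")
    if results.get("dmarc_domain", from_domain) != from_domain:
        reasons.append("DMARC was evaluated for a different domain than the visible From")
    return {
        "from_domain": from_domain,
        "results": results,
        "verdict": "authenticated" if not reasons else "suspicious",
        "reasons": reasons,
    }


# Constructed: visible From claims the bank, envelope sender is a bulk mailer,
# DKIM and DMARC fail for the bank's domain.
RAW_SUSPICIOUS = """\
Authentication-Results: mx.example.com;
 spf=pass (sender IP is 203.0.113.7) smtp.mailfrom=bounce.mailer-svc.example;
 dkim=fail (signature did not verify) header.d=bank.example;
 dmarc=fail (p=REJECT sp=REJECT dis=none) header.from=bank.example
From: "Bank Notifications" <alerts@bank.example>
To: victim@example.com
Subject: Your invoice is ready

Please sign in to review the attached invoice.
"""

# Constructed: a genuinely authenticated message from the same domain.
RAW_OK = """\
Authentication-Results: mx.example.com;
 spf=pass smtp.mailfrom=bank.example;
 dkim=pass header.d=bank.example;
 dmarc=pass (p=REJECT) header.from=bank.example
From: alerts@bank.example
To: victim@example.com
Subject: Your statement is available

Your monthly statement is ready.
"""

# Constructed: the sender added their own all-pass header; it names a different
# authserv-id, so it is ignored and the message has no trusted verdict at all.
RAW_FORGED = """\
Authentication-Results: mail.attacker.example; spf=pass; dkim=pass; dmarc=pass
From: alerts@bank.example
To: victim@example.com
Subject: Action required

Please review and sign this document.
"""

if __name__ == "__main__":
    for raw in (RAW_SUSPICIOUS, RAW_OK, RAW_FORGED):
        print(assess(raw))
```

Note that SPF passes on the first message: it was evaluated against the bulk mailer's bounce domain, not the bank's. That is why DMARC, which ties the result to the visible From domain, is the verdict to look at first.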
What Makes This Different from Regular Phishing
In traditional phishing, the email contains a link to a fake website that mimics a real service. These are relatively easy to spot by checking the URL. OAuth phishing is fundamentally different because it starts at the real website and exploits a legitimate protocol feature to redirect you after authentication.
Combined with AI-generated email text and deepfake follow-up calls, OAuth phishing represents a significant escalation in attacker sophistication.
Let Us Check the Email
While the link may point to a legitimate domain, the email that delivers it usually cannot hide its true origin. Forward any suspicious email to us and we'll analyze the headers, sender authentication and domain reputation to help you decide whether it's safe.
We verify SPF, DKIM and DMARC, the signals an attacker cannot forge for a domain they do not control, even when the links inside the message look legitimate.