Microsoft has issued a formal warning about an active series of phishing campaigns that exploit a standard feature of the OAuth authentication protocol to deliver malware directly to victims' devices, with government and public-sector organisations identified as the primary targets. The warning, published by Microsoft's security researchers on Monday, arrives at a moment when Australian agencies are already contending with a rising tide of identity-based cyber threats.
OAuth, short for Open Authorisation, is the protocol that powers the familiar "sign in with Google" or "sign in with Apple" buttons found across the web. The activity described by Microsoft highlights a class of identity-based threats that abuse OAuth's standard, by-design behaviour rather than exploiting software vulnerabilities or stealing credentials. In practice, that means the attack does not require a flaw in Microsoft's code; the criminals are using the protocol exactly as designed, just for purposes its architects did not intend.
The mechanics are deliberately deceptive. Attackers abuse OAuth redirect behaviour by sending phishing links to a legitimate authorisation endpoint that carry a combination of crafted parameters designed to trigger an error. The OAuth specification acknowledges that attackers can deliberately trigger such errors, for example by supplying an invalid scope parameter, and because the authorisation server reports the error by redirecting the browser to the application's registered redirect URI, this standards-compliant behaviour can be abused to bounce users through trusted authorisation endpoints to attacker-controlled destinations. From the victim's perspective, the URL looks entirely routine.
All of the campaigns begin with a phishing email. The lures include e-signature requests, offers to access recordings of Teams meetings, Microsoft 365 password reset instructions, and political themes, all intended to trick users into clicking the malicious link. Attackers typically embed the malicious URL in the body of the email, but in some cases place both the URL and the lure inside a PDF attachment.
What distinguishes these campaigns from conventional credential-harvesting operations is their end goal. The criminals are not stealing users' access tokens, because the user has not granted the application permission to access a resource. Stealing tokens is not the point of the scam; the intent is to force an error code during sign-in that redirects victims to a landing page hosting malicious payloads. In one documented instance, that payload was a ZIP archive containing LNK shortcut files. When opened, the shortcut executed a PowerShell command that performed reconnaissance on the machine before launching a legitimate executable, steam_monitor.exe, which was abused to side-load a malicious DLL. That DLL then decrypted a data file and established an outbound connection to an external command-and-control server, giving attackers persistent remote access.
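As an added example (not from Microsoft's advisory or its tooling), the following Python triages OAuth authorisation URLs extracted from email bodies for the two signals described above: a redirect_uri that points outside an organisation's sanctioned hosts, and a scope value that is syntactically malformed. The endpoint list, the redirect allowlist and the sample URLs are constructed assumptions.

```python
# Added example: triage OAuth authorisation links found in email. Not Microsoft's code.
from urllib.parse import urlparse, parse_qs

# Authorisation endpoints an organisation expects to see in legitimate links (assumption).
AUTHZ_HOSTS = {"login.microsoftonline.com", "login.live.com"}
# redirect_uri hosts the organisation has sanctioned for first-party apps (constructed allowlist).
TRUSTED_REDIRECT_HOSTS = {"outlook.office.com", "teams.microsoft.com"}


def scope_is_wellformed(scope):
    """RFC 6749 s3.3: scope is space-separated tokens of printable ASCII, excluding '"' and '\\'."""
    tokens = scope.split(" ")
    return all(
        tok and all(0x21 <= ord(c) <= 0x7E and c not in '"\\' for c in tok)
        for tok in tokens
    )


def triage_oauth_url(url):
    """Return a list of findings for one URL; an empty list means nothing suspicious was seen."""
    findings = []
    parsed = urlparse(url)
    if parsed.hostname not in AUTHZ_HOSTS or "/oauth2/" not in parsed.path:
        return findings  # not an OAuth authorisation link; out of scope for this check
    params = {k: v[0] for k, v in parse_qs(parsed.query).items()}

    redirect = params.get("redirect_uri")
    if redirect:
        rparsed = urlparse(redirect)
        if (rparsed.hostname or "") not in TRUSTED_REDIRECT_HOSTS:
            findings.append(f"redirect_uri points to untrusted host {rparsed.hostname}")
        if rparsed.scheme != "https":
            findings.append("redirect_uri is not https")

    # A missing or malformed scope is one way a link can be crafted to force an error response.
    if not scope_is_wellformed(params.get("scope", "")):
        findings.append("scope is missing or malformed (may be crafted to force an error redirect)")
    return findings


# Constructed sample links (client_id and redirect hosts are placeholders, not real indicators).
BENIGN_URL = ("https://login.microsoftonline.com/common/oauth2/v2.0/authorize"
              "?client_id=00000000-0000-0000-0000-000000000000&response_type=code"
              "&redirect_uri=https%3A%2F%2Fteams.microsoft.com%2Fgo&scope=openid%20profile")
SUSPICIOUS_URL = ("https://login.microsoftonline.com/common/oauth2/v2.0/authorize"
                  "?client_id=00000000-0000-0000-0000-000000000000&response_type=code"
                  "&redirect_uri=https%3A%2F%2Fupdates.example.invalid%2Fcb&scope=%22x%22")

if __name__ == "__main__":
    for u in (BENIGN_URL, SUSPICIOUS_URL):
        print(u[:60], triage_oauth_url(u))
```

A scope that is well-formed but unknown to the authorisation server also produces an error redirect, so the redirect host check is the stronger of the two signals; the scope check only catches the crude cases.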
Microsoft noted that indicators suggest the actors used free prebuilt mass-sending tools as well as custom solutions developed in Python and Node.js, and that in some cases cloud email services and cloud-hosted virtual machines were used to distribute the messages. The attack infrastructure also routed some victims through phishing-as-a-service platforms such as EvilProxy, enabling interception of session cookies alongside the malware delivery.
While Microsoft Entra has disabled the specific malicious OAuth applications identified, Microsoft's security team warned that "related OAuth activity persists and requires ongoing monitoring." The company declined to disclose the full scale of the campaigns, including the number of organisations affected, according to reporting by The Register.
The disclosure matters acutely for Australia. The Australian Signals Directorate's Annual Cyber Threat Report 2024-25 recorded that critical infrastructure accounted for 13 per cent of more than 1,200 reported incidents, up two per cent from the previous year. Malicious cyber actors continue to target Australian governments, critical infrastructure, businesses, and individuals. The OAuth redirect technique is particularly concerning because it does not require users to make an obvious mistake; the authentication page they see can be genuine, with the malicious redirect occurring as a consequence of a crafted error rather than a spoofed site.
Defenders argue, with some justification, that the underlying problem is a governance failure as much as a technical one. Organisations can reduce risk by closely governing OAuth applications, limiting user consent, regularly reviewing application permissions, and removing unused or overprivileged apps; combined with identity protection and Conditional Access policies, these measures help prevent trusted authentication flows from being misused. The Australian Cyber Security Centre has long recommended phishing-resistant multi-factor authentication as a baseline control, though the OAuth redirect technique is specifically designed to operate within, rather than bypass, existing sign-in flows.
Critics of the current regulatory posture would point out that awareness campaigns and voluntary frameworks have repeatedly proven insufficient against determined adversaries. As organisations strengthen defences against credential theft and MFA bypass, attackers increasingly target trust relationships and protocol behaviour instead. The implication is uncomfortable: hardening one layer of the stack can push sophisticated actors toward abusing the layers beneath it.
The honest assessment is that no single control closes this gap entirely. Organisations that have invested in robust identity governance, application allowlisting, and endpoint detection are meaningfully better positioned than those that have not. Entities are being urged to comply with cyber maturity frameworks, ensure critical systems are segregated, and implement phishing-resistant multi-factor authentication with robust logging and review protocols. For Australian public-sector agencies in particular, the Microsoft warning is a timely reminder that the threat surface now includes the authentication infrastructure itself, not just the credentials it protects. Treating OAuth permissions with the same rigour applied to network access controls is, at this point, a basic expectation rather than a stretch goal.