OAuth phishers make ‘check where the link points’ advice ineffective
Summary
Phishers are abusing a legitimate feature of the OAuth protocol to deliver malware, which defeats the traditional advice to check where a link points. By crafting URLs that point at trusted identity providers such as Microsoft Entra ID or Google Workspace but carry manipulated parameters, attackers have the trusted provider itself redirect the user to a malicious landing page.
IFF Assessment
This attack undermines a common user defense, inspecting the link destination, by leveraging legitimate functionality of trusted services: the link genuinely points at a trusted domain, so the usual check passes and users have a much harder time identifying the malicious link.
Defender Context
This is a sophisticated phishing technique that abuses the trust inherent in OAuth flows, so defenders must look beyond simple URL inspection: the visible hostname is legitimate, and the malicious destination is carried in the parameters. Organizations should educate users about this specific attack vector and consider stricter controls on OAuth application registrations and permissions to reduce the risk of redirection abuse.
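The detection gap described above is that the hostname check passes while the redirect parameter carries the real destination. The following is an added example (not code from the article or from any vendor) of the check a mail or link-scanning filter can perform instead: for links to an identity provider's authorization endpoint, decode the redirect_uri parameter, including nested percent-encoding, and compare its host against an allowlist of redirect hosts the organization actually registered. The IdP host list, the allowlist, the hypothetical client IDs and the sample message are all constructed for the example; the `.invalid` domains never resolve.

```python
"""Flag OAuth authorization links whose redirect target lies outside the organization.

Added example, not the article's own code. It assumes a static allowlist of
redirect hosts; a production version would instead pull the registered redirect
URIs from the tenant's application registrations.
"""
import re
from urllib.parse import parse_qs, unquote, urlparse

# Authorization endpoints of the identity providers the article names.
# Constructed list; extend it with every IdP your users sign in through.
IDP_AUTHORIZE_HOSTS = {"login.microsoftonline.com", "accounts.google.com"}

# Constructed allowlist: redirect hosts the organization has actually registered.
TRUSTED_REDIRECT_HOSTS = {"sso.example-corp.invalid", "app.example-corp.invalid"}

URL_RE = re.compile(r"https?://[^\s<>\"']+")


def _fully_unquote(value, rounds=3):
    """Undo up to `rounds` layers of percent-encoding (parse_qs removes only one)."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def _host_trusted(host, trusted):
    """Exact match or subdomain of an allowlisted host."""
    return any(host == t or host.endswith("." + t) for t in trusted)


def classify_link(url, trusted=TRUSTED_REDIRECT_HOSTS):
    """Return (verdict, detail).

    verdict is 'not_oauth' (not an IdP authorize link), 'ok' (every redirect_uri
    lands on a trusted host over https) or 'suspicious' (anything else).
    """
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    if host not in IDP_AUTHORIZE_HOSTS:
        return "not_oauth", host
    redirects = parse_qs(parsed.query).get("redirect_uri", [])
    if not redirects:
        return "ok", "no redirect_uri parameter"
    for raw in redirects:
        target = urlparse(_fully_unquote(raw))
        target_host = (target.hostname or "").lower()
        # A non-https scheme or a host outside the allowlist is the signal:
        # the visible link host is trusted, the redirect destination is not.
        if target.scheme != "https" or not _host_trusted(target_host, trusted):
            return "suspicious", target_host or raw
    return "ok", "redirect_uri on trusted host"


def find_suspicious_links(text, trusted=TRUSTED_REDIRECT_HOSTS):
    """Scan an email body or chat message; return [(url, redirect_host), ...]."""
    hits = []
    for url in URL_RE.findall(text):
        verdict, detail = classify_link(url, trusted)
        if verdict == "suspicious":
            hits.append((url, detail))
    return hits


# Constructed sample message: one lure link and one legitimate internal link.
SAMPLE_MESSAGE = """A document has been shared with you:
https://login.microsoftonline.com/common/oauth2/v2.0/authorize?client_id=constructed-app-id&response_type=code&redirect_uri=https%3A%2F%2Fdocs-review.attacker-controlled.invalid%2Fland&scope=openid
Internal portal: https://login.microsoftonline.com/common/oauth2/v2.0/authorize?client_id=constructed-app-id&response_type=code&redirect_uri=https%3A%2F%2Fsso.example-corp.invalid%2Fcallback&scope=openid
"""

if __name__ == "__main__":
    for url, redirect_host in find_suspicious_links(SAMPLE_MESSAGE):
        print(f"SUSPICIOUS redirect to {redirect_host}: {url}")
```

Tune the allowlist before deploying: a redirect_uri to a legitimate third-party SaaS application will also be flagged, which is usually desirable as a review queue rather than a block. Pair the filter with the registration controls the article recommends, since the provider only redirects to URIs registered for the client_id in the link; a redirect host nobody in the organization registered is the anomaly worth alerting on.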