Microsoft warning: attackers are abusing Google logins to spread malware


Hackers are hijacking trusted OAuth login flows to redirect victims to phishing traps, where they unknowingly download malware.

A new phishing campaign is exploiting OAuth sign-in flows to steal credentials and deliver malware. Researchers at Microsoft have observed attackers exploiting OAuth’s built-in redirection mechanism to target governments and public-sector organizations.

OAuth, short for Open Authorization, is a widely used authorization framework that lets a website or app act on a user’s behalf with a third-party account, such as Google, Facebook, or Apple. With the OpenID Connect layer on top, the same flow is what powers “log in with Google”-style sign-in.

During the authorization process, the identity provider issues access tokens that grant the app limited access, so the user never has to share their password with that app.

In the malicious campaign, attackers are abusing the redirect step of the OAuth authorization flow, not the tokens themselves, to bounce users from trusted identity providers such as Microsoft Entra ID and Google Workspace to landing pages under their control. On these sites, users unknowingly download malware.

Rather than pointing victims straight at an attacker-owned domain, the lure links go through the trusted identity provider’s domain, which acts as an intermediary. This way, they can bypass some traditional phishing defenses that focus on suspicious domains in email or browser filtering.

Microsoft Defender flagged suspicious activity across email, identity, and endpoint telemetry. While the company disabled the malicious OAuth applications identified during its investigation, it warned that related activity is ongoing.

How does the malicious campaign work?

Within the OAuth framework, when a user clicks “sign in,” the browser is redirected to an identity provider. Under certain conditions, including when the authorization request itself is malformed and fails validation, the provider redirects the user again to the application’s pre-registered redirect URI and attaches the error details. Attackers are targeting this feature.

In the campaigns observed by Microsoft, threat actors created malicious OAuth applications in their own tenants. They configured redirect links pointing to phishing pages and distributed phishing emails.

Victims are reeled in with social-engineering lures: e-signature requests and messages with financial, political, or social-security themes.

In some cases, attackers embedded the link directly in the email body. In others, they placed it inside a PDF attachment or a calendar invite to increase credibility.

All of these phishing emails contain OAuth authorization URLs that ultimately deliver users to a malicious site. When victims click the link, they are first taken to a legitimate identity provider domain, which is what the link visibly points at.

By design, the OAuth framework returns an error when the authorization request cannot proceed and redirects the browser to the application’s registered redirect URI along with the error details. Because the attacker registered the application, the attacker also chose that redirect URI, and the trusted login domain becomes the hop that lands the victim on a malicious page.
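The redirect behaviour described above, as an added example that is not code from Microsoft or the article: a toy authorization endpoint that follows RFC 6749 section 4.1.2.1, where a request with a registered client_id and redirect_uri but an otherwise invalid parameter (here an unknown scope) is answered with a redirect to the registered redirect_uri carrying error parameters, while an unregistered redirect_uri is rejected without any redirect. The app registration, client id, hostnames and state value are constructed placeholders.

```python
"""Toy OAuth authorization endpoint modelling RFC 6749 section 4.1.2.1.

Added example, not Microsoft's or any identity provider's code. Shows why a
malformed authorization request for an attacker-registered app ends with the
browser redirected to the attacker's redirect_uri, without the model ever
reaching a sign-in prompt. All identifiers and hostnames are placeholders.
"""
from typing import Optional
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed registry standing in for an attacker-controlled tenant's app.
# The client_id is a placeholder, not a real application ID.
REGISTERED_APPS = {
    "11111111-2222-3333-4444-555555555555": {
        "redirect_uris": {"https://docs-esign.example/callback"},
    },
}
VALID_SCOPES = {"openid", "profile", "email", "offline_access", "User.Read"}
VALID_RESPONSE_TYPES = {"code", "token", "id_token"}


def handle_authorize(query: str) -> dict:
    """Decide what the authorization endpoint does with a request query string.

    Returns one of:
      {"action": "reject", "status": 400, "error": ...}   answered directly, no redirect
      {"action": "redirect", "location": "<redirect_uri>?error=..."}
      {"action": "prompt_login", "client_id": ...}        request is well-formed
    """
    p = {k: v[0] for k, v in parse_qs(query).items()}
    app = REGISTERED_APPS.get(p.get("client_id", ""))
    redirect_uri = p.get("redirect_uri", "")

    # RFC 6749 4.1.2.1: an unknown client_id or a redirect_uri that does not
    # match the registration MUST NOT cause a redirect to that URI.
    if app is None or redirect_uri not in app["redirect_uris"]:
        return {"action": "reject", "status": 400, "error": "invalid_request"}

    # Any other validation failure is reported by redirecting the browser to
    # the registered redirect_uri with error parameters in the query string.
    error = None
    if p.get("response_type") not in VALID_RESPONSE_TYPES:
        error = "unsupported_response_type"
    elif not set(p.get("scope", "").split()) <= VALID_SCOPES:
        error = "invalid_scope"
    if error:
        params = {"error": error, "error_description": f"{error}: request rejected"}
        if "state" in p:
            params["state"] = p["state"]   # echoed back exactly as the client sent it
        return {"action": "redirect", "location": f"{redirect_uri}?{urlencode(params)}"}

    return {"action": "prompt_login", "client_id": p["client_id"]}


def build_authorize_url(client_id: str, redirect_uri: str, scope: str) -> str:
    """Build the kind of link a lure email would carry: the identity provider's
    own authorize endpoint with the attacker's app parameters. The host is a
    placeholder for a real provider endpoint."""
    q = urlencode({
        "client_id": client_id,
        "response_type": "code",
        "redirect_uri": redirect_uri,
        "scope": scope,
        "state": "lure-42",
    })
    return f"https://idp.example/oauth2/v2.0/authorize?{q}"


def process_lure(url: str) -> dict:
    """Run a full authorize URL through the endpoint model."""
    return handle_authorize(urlsplit(url).query)


def redirect_target(url: str) -> Optional[str]:
    """Where the browser ends up after the endpoint processes the lure, or
    None when the request is rejected outright or proceeds to login."""
    outcome = process_lure(url)
    return outcome["location"] if outcome["action"] == "redirect" else None


if __name__ == "__main__":
    lure = build_authorize_url(
        "11111111-2222-3333-4444-555555555555",
        "https://docs-esign.example/callback",
        "openid no.such.scope",        # deliberately invalid scope
    )
    print("lure link   :", lure)
    print("browser goes:", redirect_target(lure))
```

Swap the scope for a valid one and the same link proceeds to a login prompt instead; change the redirect_uri to anything not registered and the endpoint refuses without redirecting. That asymmetry is the whole trick: the attacker controls the registration, so the "safe" branch is the one that delivers the victim to them.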

Credentials were intercepted

Once redirected, victims often landed on phishing pages built with tools like EvilProxy. These frameworks are designed to steal login credentials and session cookies.

To avoid detection, the pages frequently displayed CAPTCHA challenges or added extra verification steps to keep automated security scanners from reaching the credential-harvesting content. In some campaigns, the redirect led directly to malware distribution.

Microsoft documented cases where victims were automatically served ZIP archives containing malicious LNK shortcut files. When opened, these launched PowerShell commands to perform system reconnaissance and extract additional components.

In one observed attack chain, the threat actors used DLL side-loading to run a final payload directly in memory, then opened an outbound connection to a command-and-control server.

“These campaigns demonstrate that this abuse is operational, not theoretical,” wrote Microsoft. “As organizations strengthen defenses against credential theft and MFA bypass, attackers increasingly target trust relationships and protocol behavior instead.”

Researchers highlight the need for stronger cross-domain XDR detection, clearer oversight of OAuth redirection rules, and ongoing cooperation across the security community to curb abuse.

How to stay safe?

Microsoft emphasized that although the observed malicious OAuth applications were disabled, similar techniques can still be used with newly registered applications.

The company recommends that organizations strengthen governance over OAuth applications by:

  • Restricting user consent for new applications
  • Regularly reviewing application permissions
  • Removing unused or overprivileged apps
  • Enforcing Conditional Access policies
  • Deploying cross-domain detection across email, identity, and endpoint systems
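The cross-domain detection the last recommendation asks for, as an added example rather than Microsoft Defender’s own logic: a scanner that pulls OAuth authorization URLs out of email and web-proxy log lines, flags any whose redirect_uri points at a host outside the organization’s allow-list, and then correlates the lure’s state value with a later proxy request to that host carrying an OAuth error response, which is the evidence that a user actually followed the link and was bounced off the identity provider. The authorize-endpoint paths are the public ones for Entra ID and Google; the log lines, hostnames, client ids and the allow-list are constructed for the example.

```python
"""Flag OAuth authorize URLs with untrusted redirect_uri hosts and correlate
them with later proxy hits on those hosts.

Added example, not Microsoft Defender's detection logic. Log format, hosts,
client ids and TRUSTED_REDIRECT_HOSTS are constructed for the example.
"""
import re
from urllib.parse import parse_qs, urlsplit

# Public authorization endpoints of the two identity providers named in the
# article (Entra ID paths are preceded by /{tenant}).
AUTHZ_ENDPOINTS = {
    "login.microsoftonline.com": "/oauth2/v2.0/authorize",
    "accounts.google.com": "/o/oauth2/v2/auth",
}
# Assumed allow-list: callback hosts of the organisation's own applications.
TRUSTED_REDIRECT_HOSTS = {"app.contoso.example", "portal.contoso.example"}

URL_RE = re.compile(r"https?://[^\s<>\"']+")

# Constructed log lines: one lure email, one benign proxy request, and one
# proxy request showing a user arriving at the lure's redirect host.
SAMPLE_LOGS = [
    'MAIL src=esign@docs-esign.example subj="Signature requested" '
    'url=https://login.microsoftonline.com/aaaaaaaa-0000-0000-0000-000000000001'
    '/oauth2/v2.0/authorize?client_id=11111111-2222-3333-4444-555555555555'
    '&response_type=code&redirect_uri=https%3A%2F%2Fdocs-esign.example%2Fcallback'
    '&scope=openid%20no.such.scope&state=lure-42',
    'PROXY src=10.0.0.7 GET https://accounts.google.com/o/oauth2/v2/auth?'
    'client_id=example-client&response_type=code'
    '&redirect_uri=https%3A%2F%2Fapp.contoso.example%2Fcb&scope=openid',
    'PROXY src=10.0.0.9 GET https://docs-esign.example/callback?error=invalid_scope'
    '&error_description=x&state=lure-42',
]


def _query(url):
    """Query string of url as a flat dict (first value per key)."""
    return {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}


def authorize_url_parts(url):
    """Return (provider_host, query dict) if url is an IdP authorize request, else None."""
    u = urlsplit(url)
    suffix = AUTHZ_ENDPOINTS.get(u.hostname or "")
    if suffix is None or not u.path.endswith(suffix):
        return None
    return u.hostname, _query(url)


def scan(lines):
    """Stage 1: find authorize URLs whose redirect_uri host is not allow-listed."""
    findings = []
    for line in lines:
        source = line.split(" ", 1)[0]            # MAIL / PROXY
        for url in URL_RE.findall(line):
            parts = authorize_url_parts(url)
            if parts is None:
                continue
            provider, q = parts
            redirect_host = urlsplit(q.get("redirect_uri", "")).hostname or ""
            if redirect_host and redirect_host not in TRUSTED_REDIRECT_HOSTS:
                findings.append({
                    "source": source,
                    "provider": provider,
                    "client_id": q.get("client_id", ""),
                    "redirect_host": redirect_host,
                    "state": q.get("state"),
                    "landed": None,                # filled in by correlate()
                })
    return findings


def correlate(findings, lines):
    """Stage 2: for each finding, look for a proxy request to the redirect host
    that carries an OAuth error response and the lure's state value. That pair
    means a user followed the link and the IdP bounced them to the landing page."""
    for f in findings:
        for line in lines:
            if not line.startswith("PROXY"):
                continue
            src = line.split()[1].partition("=")[2]   # "src=10.0.0.9" -> "10.0.0.9"
            for url in URL_RE.findall(line):
                q = _query(url)
                if (urlsplit(url).hostname == f["redirect_host"]
                        and "error" in q and q.get("state") == f["state"]):
                    f["landed"] = {"src": src, "error": q["error"]}
    return findings


if __name__ == "__main__":
    for finding in correlate(scan(SAMPLE_LOGS), SAMPLE_LOGS):
        print(finding)
```

Stage 1 alone is noisy in any tenant with third-party SaaS sign-ins, which is why the allow-list matters; stage 2 is what turns "someone was emailed an odd OAuth link" into "this host was bounced to the attacker's page and needs endpoint triage", and it only works when email, proxy and identity telemetry are searchable together.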