Privacy Ninja



        • Secure your network against various threat points. VA starts at only S$1,000, while VAPT starts at S$4,000. With Price Beat Guarantee!

        • API Penetration Testing
        • Enhance your digital security posture with our approach that identifies and addresses vulnerabilities within your API framework, ensuring robust protection against cyber threats targeting your digital interfaces.

        • On-Prem & Cloud Network Penetration Testing
        • Boost your network’s resilience with our assessment that uncovers security gaps, so you can strengthen your defences against sophisticated cyber threats targeting your network

        • Web Penetration Testing
        • Fortify your web presence with our specialised web app penetration testing service, designed to uncover and address vulnerabilities, ensuring your website stands resilient against online threats

        • Mobile Penetration Testing
        • Strengthen your mobile ecosystem’s resilience with our in-depth penetration testing service. From applications to underlying systems, we meticulously probe for vulnerabilities

        • Cyber Hygiene Training
        • Empower your team with essential cybersecurity knowledge, covering the latest vulnerabilities, best practices, and proactive defence strategies

        • Thick Client Penetration Testing
        • Elevate your application’s security with our thorough thick client penetration testing service. From standalone desktop applications to complex client-server systems, we meticulously probe for vulnerabilities to fortify your software against potential cyber threats.

        • Source Code Review
        • Ensure the integrity and security of your codebase with our comprehensive service, meticulously analysing code quality, identifying vulnerabilities, and optimising performance for various types of applications, scripts, plugins, and more

        • Email Spoofing Prevention
        • Check if your organisation’s email is vulnerable to hackers and put a stop to it. Receive your free test today!

        • Email Phishing Excercise
        • Strengthen your defense against email threats via simulated attacks that test and educate your team on spotting malicious emails, reducing breach risks and boosting security.

        • Cyber Essentials Bundle
        • Equip your organisation with essential cyber protection through our packages, featuring quarterly breached accounts monitoring, email phishing campaigns, cyber hygiene training, and more. LAUNCHING SOON.

Microsoft, Google OAuth Flaws Can be Abused in Phishing Attacks

Microsoft, Google OAuth Flaws Can be Abused in Phishing Attacks

Researchers have discovered a set of previously unknown methods to launch URL redirection attacks against weak OAuth 2.0 implementations.

These attacks can lead to the bypassing of phishing detection and email security solutions, and at the same time, gives phishing URLs a false snse of legitimacy to victims.

The relevant campaigns were detected by Proofpoint, and target Outlook Web Access, PayPal, Microsoft 365, and Google Workspace.

How the attack works

OAuth 2.0 is a widely adopted authorization protocol that allows a web or desktop application access to resources controlled by the end-user, such as their email, contacts, profile information, or social accounts.

Also Read: This Educator Aims to Make Good Cyber Hygiene a Household Practice

This authentication feature relies on the user granting access to a particular application, which creates an access token that other sites can use to access a user’s resources.

When developing OAuth apps, developers are given the freedom to select among various available flow types, depending on their needs, as illustrated below.

Microsoft's OAuth flow
Microsoft’s OAuth flow
Source: Proofpoint

These flows require app developers to define specific parameters, such as a unique client ID, scope, and a redirect URL is opened after successful authentication.

However, Proofpoint discovered that attackers could modify some of the parameters in valid authorization flows, triggering a redirection of the victim to an attacker-supplied site or redirect URL in a registered malicious OAuth app.

Since this happens after the victim has clicked a legitimate-looking URL belonging to Microsoft, the victim falsely assumes that the URL is legitimate, even though they are being redirected to a malicious site.

This redirection can be triggered by modifying the ‘response_type’ query parameter to contain an invalid value, and the victim is taken to a phishing page by Microsoft after authentication.

The same happens if the ‘scope’ parameter is edited to trigger an “invalid_resource” error.

Also Read: Vulnerability Management For Cybersecurity Dummies

Authentication flow parameters
Authentication flow parameters
Source: Proofpoint

“The attacks use dozens of distinct Microsoft 365 third-party applications with malicious redirect URLs defined for them,” explains Proofpoint’s report

“All the third-party applications were being delivered through a Microsoft URL with a missing response_type query parameter, with the intention to redirect unsuspecting users to different phishing URLs.” 

Microsoft consent screen during authentication
Microsoft consent screen during authentication
Source: Proofpoint

The third attack scenario is the user clicking on the Cancel button at the consent screen, which triggers a redirect to the malicious application URL.

Proofpoint explains that triggering the redirection even before the authentication is also possible, depending on what OAuth flow was selected, which is the case with Azure Portal.

By using OAuth URLs that have been modified to produce errors in the authentication flow, phishing campaigns can present legitimate-looking URLs that ultimately redirect to landing pages that attempt to steal login credentials.

These attacks are not theoretical, as Proofpoint has seen examples in the wild of threat actors abusing this bug to redirect users to phishing landing pages.

“We analyzed Proofpoint data and found large-scale targeted attacks using modi operandi (MOs), which we’ll discuss in detail later in this blog post. The attacks use dozens of distinct Microsoft 365 third-party applications with malicious redirect URLs defined for them.

“They’ve successfully targeted hundreds of users of Proofpoint customer tenants, and the numbers keep growing daily,” explained Proofpoint researchers David Krispin and Nir Swartz.

An extensive problem

Other OAuth providers are affected by similar bugs that make it easy to create trustworthy URLs that redirect to malicious sites.

For example, GitHub allows anyone to register an OAuth app, including threat actors who create apps whose redirect URLs lead to phishing landing pages.

Threat actors can then create OAuth URLs containing legitimate-looking redirect URLs, which GitHub ignores and instead uses the redirect defined by the app. To the user, though, the URL looks legitimate and will appear trustworthy to click.

Google makes it even easier as a threat actor can register a sign-in OAuth application and set a ‘redirect_uri’ parameter to a malicious URL, taking the victim there right after authentication.

Google does not verify this URL, so it could be anything, from a phishing page to a malware-dropping site.

Setting a malicious redirect-uri parameter
Setting a malicious redirect-uri parameter
Source: Proofpoint

Possible solutions

Proofpoint’s report provides multiple mitigation techniques for these bugs, with the most effective being not to ignore invalid parameters and instead display an error page.

Also, implementing a long delay before automatic redirection or introducing an additional click for the redirection to take place would save many from getting phished.

“Phishing innocent users remains the most successful attack method to compromise user credentials and breach your organization’s network in the process. Email protection systems are helpless against these attacks,” concludes Proofpoint.

“By abusing OAuth infrastructure, these attacks deliver malicious emails to their targets undetected. Such attacks on PayPal can lead to theft of financial information such as credit cards. Phishing attacks on Microsoft can lead to fraud, intellectual property theft and more.”

The Internet Engineering Task Force (IETF) provides additional security recommendations for those who implement authentication OAuth servers.



Subscribe to our mailing list to get free tips on Data Protection and Data Privacy updates weekly!

Personal Data Protection


We have assisted numerous companies to prepare proper and accurate reports to PDPC to minimise financial penalties.


Click one of our contacts below to chat on WhatsApp

× Chat with us