OAuth phishers make 'check where the link points' advice ineffective
Briefly

"The attack starts with a phishing email, with observed lures impersonating e-signature requests, HR communications, Microsoft Teams meeting invites, and password reset alerts, with the malicious links embedded either in the email body or inside a PDF attachment."
"The link points to a real OAuth authorization endpoint but is built with deliberately broken parameters. Attackers use a 'prompt=none' value, requesting a silent authentication with no login screen, and pair it with an invalid scope value. The combination is designed to fail."
"Although this behavior is standards-compliant, adversaries can abuse it to redirect users through trusted authorization endpoints to attacker-controlled destinations."
Phishing emails impersonate trusted communications like e-signature requests, HR messages, Teams invites, and password reset alerts, containing malicious links in email bodies or PDF attachments. These links direct to real OAuth authorization endpoints but use deliberately broken parameters, including a 'prompt=none' value for silent authentication paired with invalid scope values. When this combination fails as designed, identity providers redirect users to attacker-controlled URIs. This technique exploits standards-compliant OAuth behavior to abuse trusted authorization endpoints for malicious redirection.
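Because the link host is the genuine identity provider, hovering over the link tells the user nothing; the destination that matters is the `redirect_uri` parameter, which is where the authorization endpoint sends the browser when the request fails. The following is an added example (not code from the Computerworld article or from Briefly) of a mail-scanning check that scores authorization links on that basis. It assumes the links carry the standard OAuth 2.0 authorization-request parameters (`response_type`, `client_id`, `redirect_uri`, `scope`, `prompt`); the identity-provider host, the expected redirect hosts and the sample lure are constructed placeholders.

```python
"""Inspect OAuth authorization links for where they will really send the user.

Added example; it is not code from the Computerworld article or from Briefly.
Assumptions: links use the standard OAuth 2.0 authorization-request parameters
(response_type, client_id, redirect_uri, scope, prompt); the IdP host, the
expected redirect hosts and the sample e-mail below are constructed
placeholders, not real identifiers.
"""
import re
from dataclasses import dataclass, field
from urllib.parse import parse_qs, urlparse

# Constructed placeholders: the identity-provider host users are trained to
# trust, and the hosts the organisation's own registered apps redirect back to.
TRUSTED_IDP_HOSTS = {"login.idp.example"}
EXPECTED_REDIRECT_HOSTS = {"app.corp.example", "portal.corp.example"}

# RFC 6749 scope-token: printable ASCII except space, double quote and backslash.
_SCOPE_TOKEN = re.compile(r"^[\x21\x23-\x5B\x5D-\x7E]+$")
_URL_RE = re.compile(r"https?://[^\s<>\"']+")


@dataclass
class Finding:
    url: str
    severity: str = "none"          # "none", "low" or "high"
    redirect_host: str = ""         # where the IdP will send the browser afterwards
    reasons: list = field(default_factory=list)


def _hostname(url):
    """Lower-cased hostname of a URL, or '' if it cannot be parsed."""
    try:
        return (urlparse(url).hostname or "").lower()
    except ValueError:
        return ""


def analyze_oauth_link(url, idp_hosts=TRUSTED_IDP_HOSTS,
                       expected_redirects=EXPECTED_REDIRECT_HOSTS):
    """Return a Finding for one URL. Only links to a trusted IdP are scored:
    the visible host is genuine by construction, so the decision has to rest
    on redirect_uri and the other request parameters instead."""
    finding = Finding(url=url)
    if _hostname(url) not in idp_hosts:
        return finding                                  # not an IdP link
    # parse_qs returns lists; keep the last value of each parameter.
    params = {k.lower(): v[-1] for k, v in
              parse_qs(urlparse(url).query, keep_blank_values=True).items()}
    if "redirect_uri" not in params:
        return finding                                  # not an authorization request
    score = 0
    finding.redirect_host = _hostname(params["redirect_uri"])
    if finding.redirect_host not in expected_redirects:
        finding.reasons.append(
            f"redirect_uri sends the user to an unexpected host: {finding.redirect_host!r}")
        score += 2
    if params.get("prompt", "").lower() == "none":
        finding.reasons.append("prompt=none asks for a silent authentication, no login screen")
        score += 1
    scope = params.get("scope", "")
    if scope and not all(_SCOPE_TOKEN.match(tok) for tok in scope.split()):
        # Only syntactically invalid scopes are caught here; a well-formed scope
        # the IdP does not recognise needs the IdP's own scope list to detect.
        finding.reasons.append(f"scope is malformed: {scope!r}")
        score += 1
    finding.severity = "high" if score >= 3 else "low" if score else "none"
    return finding


def scan_message(text, **kw):
    """Run analyze_oauth_link over every link in an e-mail body (or text
    extracted from a PDF attachment) and return the findings above 'none'."""
    results = []
    for url in _URL_RE.findall(text):
        finding = analyze_oauth_link(url, **kw)
        if finding.severity != "none":
            results.append(finding)
    return results


# Constructed sample lure in the style the article describes (a fake Teams invite).
SAMPLE_EMAIL = """Subject: You have been invited to a Teams meeting

Join here: https://login.idp.example/oauth2/authorize?client_id=CONSTRUCTED-CLIENT-ID&response_type=code&redirect_uri=https%3A%2F%2Fmeeting-join.example.net%2Fcb&scope=openid%20%22invalid%22&prompt=none&state=x

Help: https://portal.corp.example/help
"""

if __name__ == "__main__":
    for f in scan_message(SAMPLE_EMAIL):
        print(f.severity.upper(), f.url)
        for reason in f.reasons:
            print("  -", reason)
```

The off-domain `redirect_uri` carries most of the weight on purpose: `prompt=none` and an odd scope are what make the request fail quickly, but an IdP link whose redirect target is not one of the organisation's own application hosts is suspicious even without them. The scope check is deliberately limited to syntax; deciding whether a well-formed scope is one the provider actually issues requires the provider's scope list.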
Read at Computerworld