
OAuth redirection abuse enables phishing and malware delivery

ID: 51800fd8-38a1-58e8-8f98-fd26014f90b1

STIX ID: report--51800fd8-38a1-58e8-8f98-fd26014f90b1

Feed Name: Microsoft Security

Threat Score: 75/100

Date Published: 2026-03-02

Date Updated: 2026-04-28

Author: Microsoft Defender Security Research Team

...
...

Microsoft Defender researchers observed active phishing campaigns that exploit legitimate OAuth authorization and error-redirect behavior (for example, prompt=none requests and invalid scopes) to silently redirect targets, especially government and public-sector users, to attacker-controlled landing pages. Those pages have been used to deliver ZIP payloads containing LNK shortcuts and HTML smuggling loaders that trigger PowerShell execution, DLL side-loading, and remote C2 activity. The report includes IOCs (client IDs, domains, hashes), detection queries, and mitigation guidance.
