Full Report
The LevelBlue SpiderLabs team identified phishing emails in January 2026 that use Microsoft Application Registration Redirect URIs to abuse trust relationships, bypass spam filters, and redirect users to phishing websites.
Analysis Summary
# Tool/Technique: OAuth Application Registration Redirect URI Abuse
## Overview
This technique involves the exploitation of Microsoft’s OAuth 2.0 authorization flow by using legitimate Application Registration Redirect URIs to mask malicious phishing destinations. By leveraging trusted Microsoft domains (e.g., `login.microsoftonline.com`), attackers bypass email security filters and exploit user trust in the Microsoft ecosystem to harvest credentials or session tokens.
## Technical Details
- **Type:** Technique (Phishing / Redirection)
- **Platform:** Microsoft 365, Azure AD (Entra ID), SaaS environments
- **Capabilities:** Bypassing Secure Email Gateways (SEGs), Credential Harvesting, Adversary-in-the-Middle (AiTM) proxying.
- **First Seen:** Identified by LevelBlue SpiderLabs in January 2026.
## MITRE ATT&CK Mapping
- **TA0001 - Initial Access**
- **T1566.002 - Phishing: Spearphishing Link**
- **TA0005 - Defense Evasion**
- **T1223 - Trusted Developer Tools**
- **T1553.004 - Subvert Trust Controls: Install Root Certificate (if AiTM)**
- **TA0006 - Credential Access**
- **T1557 - Adversary-in-the-Middle**
## Functionality
### Core Capabilities
- **Redirect URI Manipulation:** Attackers register a malicious application in Azure or compromise an existing one to set a `redirect_uri` that points to a phishing site.
- **Trust Leveraging:** The initial link in the phishing email points to a legitimate Microsoft login URL, which carries a high reputation and is rarely blocked by spam filters.
- **Automated Redirection:** Once the victim interacts with the legitimate Microsoft endpoint, the OAuth flow automatically forwards the browser to the attacker-controlled URI.
### Advanced Features
- **Bypassing SEGs:** Because the link's host is a trusted Microsoft domain, automated link scanners often fail to inspect the nested `redirect_uri` parameter that carries the real destination.
- **Visual Deception:** The use of "Login with Microsoft" prompts increases the likelihood of a victim entering their credentials into the subsequent fake login page.
## Indicators of Compromise
- **File Hashes:** N/A (Web-based technique)
- **File Names:** N/A
- **Registry Keys:** N/A
- **Network Indicators:**
  - `login.microsoftonline[.]com/common/oauth2/authorize?...` (Initial Vector)
  - `tenant-office-update[.]com` (Example Phishing Landing Page)
  - `microsoft-security-noreply[.]com` (Example Phishing Domain)
- **Behavioral Indicators:**
  - High volume of "URL Click" events to Microsoft OAuth endpoints containing external/suspicious `redirect_uri` parameters.
  - Unusual OAuth application consent requests from unverified publishers.
## Associated Threat Actors
- Unknown (General high-sophistication phishing actors leveraging AiTM frameworks).
## Detection Methods
- **Behavioral Detection:** Monitor for OAuth authorization requests where the `redirect_uri` parameter points to a domain not previously seen or not associated with internal business applications.
- **Logging:** Analyze Azure AD / Entra ID Sign-in logs for specific `AppId` values associated with unauthorized application registrations.
- **Hunting:** Search for URL click events in SIEM/EDR that contain "oauth2" and "redirect_uri" directed toward non-company domains.
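The hunting query above, worked through as a small script: it pulls the `redirect_uri` out of Microsoft authorize URLs seen in URL-click events and flags any whose host is not allowlisted. This is an added example, not SpiderLabs tooling; the log format, user names and the allowlist are constructed, and the two phishing hosts are the page's own example domains.

```python
"""Hunt for OAuth redirect_uri abuse in URL-click events (added example; not
SpiderLabs tooling). Log format, users and the allowlist are constructed; the
two phishing hosts are the page's example domains."""
from urllib.parse import parse_qs, urlsplit

MS_AUTH_HOSTS = {"login.microsoftonline.com"}  # extend with other login hosts in use
# Assumption: the organisation keeps an allowlist of hosts that its own
# registered applications legitimately redirect to after sign-in.
ALLOWED_REDIRECT_HOSTS = {"app.example-corp.com", "portal.example-corp.com"}

def extract_redirect_uri(url):
    """Return the redirect_uri of a Microsoft OAuth authorize URL, else None."""
    parts = urlsplit(url)
    if parts.hostname not in MS_AUTH_HOSTS:  # .hostname is already lower-cased
        return None
    if "/oauth2/" not in parts.path or not parts.path.endswith("/authorize"):
        return None
    values = parse_qs(parts.query).get("redirect_uri")  # percent-decoded once
    return values[0] if values else None

def redirect_host_allowed(redirect_uri):
    """Exact host match only; a subdomain of an allowed host is still flagged."""
    host = urlsplit(redirect_uri).hostname or ""
    # .hostname discards userinfo, so "https://app.example-corp.com@evil.test/"
    # is judged on evil.test, not on the allowlisted name in front of the "@".
    return host in ALLOWED_REDIRECT_HOSTS or host in MS_AUTH_HOSTS

def find_suspicious_clicks(log_lines):
    """Return (user, redirect_uri) for clicks whose redirect target is not allowlisted."""
    hits = []
    for line in log_lines:
        fields = dict(kv.split("=", 1) for kv in line.split() if "=" in kv)
        target = extract_redirect_uri(fields.get("url", ""))
        if target is not None and not redirect_host_allowed(target):
            hits.append((fields.get("user", "?"), target))
    return hits

# Constructed events: a legitimate sign-in, a redirect to an external phishing
# host, a userinfo trick against the allowlist, and an ordinary non-OAuth click.
AUTH = "https://login.microsoftonline.com/common/oauth2/v2.0/authorize?client_id=x&response_type=code&redirect_uri="
SAMPLE_LOG = [
    "ts=2026-01-14T09:01:00Z user=alice action=UrlClick url=" + AUTH + "https%3A%2F%2Fapp.example-corp.com%2Fauth",
    "ts=2026-01-14T09:02:10Z user=bob action=UrlClick url=" + AUTH + "https%3A%2F%2Ftenant-office-update.com%2Flogin",
    "ts=2026-01-14T09:03:30Z user=carol action=UrlClick url=" + AUTH + "https%3A%2F%2Fapp.example-corp.com%40microsoft-security-noreply.com%2F",
    "ts=2026-01-14T09:04:00Z user=dave action=UrlClick url=https://www.example-corp.com/news",
]

if __name__ == "__main__":
    for user, target in find_suspicious_clicks(SAMPLE_LOG):
        print(f"ALERT {user}: redirect_uri -> {target}")
```

Native-client and custom-scheme redirect URIs (no hostname) are also flagged by this logic, so expect to tune the allowlist against your tenant's registered applications before alerting on it.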
## Mitigation Strategies
- **Technical Restrictions:** Restrict user ability to register new applications or consent to unverified third-party applications in Entra ID settings.
- **Authentication:** Implement phishing-resistant Multi-Factor Authentication (MFA) such as FIDO2 security keys to prevent AiTM harvesting.
- **Hardening:** Require administrator-facilitated device registration and use Conditional Access policies to limit logins to managed devices.
- **Education:** Train users to inspect the final URL in the browser address bar after a redirect occurs, even if the initial link appeared legitimate.
## Related Tools/Techniques
- **Evilginx2 / Muraena:** Used for AiTM phishing to bypass MFA.
- **Illicit Consent Grant:** A related technique where attackers request permissions to access user data via OAuth.