OAuth phishers make ‘check where the link points’ advice ineffective

by AiLink

How the attack works

The attack starts with a phishing email. Observed lures impersonate e-signature requests, HR communications, Microsoft Teams meeting invites, and password reset alerts, with the malicious link embedded either in the email body or inside a PDF attachment, Microsoft researchers wrote in the blog post.

The link points to a real OAuth authorization endpoint but is built with deliberately broken parameters. Attackers set “prompt=none”, which requests silent authentication with no login screen, and pair it with an invalid scope value. The combination is designed to fail: when it does, the identity provider redirects the user’s browser to a URI registered by the attacker.

“Although this behavior is standards-compliant, adversaries can abuse it to redirect users through trusted authorization endpoints to attacker-controlled destinations,” the researchers wrote in the blog post.
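Because the authorize URL is genuine, a host check alone passes; what gives the lure away is the parameter combination and where the error redirect lands. The following is an added defensive example, not code from Microsoft or the article: a link-inspection heuristic an email gateway could run, with constructed sample links, a placeholder client_id, and hypothetical scope and redirect-host allowlists.

```python
from urllib.parse import urlparse, parse_qs

# Hypothetical allowlists for this example. A real gateway would populate them from the
# tenant's registered applications; these values are constructed, not from the article.
KNOWN_SCOPES = {"openid", "profile", "email", "offline_access", "user.read"}
TRUSTED_REDIRECT_HOSTS = {"portal.contoso.example"}
# Authorization endpoint host to inspect (Microsoft identity platform).
AUTHZ_HOSTS = {"login.microsoftonline.com"}


def analyze_oauth_link(url: str) -> list[str]:
    """Return the reasons a link matches the built-to-fail authorization request the article
    describes. Empty list: not an OAuth authorize URL, or nothing suspicious was found."""
    parsed = urlparse(url)
    if parsed.hostname not in AUTHZ_HOSTS or not parsed.path.endswith("/authorize"):
        return []  # only the real IdP authorize endpoint is relevant to this check
    q = parse_qs(parsed.query)

    def first(key: str) -> str:
        return q.get(key, [""])[0]

    findings = []
    # 1. prompt=none asks for silent auth; paired with a scope the IdP cannot grant, the
    #    request can only end in an error redirect. Legitimate apps do not send this pair.
    scopes = {s.lower() for s in first("scope").split()}
    unknown = scopes - KNOWN_SCOPES
    if first("prompt") == "none" and unknown:
        findings.append(f"prompt=none with unrecognized scope(s) {sorted(unknown)}: request is built to fail")
    # 2. The error is delivered to redirect_uri, so that host is where the victim actually lands.
    redirect_host = urlparse(first("redirect_uri")).hostname or ""
    if redirect_host and redirect_host not in TRUSTED_REDIRECT_HOSTS:
        findings.append(f"redirect_uri host {redirect_host!r} is not a known application host")
    return findings


# Constructed sample links (placeholder client_id and reserved .example hosts).
SUSPICIOUS_LINK = (
    "https://login.microsoftonline.com/common/oauth2/v2.0/authorize"
    "?client_id=00000000-0000-0000-0000-000000000000&response_type=code"
    "&prompt=none&scope=not.a.real.scope"
    "&redirect_uri=https%3A%2F%2Fattacker-controlled.example%2Fcb"
)
BENIGN_LINK = (
    "https://login.microsoftonline.com/common/oauth2/v2.0/authorize"
    "?client_id=00000000-0000-0000-0000-000000000000&response_type=code"
    "&scope=openid%20profile%20User.Read"
    "&redirect_uri=https%3A%2F%2Fportal.contoso.example%2Fauth"
)
```

Run `analyze_oauth_link(SUSPICIOUS_LINK)` to see both findings raised and `analyze_oauth_link(BENIGN_LINK)` to see an ordinary sign-in link pass; a link to any other host is ignored rather than flagged.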
