
OAuth phishers make ‘check where the link points’ advice ineffective
Microsoft has warned that phishers are exploiting a built-in behavior of the OAuth authentication protocol to redirect victims to malware, using links that point to legitimate identity provider domains such as Microsoft Entra ID and Google Workspace. The links look safe but ultimately lead somewhere that isn’t. “OAuth includes a legitimate feature that allows identity providers to redirect users to a specific landing page under certain conditions, typically in error scenarios or other defined flows,” Microsoft’s Defender Security Research Team wrote in a blog post. “Attackers can abuse this native functionality by crafting URLs with popular identity providers, such as Entra ID or Google Work...
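Because the link's own domain is the identity provider's, a defender has to look one level deeper, at where the provider is told to send the user afterwards. The following checker is an added example, not code from Microsoft's post or this article: it parses a link that points at an IdP authorization endpoint, extracts the landing-page parameter (`redirect_uri` in RFC 6749, plus two assumed aliases) and compares its host against an organization's allowlist. The IdP hosts are the public Entra ID and Google authorization hosts; the allowlist and the sample links are constructed.

```python
from urllib.parse import urlparse, parse_qs, unquote

# Public authorization-endpoint hosts for the providers named in the article.
IDP_AUTH_HOSTS = {
    "login.microsoftonline.com",  # Microsoft Entra ID
    "accounts.google.com",        # Google Workspace / Google accounts
}

# redirect_uri is the RFC 6749 parameter; the other two are assumed aliases
# seen in some deployments (assumption, not taken from the article).
REDIRECT_PARAMS = ("redirect_uri", "redirect_url", "redirect")


def check_oauth_link(url: str, allowed_redirect_hosts: set) -> dict:
    """Classify a link by where the identity provider would send the user.

    Verdicts: 'not_idp' (host is not a known IdP), 'no_redirect' (no landing
    page named), 'allowed' (landing host on the allowlist) or 'suspicious'.
    """
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    if host not in IDP_AUTH_HOSTS:
        return {"idp": None, "redirect": None, "verdict": "not_idp"}

    # Parameters may sit in the query or the fragment; merge both.
    params = parse_qs(parsed.query)
    params.update(parse_qs(parsed.fragment))

    target = None
    for name in REDIRECT_PARAMS:
        if name in params:
            target = unquote(params[name][0])  # tolerate double-encoding
            break
    if target is None:
        return {"idp": host, "redirect": None, "verdict": "no_redirect"}

    target_host = (urlparse(target).hostname or "").lower()
    verdict = "allowed" if target_host in allowed_redirect_hosts else "suspicious"
    return {"idp": host, "redirect": target, "verdict": verdict}


if __name__ == "__main__":
    # Constructed sample links; app.example.com is the only sanctioned callback.
    allow = {"app.example.com"}
    for link in (
        "https://login.microsoftonline.com/common/oauth2/v2.0/authorize"
        "?client_id=abc&response_type=code&redirect_uri=https%3A%2F%2Fapp.example.com%2Fcb",
        "https://accounts.google.com/o/oauth2/v2/auth"
        "?client_id=x&response_type=code&redirect_uri=https%3A%2F%2Fdownloads.example.net%2Fupdate",
    ):
        print(check_oauth_link(link, allow))
```

The verdict only says where the provider has been told to send the browser; an allowlisted host still needs its own review, and a `suspicious` result is a triage signal for mail and proxy logs, not proof of malice.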