How the attack works
The attack begins with a phishing email. Observed lures impersonate e-signature requests, HR communications, Microsoft Teams meeting invitations, and password reset alerts, with the malicious links embedded either in the email body or inside a PDF attachment, Microsoft researchers wrote in the blog post.
The link points to a real OAuth authorization endpoint but is constructed with deliberately broken parameters. Attackers use a “prompt=none” value, which requests a silent authentication with no login screen, and pair it with an invalid scope value. The combination is designed to fail. When it does, the identity provider redirects the user’s browser to a URI registered by the attacker.
“Although this behavior is standards-compliant, adversaries can abuse it to redirect users through trusted authorization endpoints to attacker-controlled destinations,” the researchers wrote in the blog post.
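The flow described above leaves a recognisable shape in the link itself: an authorization endpoint, `prompt=none`, a scope the provider will reject, and a `redirect_uri` that is not where the organisation's own applications live. The following triage routine, an added example that is not from the Microsoft blog post or the article, scores OAuth authorization links pulled out of an email before a user clicks them. The identity-provider hostname, the scope allowlist, the trusted redirect hosts, the `client_id` and the sample links are all constructed for illustration; `prompt`, `scope` and `redirect_uri` are the standard OAuth 2.0 / OpenID Connect parameter names. The "unrecognised scope" check is a heuristic: only the identity provider knows which scopes are actually invalid, so real deployments would extend the allowlist with their own resource scopes.

```python
"""Triage OAuth authorization links extracted from email (added example, not from the article)."""
from urllib.parse import urlparse, parse_qs

# Constructed allowlist of standard OIDC scopes. Real tenants add their own resource scopes;
# a scope outside this set is a signal, not proof, that the request was built to fail.
KNOWN_SCOPES = {"openid", "profile", "email", "offline_access"}

# Constructed allowlist of redirect_uri hosts the organisation's own apps register (assumption).
TRUSTED_REDIRECT_HOSTS = {"app.corp.example"}


def looks_like_authorize_endpoint(url: str) -> bool:
    """Heuristic: most OAuth 2.0 / OIDC providers expose the authorization endpoint under '/authorize'."""
    return "authorize" in urlparse(url).path.lower()


def triage_oauth_link(url: str) -> dict:
    """Inspect one link. 'suspicious' is set when silent auth (prompt=none) is combined
    with at least one other signal: a scope the provider is unlikely to accept, a missing
    scope, or a redirect_uri outside the trusted host allowlist."""
    findings = []
    parsed = urlparse(url)
    if not looks_like_authorize_endpoint(url):
        return {"url": url, "is_oauth": False, "suspicious": False, "findings": findings}

    q = parse_qs(parsed.query)  # decodes percent-encoding, so redirect_uri can be parsed again below
    prompt = q.get("prompt", [""])[0]
    scope_tokens = q.get("scope", [""])[0].split()
    redirect_uri = q.get("redirect_uri", [""])[0]
    redirect_host = (urlparse(redirect_uri).hostname or "").lower()

    silent = prompt == "none"
    if silent:
        # Silent authentication is meant for already-signed-in apps, not for links a user clicks from mail.
        findings.append("prompt=none: silent authentication requested from an emailed link")

    unknown = [s for s in scope_tokens if s not in KNOWN_SCOPES]
    if not scope_tokens:
        findings.append("scope parameter missing")
    elif unknown:
        findings.append("unrecognised scope value(s): " + " ".join(unknown))

    if redirect_host and redirect_host not in TRUSTED_REDIRECT_HOSTS:
        findings.append("redirect_uri host not in allowlist: " + redirect_host)

    # prompt=none alone is not enough; require a second signal to keep the false-positive rate down.
    suspicious = silent and len(findings) >= 2
    return {"url": url, "is_oauth": True, "suspicious": suspicious, "findings": findings}


def triage_links(urls):
    """Return the triage results for every link that was judged suspicious."""
    return [r for r in (triage_oauth_link(u) for u in urls) if r["suspicious"]]


# Constructed sample links, as an email link extractor might hand them over.
MALICIOUS = (
    "https://login.idp.example/common/oauth2/v2.0/authorize"
    "?client_id=00000000-0000-0000-0000-000000000000&response_type=code"
    "&prompt=none&scope=not-a-real-scope"
    "&redirect_uri=https%3A%2F%2Fupdates.attacker.example%2Fcb"
)
BENIGN = (
    "https://login.idp.example/common/oauth2/v2.0/authorize"
    "?client_id=00000000-0000-0000-0000-000000000000&response_type=code"
    "&scope=openid%20profile&redirect_uri=https%3A%2F%2Fapp.corp.example%2Fcb"
)
NOT_OAUTH = "https://docs.corp.example/hr/policy.pdf"

if __name__ == "__main__":
    for result in triage_links([MALICIOUS, BENIGN, NOT_OAUTH]):
        print(result["url"])
        for f in result["findings"]:
            print("  -", f)
```

The routine is deliberately conservative: `prompt=none` on its own only records a finding, and the link is escalated only when the scope or the redirect host also looks wrong, which matches the combination the researchers describe. In a mail gateway the same function would run over every URL found in the body and in PDF attachments, and the `redirect_uri` host is the value worth surfacing to analysts, since it is the only place the attacker's infrastructure appears.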