Hackers are abusing the legitimate OAuth redirection mechanism to bypass phishing protections in email and browsers to take users to malicious pages.

The attacks target government and public-sector organizations with phishing links that prompt users to authenticate to a malicious application, Microsoft Defender researchers say.

With e-signature requests, Social Security notices, meeting invitations, password resets, or various financial and political topics that contain OAuth redirect URLs. Sometimes, the URLs are embedded in PDF files to evade detection.