Darkwire Blog

Phishing Isn't Dead, It's Hiding Inside Trusted Login Flows

Written by Madison Bocchino | March 20, 2026

For years, phishing was easy to picture: a suspicious email, a fake login page, and a stolen password. That threat still exists, but it has evolved.

A recent Microsoft report shows attackers abusing OAuth redirection to turn legitimate authentication workflows into phishing and malware delivery paths. Instead of relying on obviously fake websites, attackers are increasingly abusing trusted platforms, identity systems, and normal user behavior.

 

Why This Matters 

Modern users constantly move through login prompts, approval requests, meeting invites, file sharing notices, and consent screens. That familiarity is exactly what attackers exploit. OAuth is meant to let applications request access to user data without exposing passwords.

In practice, that means users often encounter prompts tied to apps, redirects, and permissions. If attackers can insert themselves into that flow, the experience feels far more legitimate than a traditional phishing page. That is what makes identity-based phishing so dangerous: it may look like a normal sign-in, an app consent prompt, or a redirect inside a workflow the user already trusts.

 

The New Phishing Playbook 

Traditional phishing focused on fake brands and stolen passwords. The new playbook is built around legitimacy by appearance. 

Attackers are increasingly abusing trusted services and cloud identity workflows to guide users through prompts they do not fully understand. That means a user can do what seems right (click a familiar link, follow a sign-in flow, review a consent prompt) and still enable an attack. Many organizations still focus awareness training on obvious suspicious emails. The harder challenge now is helping users recognize when a real platform is being used in a malicious way.

 

Why Attackers Like OAuth Abuse 

There are three main reasons this model works. 

First, it blends in. A trusted login page or redirect chain draws less suspicion than a fake website.

Second, it bypasses user instincts. Many employees know not to type credentials into a suspicious-looking site, but fewer know how to evaluate a consent prompt, app publisher, redirect behavior, or unusual permissions request.

Third, OAuth abuse can give attackers more durable access. Malicious or risky OAuth applications can be used to access data, automate malicious behavior, or maintain a foothold in cloud environments in ways traditional credential-focused defenses may miss. This is not just phishing with a new look. It is phishing adapted to how modern cloud environments actually work.

 

What Businesses Should Take Away 

The biggest lesson is simple: trusting the platform is no longer enough.

Security teams cannot assume that a familiar sign-in experience, app approval screen, or redirect sequence is inherently safe. Users now spend much of their day inside cloud ecosystems built on federated identity, third-party app access, and delegated permissions. Attackers know that.

That means organizations need to widen their definition of phishing. It is no longer limited to fake login pages, credential harvesting, and suspicious attachments. It also includes malicious consent requests, abused OAuth applications, deceptive redirects inside real authentication flows, and identity-driven delivery of malware or post-click attacks.

 

How Defenders Should Respond

Awareness still matters, but it needs to evolve. 

Users should be trained not only to avoid suspicious links, but also to question unexpected permission requests, unusual app prompts, and redirects that seem out of place.

Organizations should also focus on tighter governance over app consent, better monitoring of risky OAuth apps, careful review of delegated permissions, and stronger correlation of email, identity, and endpoint signals.

The larger shift is clear: identity security and phishing defense are no longer separate conversations.
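
One way to start correlating email and identity signals, shown as an added example that is not from this post or the Microsoft report: flag emailed links that point at a trusted identity host but redirect to an unapproved app, then match them against sign-in events for the same user and client ID. The host lists, client IDs, addresses, events, and record shapes are all constructed assumptions.

```python
from urllib.parse import parse_qs, urlsplit

# Assumptions (hypothetical values): identity hosts you trust, and the
# redirect hosts of applications your organization has approved.
TRUSTED_IDP_HOSTS = {"login.microsoftonline.com"}
APPROVED_REDIRECT_HOSTS = {"portal.example.com"}

def unapproved_oauth_link(url):
    """Return (client_id, redirect_host) when url is an authorization request on a
    trusted identity host whose redirect_uri is not an approved app, else None."""
    parts = urlsplit(url)
    query = parse_qs(parts.query)  # parse_qs also percent-decodes the values
    if (parts.hostname or "").lower() not in TRUSTED_IDP_HOSTS:
        return None
    if "client_id" not in query or "redirect_uri" not in query:
        return None
    redirect = urlsplit(query["redirect_uri"][0])
    redirect_host = (redirect.hostname or "").lower()
    if redirect.scheme == "https" and redirect_host in APPROVED_REDIRECT_HOSTS:
        return None
    return query["client_id"][0], redirect_host

def correlate(email_links, signin_events):
    """Join email and identity signals: users who received an unapproved OAuth
    link and also appear in sign-in events for the same client_id."""
    flagged = {}
    for recipient, url in email_links:
        hit = unapproved_oauth_link(url)
        if hit:
            flagged[(recipient.lower(), hit[0])] = hit[1]
    return [
        {"user": user.lower(), "client_id": cid, "redirect_host": flagged[(user.lower(), cid)]}
        for user, cid in signin_events if (user.lower(), cid) in flagged
    ]

# Constructed sample data: (recipient, link) pairs from mail logs and
# (user, client_id) pairs from identity provider sign-in logs.
AUTHZ = "https://login.microsoftonline.com/common/oauth2/v2.0/authorize"
APP_A = "11111111-1111-1111-1111-111111111111"
APP_B = "22222222-2222-2222-2222-222222222222"
EMAIL_LINKS = [
    ("alice@example.com", f"{AUTHZ}?client_id={APP_A}&response_type=code&redirect_uri=https%3A%2F%2Fportal.example.com%2Fcb"),
    ("bob@example.com", f"{AUTHZ}?client_id={APP_B}&response_type=code&redirect_uri=https%3A%2F%2Funknown-app.example.net%2Fcb"),
    ("carol@example.com", "https://news.example.org/article?id=7"),
]
SIGNIN_EVENTS = [("Bob@example.com", APP_B), ("alice@example.com", APP_A)]

if __name__ == "__main__":
    print(correlate(EMAIL_LINKS, SIGNIN_EVENTS))
```

A match here is a lead for review, not a verdict; endpoint telemetry for the same user and time window is the third signal to add.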

 

Final Thought

Phishing has not disappeared. It has matured.

Attackers are increasingly abusing the same trusted systems employees use every day. OAuth redirect abuse shows where phishing is headed: less obviously fake, more context-aware, and harder for users to spot in the moment.

The organization that adapts fastest will stop asking, "Would our users fall for a fake login page?" and start asking, "Could we detect abuse inside a legitimate authentication flow?"