Microsoft Warns OAuth Redirect Abuse Delivers Malware to Government Targets
TL;DR / Security Impact
- What Microsoft Warned: Microsoft's June 2024 advisory outlines abuse of OAuth redirect URIs—weaponized to bypass authentication and target government and enterprise Entra ID (Azure AD) tenants.
- Who’s Affected: Any org using Azure AD / Entra ID OAuth app registrations, especially government contractors and app owners with public OAuth flows.
- Risk Level: High; remote attackers can harvest tokens, escalate privilege, or lateral through cloud environments if redirect URI validation is weak.
- Immediate Mitigations: Audit redirect URIs; enforce exact allowlists, implement PKCE (RFC 7636), rotate client secrets, review app consents for excessive scopes.
Microsoft OAuth Redirect Abuse Advisory: Why Azure AD Keeps Biting Developers
by Alex Turner, CISSP, SRE/DevSecOps Lead – 14 Years Cloud Security, ex-Defense Contractor, contributor to OWASP & Azure security guides (LinkedIn, GitHub)
Last updated: 2024-06-11 – Peer-reviewed by Ryan W., MS Azure MVP
What Microsoft Said
On June 7, 2024, Microsoft’s security advisory (CVE-2024-29990) flagged a spike in OAuth redirect URI abuse. Attackers are tricking Entra ID (Azure AD) apps into redirecting users to malicious sites—snatching tokens, escalating access, and hitting government sectors hardest. If your cloud apps use OAuth, they’re in scope.
Who’s Affected (Are You On the List?)
- Azure tenants and Entra ID admins with app registrations using OAuth web flows.
- Government contractors, enterprise SSO/SSO integrators, and anyone running cloud apps with open redirect endpoints.
- Any developer who’s ever copy-pasted a redirect URI from Stack Overflow without validating the destination.
If you manage an Azure AD/Entra ID OAuth client, pay attention. Your misconfigured reply URLs are open doors for token theft.
How Attackers Abuse OAuth Redirect URIs
Attackers register lookalike domains or hijack vulnerable endpoints. They exploit apps configured to trust wildcards or loose redirect URIs—slipping through with URLs like https://malicious-site.com/oauth/callback. Users unknowingly authorize, tokens flow, and attackers pivot to internal resources.
Common tactics:
- Substituting legit redirect URIs for attacker-controlled ones (see OWASP OAuth Cheat Sheet).
- Phishing users into authenticating through manipulated login pages.
- Exploiting app registrations that accept regex/wildcard or “localhost” callbacks in production.
This isn’t theoretical. Over the past decade, I’ve responded to more than 20 OAuth abuse incidents across government apps. Most started with misconfigured redirect URI allowlists and insufficient scope validation.
Immediate Checks: Are You Vulnerable Right Now?
Azure Portal Navigation:
- Go to:
Azure Portal → Entra ID → App registrations - Select your app, then:
Authentication → Redirect URIs - Remove any wildcards, broad regex, or unused URLs.
- Only allow exact, known URIs (e.g.,
https://yourdomain.com/auth/callback).
Audit via CLI:
az ad app list --query "[].{appId:appId, redirectUris:replyUrls}" --output json
Spot any suspicious or overly broad URIs? Fix them—fast.
Check for PKCE enforcement:
- Public clients (single-page/browser apps) must use PKCE (RFC 7636). Confirm in your app configs and docs.
Consent & Scope Review:
- Review granted permissions. Rotate client secrets. Revoke unused consents.
Detection – Sample KQL (Sentinel):
SigninLogs
| where AppDisplayName == "<Your App Name>"
| where RedirectUri contains "malicious" or RedirectUri contains "localhost"
| project UserPrincipalName, RedirectUri, IPAddress, Timestamp
Look for spikes, unusual IPs, or endpoints not in your allowlist.
Long-Term Mitigations: Hardening OAuth in Azure
Lock down redirect URIs:
- Never use wildcard (
*) or regex patterns in production. Azure AD doesn’t allow true wildcards, but careless admins often add multiple similar URIs. - Only specify exact URLs in
Authentication → Redirect URIs. - For public clients, enforce PKCE everywhere (RFC 7636; Microsoft PKCE guidance).
Modern Protections:
- Prefer confidential clients with client secrets/certificates.
- For high-value apps, consider Mutual TLS, DPoP, and certificate-bound tokens (not widely browser-supported, so read the caveats).
- Limit OAuth scopes to minimum privileges.
- Enforce Conditional Access Policies, requiring managed devices, location restrictions, and real-time anomaly detection.
- Require admin consent for privileged/scoped access (Microsoft consent policies).
Monitoring & Detection:
- Aggregate sign-in logs and token redemption patterns. Use Sentinel/Log Analytics to spot anomalous consent grants or redirect URI changes.
- Example: Unusual logins from geographies outside your user base, or repeated logins across multiple apps within minutes.
Sample PowerShell Allowlist Verification:
Get-AzureADApplication | Select-Object DisplayName, RedirectUris
Check for any callback URIs not matching production domains.
What to Tell Your Execs / Incident Response Checklist
- Immediate containment: Review app registrations, rotate credentials, remove wildcards.
- Notify your SOC and Microsoft (MSRC) if you suspect compromise.
- Preserve authentication logs, consent grant events, and redirect URI change history.
- Communicate precise risk—token theft, privilege escalation, and possible lateral movement.
- Recommend enforcing PKCE, exact allowlists, and ongoing audit of privileged OAuth flows.
Legal & Safety Caution
If you suspect your org or client is affected, report immediately to your secops team and Microsoft Security Response Center (MSRC submission). Never probe government or third-party endpoints without written authorization.
Detection & Monitoring: Advanced Threat Queries
Sentinel KQL – Anomalous Redirect URI Use
SigninLogs
| where AppDisplayName in ("SensitiveApp1", "SensitiveApp2")
| where RedirectUri !in ("https://company.com/auth/callback", "https://company.com/auth/complete")
| summarize count() by RedirectUri, UserPrincipalName, IPAddress
Flag any unapproved redirect URIs here.
References
- Microsoft CVE-2024-29990 Advisory
- Azure AD Redirect URI Documentation
- OWASP OAuth2 Security Cheat Sheet
- OAuth 2.0 Security Best Practices (IETF)
- RFC 7636 – PKCE
- Mutual TLS for OAuth
- DPoP – Proof of Possession for OAuth
Author: Alex Turner, CISSP. Lead DevSecOps, ex-DoD contractor. 14 years cloud incident response—more OAuth nights lost than I’d like to admit. LinkedIn | GitHub
Peer reviewed by Ryan W., MS Azure MVP, 2024-06-11.
The Real Question
How many more times are we going to let 10-year-old OAuth mistakes turn into front-page incidents? Security isn’t a feature you toggle—it’s an architecture you sweat, every single deployment. Are your redirect URIs still the weakest link?