
How is this possible? A SCAM email has a link to https://login.microsoftonline.com/common/oauth2/v2.0/authorize... but redirects to noutreashou.ru

IngallsPW1 41 Reputation points
2026-04-15T16:41:47.48+00:00

How does this SCAM email have a link to:
https://login.microsoftonline.com/common/oauth2/v2.0/authorize... (plus a very long string)
but it redirects to <URL removed>

This goes against everything I have been teaching our staff... (Hover over the link... blah blah blah...)

Exchange Online

A cloud-based service included in Microsoft 365, delivering scalable messaging and collaboration features with simplified management and automatic updates.


2 answers

  1. Hin-V 15,245 Reputation points Microsoft External Staff Moderator
    2026-04-15T18:08:45.32+00:00

    Hi @IngallsPW1

    I appreciate you sharing this and sincerely apologize for your experience with this issue. 

    First, I’d like to clarify that this is a user‑to‑user support forum. Moderators participating here do not have access to backend systems, nor can we directly intervene in Microsoft product functionality. Our role is limited to providing technical guidance and sharing best‑practice recommendations based on reported issues, requests, and scenarios. 

    You may first refer to Anthony Lee’s response. Based on my research, this behavior appears to be related to a phishing technique that Microsoft has recently confirmed. 

    In this scenario, a link can genuinely point to a real Microsoft sign‑in page, but then redirect the browser to a malicious site if the sign‑in attempt is triggered in a specific way. Microsoft has confirmed that this behavior is by design in the OAuth standard and is currently being exploited by attackers. 


    Reference: OAuth redirection abuse enables phishing and malware delivery | Microsoft Security Blog 

    To mitigate this, you might need to focus on risk reduction and user awareness. At this time, I would recommend advising users to avoid signing in from links embedded in emails, even when the link appears to point to a legitimate Microsoft sign‑in page. 

    If a sign‑in is required, users should open a new browser tab and navigate directly to https://portal.office.com or https://login.microsoftonline.com.

    Additionally, since this behavior relates to identity and email security within your tenant, you may want to work with your internal Security team to review sign‑in activity and strengthen controls around OAuth application consent and email filtering. 

    I hope this helps, and if you have any additional concerns, feel free to comment below. I would be more than happy to assist.


    Note: Please follow the steps in [our documentation] to enable e-mail notifications if you want to receive the related email notification for this thread. 


    3 people found this answer helpful.
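As an added example that is not part of this thread: a small Python check showing why hovering over the link is not enough. It parses an OAuth authorize URL, separates the visible sign-in host from the redirect_uri the authorization server will send the browser to afterwards, and flags the mismatch; the allowlists and the sample link (placeholder client_id, invented redirect host) are assumptions for the demo.

```python
from urllib.parse import urlsplit, parse_qs

# Hosts that genuinely serve the Microsoft sign-in page (assumption: demo allowlist).
MICROSOFT_AUTHORITY_HOSTS = {"login.microsoftonline.com", "login.microsoft.com", "login.live.com"}

# Domains an organisation expects its OAuth flows to return to (assumption: demo allowlist).
TRUSTED_REDIRECT_SUFFIXES = ("microsoft.com", "office.com", "microsoftonline.com")


def _host_trusted(host: str, suffixes) -> bool:
    """True when host equals, or is a subdomain of, one of the trusted suffixes."""
    host = host.lower()
    return any(host == s or host.endswith("." + s) for s in suffixes)


def inspect_authorize_link(url: str) -> dict:
    """Report where an OAuth authorize link will actually send the browser.

    The visible host (what a hover tooltip shows) is the authority. The effective
    destination is the redirect_uri query parameter: after the sign-in step
    completes or returns an error, the authorization server redirects the browser
    there. A genuine authority host plus an untrusted redirect host is the pattern
    the question describes.
    """
    parts = urlsplit(url)
    authority_host = (parts.hostname or "").lower()
    params = parse_qs(parts.query)  # parse_qs percent-decodes the values
    redirect = params.get("redirect_uri", [None])[0]
    redirect_host = (urlsplit(redirect).hostname or "").lower() if redirect else None
    authority_is_microsoft = authority_host in MICROSOFT_AUTHORITY_HOSTS
    redirect_trusted = bool(redirect_host) and _host_trusted(redirect_host, TRUSTED_REDIRECT_SUFFIXES)
    return {
        "visible_host": authority_host,
        "authority_is_microsoft": authority_is_microsoft,
        "client_id": params.get("client_id", [None])[0],
        "redirect_host": redirect_host,
        "redirect_trusted": redirect_trusted,
        # Suspicious: trusted sign-in host, but the browser ends up somewhere else.
        "suspicious": authority_is_microsoft and redirect_host is not None and not redirect_trusted,
    }


# Constructed sample link in the shape described in the question; the client_id is a
# placeholder and the redirect host is invented for this example.
SAMPLE_LINK = (
    "https://login.microsoftonline.com/common/oauth2/v2.0/authorize"
    "?client_id=00000000-0000-0000-0000-000000000000"
    "&response_type=code&scope=openid"
    "&redirect_uri=https%3A%2F%2Fredirect.example.invalid%2Fcallback"
)

if __name__ == "__main__":
    for key, value in inspect_authorize_link(SAMPLE_LINK).items():
        print(f"{key}: {value}")
```

The same check can run over every link extracted by a mail filter, alerting on the suspicious combination rather than trusting the visible host.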

  2. Deleted

    This answer has been deleted due to a violation of our Code of Conduct. The answer was manually reported or identified through automated detection before action was taken. Please refer to our Code of Conduct for more information.

