OAuth phishing / consent phishing
An attack that tricks a user into granting a malicious third-party app persistent OAuth access to their mailbox, files, or workspace — bypassing MFA entirely.
OAuth phishing — also called consent phishing or illicit consent grant — is an attack in which the user is steered onto a real Microsoft or Google OAuth consent screen for an attacker-controlled app, and persuaded to click Allow. The user’s password and MFA never leave the legitimate identity provider, so detection layers tuned for credential theft see nothing wrong. What they grant is an OAuth token that lets the malicious app read mail, exfiltrate Drive content, send on behalf of the user, or maintain that access for as long as the token isn’t revoked.
Defining properties:
- MFA-irrelevant. The user authenticates to the real Microsoft or Google. The token is then issued normally. Push, TOTP, even FIDO2 keys do not block the grant — they grant it.
- Persistent. Refresh tokens commonly last months. A password reset does not revoke them; only an explicit token revocation does.
- Filter-quiet. Subsequent API calls come from Microsoft / Google IP space with valid tokens — they look nothing like a credential-theft alert.
- Reuses brand trust. The consent screen is a real Microsoft / Google UI; the attacker only controls the app name and the requested scopes.
The 2021 Microsoft “OAuth phishing” advisory and subsequent threat-actor activity (Storm-0558 and others) elevated the technique from theoretical to standard tradecraft. Defenders typically respond with admin consent policies, app verification requirements, and tenant-wide restrictions on which apps can request which scopes — but these controls live or die on whether the catalog and the policy are kept up to date.
The behavioral layer matters because the residual is exactly what gets through: a benign-looking productivity tool requesting “read your mail” or “read your files,” scoped just narrowly enough that no admin policy blocks it. The defensive lever is recognition — through targeted simulation and a same-second nudge at the moment of grant — that any OAuth consent screen requesting mailbox, file, or send-as scope deserves the same scrutiny as a credential page. See also OAuth grant for the underlying SaaS risk pattern and shadow IT for the broader catalogue of unmanaged-app exposure.
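The residual described above (a user-consented app requesting mailbox, file, or send-as scope that no admin policy blocked) is what a consent-grant triage rule should surface. The following is an added example, not code from the original page or from any vendor: it scores simplified consent-grant audit records against an approved-app catalog. The record shape, the app ids, and the severity rules are this example's own assumptions; the permission names are real Microsoft Graph and Google scopes.

```python
from dataclasses import dataclass

# Scope families matching the page's risk pattern (mailbox, files, send-as).
# Permission names are real Microsoft Graph / Google scopes; the grouping into
# families and the severity rules below are this example's own.
SENSITIVE_SCOPES = {
    "mailbox": {"Mail.Read", "Mail.ReadWrite",
                "https://www.googleapis.com/auth/gmail.readonly"},
    "files": {"Files.Read", "Files.Read.All",
              "https://www.googleapis.com/auth/drive.readonly"},
    "send-as": {"Mail.Send", "https://www.googleapis.com/auth/gmail.send"},
}
PERSISTENCE_SCOPES = {"offline_access"}  # refresh token: outlives a password reset


@dataclass
class ConsentGrant:  # assumed simplified audit record, not a vendor schema
    user: str
    app_name: str
    app_id: str
    scopes: list


def triage(grant, approved_app_ids):
    # Returns (severity, reasons) for one consent-grant event.
    reasons, sensitive = [], False
    unapproved = grant.app_id not in approved_app_ids
    if unapproved:
        reasons.append("app not in approved catalog")
    for family, names in SENSITIVE_SCOPES.items():
        hit = sorted(set(grant.scopes) & names)
        if hit:
            sensitive = True
            reasons.append(f"{family} scope: {', '.join(hit)}")
    if set(grant.scopes) & PERSISTENCE_SCOPES:
        reasons.append("offline_access: refresh token survives password reset")
    if sensitive and unapproved:  # the residual the page describes
        return "high", reasons
    if sensitive or unapproved:
        return "medium", reasons
    return "low", reasons


# Constructed sample events; app ids are placeholders, not real registrations.
APPROVED_APP_IDS = {"app-id-expense-0002", "app-id-calendar-0003"}
SAMPLE_GRANTS = [
    ConsentGrant("alice@example.com", "PDF Converter Pro", "app-id-unknown-0001",
                 ["User.Read", "Mail.Read", "offline_access"]),
    ConsentGrant("bob@example.com", "Expense Tool", "app-id-expense-0002",
                 ["User.Read", "Files.Read.All"]),
    ConsentGrant("carol@example.com", "Team Calendar", "app-id-calendar-0003",
                 ["User.Read"]),
]
```

Run `triage(g, APPROVED_APP_IDS)` over each sample grant: the unapproved mail-reading app with a refresh token scores high, the approved file-reading app scores medium, and the approved app with only profile access scores low.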
Related terms
- Phishing: A social-engineering attack that impersonates a trusted entity to trick a person into surrendering credentials, money, or access — by email, SMS, voice, QR code, or OAuth consent.
- Spear-phishing: A targeted phishing attack crafted for a specific person or small group, using public OSINT to reach a credibility that bulk phishing cannot achieve.
- OAuth grant: An access token a user issues to a third-party application via OAuth, giving that app standing permission to read or write data inside another SaaS — often beyond MFA, often forever.
- Multi-factor authentication (MFA): An authentication scheme that requires two or more independent factors — something you know, have, or are — to verify a user, raising the cost of credential theft.
- Shadow IT: Software, SaaS, or cloud services in use inside an organization without IT or security approval — invisible to inventory, unmanaged, and rarely off-boarded.