OAuth Consent Phishing.

An identity attack that abuses the OAuth consent flow: instead of stealing a password, the attacker tricks the victim into granting their malicious app standing permissions (mail.read, files.read.all) on the victim's tenant. It belongs to the Attacks & Threats category of cybersecurity.

An identity attack that abuses the OAuth consent flow: instead of stealing a password, the attacker tricks the victim into granting their malicious app standing permissions (mail.read, files.read.all) on the victim's tenant.

OAuth consent phishing — also called 'illicit consent grant' — bypasses MFA and password security entirely by abusing legitimate identity flows. The attacker registers a third-party application in a target identity provider (Microsoft Entra ID, Google Workspace, Okta, GitHub) with broad permission scopes such as Mail.Read, Files.Read.All, or repo. They then send the victim a real OAuth authorization URL hosted on the IdP's domain ('login.microsoftonline.com', 'accounts.google.com') — TLS-pinned, MFA-honored, and bearing the IdP's branding. The victim clicks 'Accept', the IdP issues the attacker a refresh token, and the attacker can read mail, exfiltrate files, and post on the victim's behalf for as long as the consent stands, with no further authentication challenge. This was the technique behind Pawn Storm/APT28's 2016–2017 campaigns and remained the top-trending Entra ID risk in 2024–2025. Defenses include tenant policies that require admin approval for third-party apps, allowlists of pre-approved publishers, periodic revocation reviews, and user training to inspect the displayed permissions and publisher before clicking accept.

Defences for OAuth Consent Phishing typically combine technical controls and operational practices, as detailed in the full definition above.

Common alternative names include: Illicit consent grant, Application consent attack.