OAuth Consent Phishing.

An identity attack that abuses the OAuth consent flow: instead of stealing a password, the attacker tricks the victim into granting their malicious app standing permissions (mail.read, files.read.all) on the victim's tenant. Pertenece a la categoría de Ataques y amenazas en ciberseguridad.

An identity attack that abuses the OAuth consent flow: instead of stealing a password, the attacker tricks the victim into granting their malicious app standing permissions (mail.read, files.read.all) on the victim's tenant.

OAuth consent phishing — also called 'illicit consent grant' — bypasses MFA and password security entirely by abusing legitimate identity flows. The attacker registers a third-party application in a target identity provider (Microsoft Entra ID, Google Workspace, Okta, GitHub) with broad permission scopes such as Mail.Read, Files.Read.All, or repo. They then send the victim a real OAuth authorization URL hosted on the IdP's domain ('login.microsoftonline.com', 'accounts.google.com') — TLS-pinned, MFA-honored, and bearing the IdP's branding. The victim clicks 'Accept', the IdP issues the attacker a refresh token, and the attacker can read mail, exfiltrate files, and post on the victim's behalf for as long as the consent stands, with no further authentication challenge. This was the technique behind Pawn Storm/APT28's 2016–2017 campaigns and remained the top-trending Entra ID risk in 2024–2025. Defenses include tenant policies that require admin approval for third-party apps, allowlists of pre-approved publishers, periodic revocation reviews, and user training to inspect the displayed permissions and publisher before clicking accept.

Las defensas contra OAuth Consent Phishing combinan habitualmente controles técnicos y prácticas operativas, como se detalla en la definición.

Nombres alternativos comunes: Illicit consent grant, Application consent attack.