OAuth Consent Phishing.

An identity attack that abuses the OAuth consent flow: instead of stealing a password, the attacker tricks the victim into granting their malicious app standing permissions (mail.read, files.read.all) on the victim's tenant. サイバーセキュリティの 攻撃と脅威 カテゴリに属します。

An identity attack that abuses the OAuth consent flow: instead of stealing a password, the attacker tricks the victim into granting their malicious app standing permissions (mail.read, files.read.all) on the victim's tenant.

OAuth consent phishing — also called 'illicit consent grant' — bypasses MFA and password security entirely by abusing legitimate identity flows. The attacker registers a third-party application in a target identity provider (Microsoft Entra ID, Google Workspace, Okta, GitHub) with broad permission scopes such as Mail.Read, Files.Read.All, or repo. They then send the victim a real OAuth authorization URL hosted on the IdP's domain ('login.microsoftonline.com', 'accounts.google.com') — TLS-pinned, MFA-honored, and bearing the IdP's branding. The victim clicks 'Accept', the IdP issues the attacker a refresh token, and the attacker can read mail, exfiltrate files, and post on the victim's behalf for as long as the consent stands, with no further authentication challenge. This was the technique behind Pawn Storm/APT28's 2016–2017 campaigns and remained the top-trending Entra ID risk in 2024–2025. Defenses include tenant policies that require admin approval for third-party apps, allowlists of pre-approved publishers, periodic revocation reviews, and user training to inspect the displayed permissions and publisher before clicking accept.

OAuth Consent Phishing に対する防御は通常、上記の定義で述べたとおり、技術的統制と運用上の実践を組み合わせます。

一般的な別名: Illicit consent grant, Application consent attack。