OAuth Consent Phishing.

An identity attack that abuses the OAuth consent flow: instead of stealing a password, the attacker tricks the victim into granting their malicious app standing permissions (mail.read, files.read.all) on the victim's tenant. Относится к категории Атаки и угрозы в кибербезопасности.

An identity attack that abuses the OAuth consent flow: instead of stealing a password, the attacker tricks the victim into granting their malicious app standing permissions (mail.read, files.read.all) on the victim's tenant.

OAuth consent phishing — also called 'illicit consent grant' — bypasses MFA and password security entirely by abusing legitimate identity flows. The attacker registers a third-party application in a target identity provider (Microsoft Entra ID, Google Workspace, Okta, GitHub) with broad permission scopes such as Mail.Read, Files.Read.All, or repo. They then send the victim a real OAuth authorization URL hosted on the IdP's domain ('login.microsoftonline.com', 'accounts.google.com') — TLS-pinned, MFA-honored, and bearing the IdP's branding. The victim clicks 'Accept', the IdP issues the attacker a refresh token, and the attacker can read mail, exfiltrate files, and post on the victim's behalf for as long as the consent stands, with no further authentication challenge. This was the technique behind Pawn Storm/APT28's 2016–2017 campaigns and remained the top-trending Entra ID risk in 2024–2025. Defenses include tenant policies that require admin approval for third-party apps, allowlists of pre-approved publishers, periodic revocation reviews, and user training to inspect the displayed permissions and publisher before clicking accept.

Защита от OAuth Consent Phishing обычно сочетает технические меры и операционные практики, как описано в определении выше.

Распространённые альтернативные названия: Illicit consent grant, Application consent attack.