OAuth Consent Phishing.

An identity attack that abuses the OAuth consent flow: instead of stealing a password, the attacker tricks the victim into granting their malicious app standing permissions (mail.read, files.read.all) on the victim's tenant. 它属于网络安全的 攻击与威胁 分类。

An identity attack that abuses the OAuth consent flow: instead of stealing a password, the attacker tricks the victim into granting their malicious app standing permissions (mail.read, files.read.all) on the victim's tenant.

OAuth consent phishing — also called 'illicit consent grant' — bypasses MFA and password security entirely by abusing legitimate identity flows. The attacker registers a third-party application in a target identity provider (Microsoft Entra ID, Google Workspace, Okta, GitHub) with broad permission scopes such as Mail.Read, Files.Read.All, or repo. They then send the victim a real OAuth authorization URL hosted on the IdP's domain ('login.microsoftonline.com', 'accounts.google.com') — TLS-pinned, MFA-honored, and bearing the IdP's branding. The victim clicks 'Accept', the IdP issues the attacker a refresh token, and the attacker can read mail, exfiltrate files, and post on the victim's behalf for as long as the consent stands, with no further authentication challenge. This was the technique behind Pawn Storm/APT28's 2016–2017 campaigns and remained the top-trending Entra ID risk in 2024–2025. Defenses include tenant policies that require admin approval for third-party apps, allowlists of pre-approved publishers, periodic revocation reviews, and user training to inspect the displayed permissions and publisher before clicking accept.

针对 OAuth Consent Phishing 的防御通常结合技术控制与运营实践,详见上方完整定义。

常见的别称包括: Illicit consent grant, Application consent attack。