OAuth Phishing
An attack that tricks users into granting a malicious application OAuth consent, giving attackers persistent account access without requiring the user's password.
Definition
OAuth phishing, also known as consent phishing or an illicit consent grant attack, abuses the OAuth 2.0 authorization framework rather than any flaw in it. Instead of stealing a password, the attacker registers a malicious third-party application and directs the victim to a legitimate OAuth consent screen — often hosted on microsoft.com or accounts.google.com — asking them to grant permissions such as reading email, accessing contacts, or managing files. If the victim consents, the attacker's application receives a persistent OAuth token granting access to the victim's account.
Why It Matters
OAuth tokens are independent of the user's password and survive password resets, making this a preferred persistence mechanism in BEC and corporate espionage attacks. Because the consent prompt is served from a legitimate identity provider domain, it bypasses many phishing detection controls. Revocation requires explicit audit of authorized applications — an operational step most organizations lack the tooling or process to perform routinely. In Microsoft 365 environments, illicit consent grants have been used to exfiltrate email, calendar data, and SharePoint files for months after initial compromise.
How It Works
The attacker registers an application in a cloud identity platform (Azure AD, Google Cloud) and crafts a phishing email with a link that initiates an OAuth authorization request. The link specifies the desired permission scopes — which may be broad (Mail.ReadWrite, Files.ReadWrite.All) or narrow to avoid raising suspicion. The victim authenticates to their real identity provider and is shown a consent prompt that appears to come from a legitimate service. Once consent is granted, the attacker's application receives an access token and, if offline_access was requested, a refresh token enabling long-term access. The malicious app remains authorized until explicitly revoked.
DFIR Platform
BEC Investigation
The DFIR Lab BEC Investigation API includes an OAuth app audit endpoint that enumerates authorized third-party application consents for a tenant and flags applications exhibiting indicators of compromise — excessive permission scopes, recently registered publishers, and apps not present in the organization's approved baseline. Because OAuth tokens persist through password resets, this audit is a critical step in any BEC investigation.
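The two defender-side checks described above (triaging the scopes in an authorization link from the "How It Works" section, and auditing a tenant's consent grants against a baseline as the audit endpoint does) can be illustrated in a small script. This is an added example, not code from the page or from the DFIR Lab product: the identity-provider host, client IDs, app names, dates and the shape of the grant records are all constructed, and the list of broad scopes is an assumed starting point rather than a complete policy.

```python
"""Consent-phishing triage: authorization-URL scope review and consent-grant audit.

Constructed example. The sample URL, client IDs, app names and dates below are
made up; the grant record shape is a simplification of a tenant export.
"""
from datetime import datetime, timedelta, timezone
from urllib.parse import urlparse, parse_qs

# Delegated permissions whose grant yields broad mailbox/file/directory access.
# Assumed starting point for a policy, not an exhaustive list.
BROAD_SCOPES = {
    "Mail.Read", "Mail.ReadWrite", "Mail.Send", "MailboxSettings.ReadWrite",
    "Files.Read.All", "Files.ReadWrite.All", "Contacts.Read",
    "Calendars.ReadWrite", "Directory.Read.All",
}
# offline_access yields a refresh token, which is what survives a password reset.
PERSISTENCE_SCOPE = "offline_access"


def scope_findings(scopes):
    """Describe why a set of requested scopes is risky (empty list if it is not)."""
    findings = []
    broad = sorted(s for s in scopes if s in BROAD_SCOPES)
    if broad:
        findings.append("broad scopes: " + ", ".join(broad))
    if PERSISTENCE_SCOPE in scopes:
        findings.append("offline_access requested (refresh token persists past password reset)")
    return findings


def parse_authorization_request(url):
    """Pull the security-relevant parameters out of an OAuth 2.0 authorization URL."""
    parsed = urlparse(url)
    qs = parse_qs(parsed.query)
    scopes = set(qs.get("scope", [""])[0].split())  # scope is space-separated
    return {
        "authority": parsed.netloc,
        "client_id": qs.get("client_id", [None])[0],
        "redirect_uri": qs.get("redirect_uri", [None])[0],
        "scopes": scopes,
        "findings": scope_findings(scopes),
    }


def audit_consent_grants(grants, baseline, now, new_publisher_days=30):
    """Flag grants on the three indicators: unapproved app, new publisher, excessive scopes.

    baseline maps approved app_id -> set of scopes approved for that app, so an
    approved app is still flagged if its grant has grown beyond its approval.
    """
    flagged = []
    for g in grants:
        reasons = []
        scopes = set(g["scopes"].split())
        if g["app_id"] in baseline:
            extra = sorted(scopes - baseline[g["app_id"]])
            if extra:
                reasons.append("scopes beyond approved baseline: " + ", ".join(extra))
        else:
            reasons.append("not in approved baseline")
            reasons.extend(scope_findings(scopes))
        created = datetime.fromisoformat(g["publisher_created"])
        age = now - created
        if age < timedelta(days=new_publisher_days):
            reasons.append(f"publisher registered {age.days} days ago")
        if reasons:
            flagged.append({"app_id": g["app_id"], "app_name": g["app_name"], "reasons": reasons})
    return flagged


# --- constructed sample input -------------------------------------------------
SAMPLE_URL = (
    "https://login.example-idp.test/common/oauth2/v2.0/authorize"
    "?client_id=11111111-2222-3333-4444-555555555555&response_type=code"
    "&redirect_uri=https%3A%2F%2Fdocs-viewer.example.test%2Fcallback"
    "&scope=openid%20offline_access%20Mail.ReadWrite%20Files.ReadWrite.All"
)
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
APPROVED_BASELINE = {"aaaa-approved-crm": {"User.Read", "Contacts.Read"}}
SAMPLE_GRANTS = [
    {"app_id": "aaaa-approved-crm", "app_name": "Approved CRM",
     "scopes": "User.Read Contacts.Read", "publisher_created": "2021-03-10T00:00:00+00:00"},
    {"app_id": "11111111-2222-3333-4444-555555555555", "app_name": "Docs Viewer",
     "scopes": "openid offline_access Mail.ReadWrite Files.ReadWrite.All",
     "publisher_created": "2024-05-20T00:00:00+00:00"},
]

if __name__ == "__main__":
    print(parse_authorization_request(SAMPLE_URL))
    for hit in audit_consent_grants(SAMPLE_GRANTS, APPROVED_BASELINE, NOW):
        print(hit["app_name"], "->", "; ".join(hit["reasons"]))
```

On the sample data the approved CRM passes and the "Docs Viewer" grant is flagged on all three indicators plus offline_access; in practice the grant list would come from a tenant export and the baseline from the organization's application-approval records.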