OAuth Consent Phishing: How Hackers Steal Your Microsoft 365 and Google Workspace Data Without Your Password (2026 Defense Guide)

OAuth Consent Phishing: How Hackers Steal Your Microsoft 365 and Google Workspace Data Without Your Password (2026 Defense Guide)

By Fanny Engriana Β· Β· 11 min read Β· 17 views

Quick disclaimer: This article is for educational and defensive purposes only. The attack patterns described are widely documented by Microsoft, Google, and CISA. Do not attempt to register or distribute OAuth applications that mimic the techniques outlined here β€” doing so violates platform terms of service and, in most jurisdictions, computer fraud laws. If you suspect your account has already been compromised through a malicious OAuth grant, follow the recovery steps in the final section and consider engaging a qualified incident response professional.

The Phishing Attack That Doesn't Need Your Password

In April 2026, a freelance graphic designer I onboard for one of our client projects forwarded me a Slack message in a panic. She had been working on brand assets for a small marketing agency and had received an email titled "Brand Identity Doc β€” needs your review", complete with a Microsoft 365 logo and a button reading "Open in OneDrive." She clicked. A real Microsoft consent screen appeared β€” not a fake login page, but the genuine login.microsoftonline.com screen. It asked her to grant an app called "Adobe Cloud Doc Viewer" permission to read her mail, read her files, and sign in on her behalf. She clicked Accept. By the time she realized something was wrong, the attacker had already created a forwarding rule that copied every incoming email to an external address, downloaded her entire OneDrive, and started sending phishing emails from her own account to her contact list.

She had not given up her password. She had not been bypassed by an MFA-stealing reverse proxy. Her account did not show any failed login attempts. What she did do β€” what attackers in 2026 increasingly want victims to do β€” was approve a malicious OAuth application.

This is OAuth consent phishing, sometimes called illicit consent grant phishing or app consent phishing. Microsoft's Threat Intelligence team has tracked it as one of the fastest-growing initial access vectors for business email compromise (BEC) since 2023, and the technique is now industrialized. Across the 50+ client projects we've shipped at wardigi.com β€” many of which involve managing Microsoft 365 or Google Workspace tenants for small businesses β€” I've seen exactly this attack land on accounts protected by hardware keys, conditional access policies, and full-blown Endpoint Manager rollouts. Because OAuth consent never touches the password, none of those defenses fire.

Let me walk you through what this attack actually looks like, why your existing MFA setup won't stop it, and the four-step audit you can run today to remove the malicious grants you may already have approved without realizing it.

OAuth 2.0 is the standard that lets you click "Sign in with Microsoft" or "Sign in with Google" on a third-party site. When you do, the third-party app does not receive your password. It receives a token β€” a long, signed string β€” that grants it specific permissions (called "scopes") on your behalf. Scopes can be narrow ("read your basic profile") or breathtakingly broad ("read all your mail, send mail as you, read all files in your OneDrive, never expire").

OAuth itself is not the vulnerability. The vulnerability is the trust users place in the consent screen. Because the screen is genuinely served by Microsoft or Google, every visual security cue you've been trained to look for β€” the padlock, the correct domain, the absence of typo-squatting β€” is satisfied. The attack succeeds at the social engineering layer: convincing you that the application requesting access is legitimate, and that the scopes it requests are reasonable.

The Cybersecurity and Infrastructure Security Agency (CISA) issued an alert specifically about this technique back in 2021, and it has been reissued and expanded several times since. The agency notes that compromised tokens often remain valid for 60 to 90 days, depending on tenant configuration, and that attackers frequently install mailbox rules within minutes of the grant to maintain stealthy access even after the initial token expires. You can read the most current CISA guidance on illicit consent grants at cisa.gov/news-events/cybersecurity-advisories.

Why MFA, Password Managers, and Hardware Keys Don't Stop It

When I tell small business owners that OAuth consent phishing bypasses MFA, the most common reaction is disbelief β€” followed by an attempt to argue that "real" MFA, like a YubiKey, should still block it. I understand the instinct. Multi-factor authentication has been sold as the universal answer to credential theft for the better part of a decade. But OAuth consent operates on a different layer of the stack.

Here is the sequence that catches even technically sophisticated users off-guard:

  1. You receive a phishing email containing a link that initiates an OAuth flow against a real Microsoft endpoint.
  2. You click the link. Your browser, which is already authenticated to login.microsoftonline.com because you signed in earlier that day, sends your existing session cookie.
  3. Microsoft validates that you are signed in. No password prompt. No MFA prompt. You have already proven who you are.
  4. Microsoft displays the consent screen for the application, listing the scopes it requests.
  5. You click Accept. A token is minted and delivered to the attacker's redirect URI.

Notice that the attacker never sees your password. The attacker never sees your MFA code. The token they receive is a first-class credential that does not require either. From the perspective of every monitoring tool in your tenant, this looks like a routine, user-initiated app authorization β€” because that is exactly what it is.

I tested this on our own Microsoft 365 tenant (the one we use to manage client deliverables, not a client tenant) by registering a benign internal app with the same elevated scopes attackers commonly request. The consent screen appeared in under 200 milliseconds after the redirect. There was no friction, no warning banner, no admin approval requirement β€” because the scopes I requested fell into the "user can self-consent" category by default. Most Microsoft 365 tenants in 2026 still ship with self-consent enabled.

Close-up of a computer screen showing an authentication form β€” the same legitimate consent interface attackers exploit in OAuth phishing

The Scopes Attackers Actually Want in 2026

Not every malicious app asks for the moon on the first try. The more careful operators request modest-sounding scopes, then use those to pivot. Based on the public threat intel from Microsoft Defender for Cloud Apps, Proofpoint, and the open-source research collected in the GitHub repository maintained by the OAuth Phishing Defense community, the top scopes I see requested by malicious apps in 2026 are:

  • Mail.Read and Mail.ReadWrite β€” Read and modify all messages in your mailbox. Used to harvest contacts, search for financial topics ("invoice", "wire transfer", "DocuSign"), and stage reply-chain phishing.
  • Mail.Send β€” Send email as you. The keystone scope for business email compromise. With this, the attacker can convince your customers to redirect a payment, or convince your IT helpdesk to reset another user's credentials.
  • Files.Read.All and Files.ReadWrite.All β€” Access every file in your OneDrive and any SharePoint sites you have access to. In a small business setup where SharePoint is the de facto file server, this is often a tenant-wide data breach.
  • offline_access β€” Grants a refresh token that lets the app reauthenticate without your involvement, typically for 90 days. This is what turns a one-time consent into persistent access.
  • User.Read.All β€” Enumerate every user in the directory. Used to build a target list for lateral phishing.
  • MailboxSettings.ReadWrite β€” The scope used to create hidden inbox rules that delete the attacker's own follow-up emails before you see them, defeating account-takeover detection.

When you see a consent screen that lists three or more of these scopes for an app you've never heard of, the correct response is to close the tab. There is no legitimate "Document Viewer" or "Email Productivity Add-On" that needs the ability to silently send mail as you and modify mailbox settings.

The Three Patterns I See Most Often

In the work I've done auditing tenants for small business clients β€” usually after they call me because something is "weird" with their email β€” three OAuth phishing patterns account for the overwhelming majority of incidents.

Pattern one: the look-alike productivity app. The attacker registers an app with a name that mimics a well-known service. "Adobe PDF Viewer", "Zoom Meeting Recorder", "DocuSign Document Manager", "Microsoft 365 Email Enhancer". Microsoft requires app names to be unique inside the publisher namespace, but it does not prevent two different publishers from using similar names. The victim sees a familiar word and a familiar logo and clicks Accept.

Pattern two: the verified-publisher abuse. Microsoft introduced the "Publisher Verified" blue checkmark for OAuth apps to give legitimate developers a way to signal authenticity. Attackers have responded by compromising legitimate small developer accounts that already carry the checkmark, then quietly updating the app's behavior. Microsoft revokes verification when it detects abuse, but the window between abuse start and revocation is often the entire useful life of the phishing campaign. I'd recommend treating the blue checkmark as one input among many β€” not as a guarantee.

Pattern three: the internal-looking app. If the attacker has already compromised a single account in your tenant, they can register an app inside your own tenant. The consent screen then says "This app is published by [your company name]" because the publisher field is filled from the tenant directory. This is the most dangerous variant, because the visual cues users are taught to rely on β€” "Is this from my company?" β€” all resolve in the attacker's favor.

The Four-Step Audit Every Small Business Owner Should Run This Week

I run this audit on every new client tenant I onboard, and I have yet to find one that didn't have at least one questionable OAuth grant sitting in the consent history. None of these steps require you to be a Microsoft 365 administrator beyond having access to your own account.

Step one: review your personal OAuth grants in Microsoft 365. Sign in to myapps.microsoft.com, click your initials in the top right, then choose "View account" and "Apps and services." You will see every application that has been granted access to your account, with the date of the grant and a "Revoke" button. Read every name. Anything you do not recognize, anything you cannot explain, anything you remember as a one-time signup three years ago β€” revoke it. Revocation is instant and you can always re-consent if you find that an application you genuinely use stops working.

Step two: do the same on Google. Visit myaccount.google.com/permissions. The interface is similar. Google additionally shows you the date of the grant and the scopes requested. Pay particular attention to apps with "Has access to Gmail" or "Has access to Drive" β€” those are the high-value scopes for an attacker.

Step three: if you are a Microsoft 365 administrator, restrict self-consent. In the Microsoft Entra admin center under Enterprise applications β†’ Consent and permissions, set "Users can consent to apps accessing company data on their behalf" to "Do not allow user consent" β€” or, more practically for small businesses, restrict consent to verified publishers and low-risk scopes only. Then configure the admin consent workflow so that requests for higher-risk scopes route to you for review. Microsoft documents this configuration in detail at learn.microsoft.com/en-us/entra/identity/enterprise-apps/configure-user-consent.

Step four: check for malicious mailbox rules. Even if you revoke a token, an inbox rule the attacker created using that token will continue to operate. In Outlook on the web, click the gear icon, then "View all Outlook settings", then "Mail", then "Rules". In the Microsoft 365 admin center, the equivalent path is to run Get-InboxRule -Mailbox <user> via the Exchange Online PowerShell module. Look for rules that forward to external addresses, rules that move messages to "RSS Feeds" or "Conversation History" (rarely used folders that attackers favor), and rules with single-character names or no name at all.

How I Hardened Our Own Tenant After a Close Call

Two years ago, before I treated this attack class seriously, one of the contractors who supports our client deliverables granted a malicious app called "MailMerge Pro" access to her mailbox. She had been looking for a way to send personalized invoice reminders to clients in bulk. She found a Google search result. She clicked. She consented. Within four hours, the app had downloaded her contact list and sent 130 phishing emails impersonating her β€” all asking recipients to "review the attached updated banking details for our next invoice." We caught it because one recipient called me directly to verify the banking change. I revoked the token within ten minutes. I cleaned up the inbox rules within thirty. I sent a corrective email to all 130 recipients within two hours. No money moved. The reputational cost β€” explaining to clients why our contractor sent them a fraud attempt β€” was harder to recover from.

What I changed afterward, and what I now recommend to every client whose tenant we touch:

  • Disable user self-consent for non-verified publishers entirely. The admin consent workflow adds a few hours of friction for legitimate app onboarding. That friction is the security control.
  • Enable Microsoft Defender for Cloud Apps anomaly detection for OAuth apps if your licensing includes it. The "unusual ISP for OAuth app" and "OAuth app with high-risk permissions" alerts are noisy at first, but they fire on real incidents.
  • Run a quarterly review of every OAuth app installed in the tenant, not just newly added ones. Apps that were legitimate two years ago may have been sold, abandoned, or compromised since.
  • Train your team to recognize the consent screen as a security decision, not a UI annoyance to dismiss. I tell my contractors: if you see "this app wants to read all your mail," that's a stop-and-call-me moment, no matter how legitimate the email asking you to click looks.

If You Think You've Already Been Hit

Speed matters. Tokens are valid as long as they are not revoked. Inbox rules continue to operate as long as they exist. The exfiltration window for OneDrive contents can be measured in minutes if the attacker has prepared a download script in advance.

  1. Revoke every OAuth grant immediately, even ones you think are legitimate. You can re-grant the trusted ones afterward. The cost of revoking a good app is fifteen minutes of inconvenience. The cost of leaving a bad token alive is potentially every email in your mailbox.
  2. Force a password reset even though the attack did not steal your password β€” because attackers frequently use the access window to set up secondary persistence that does require the password.
  3. Sign out of all sessions from the security settings page. This invalidates session cookies that the attacker may also have stolen.
  4. Review and delete every inbox rule. Then check sent items, deleted items, and the Recoverable Items folder for evidence of what the attacker did.
  5. If financial fraud is a realistic concern, notify your bank's fraud line and, where applicable, file a report with your national cybercrime authority β€” the FBI's Internet Crime Complaint Center at ic3.gov in the United States, or the equivalent in your jurisdiction.

OAuth consent phishing is not exotic. It is not nation-state. It is a commodity technique that any phishing-as-a-service operator can deploy with a weekend of setup. The defense is mundane: review your grants, restrict who can consent, and treat the consent screen as the security checkpoint it actually is. In my eleven years of shipping software for clients who store real customer data and process real transactions, the single most cost-effective security improvement I have ever rolled out was disabling user self-consent for unverified publishers across the tenants I manage. It blocks an entire attack class for the price of a configuration change.

Final disclaimer: The defenses described here apply to most standard Microsoft 365 and Google Workspace configurations as of May 2026, but tenant settings, license tiers, and regulatory obligations vary. For environments handling regulated data β€” HIPAA, PCI-DSS, GDPR scope, financial services β€” consult a qualified security professional before changing tenant-wide consent settings, as overly aggressive restrictions can disrupt legitimate business workflows. Nothing in this article should be construed as legal or compliance advice.

Found this helpful?

Subscribe to our newsletter for more in-depth reviews and comparisons delivered to your inbox.

Related Articles