The New Phishing Click: How OAuth Consent Bypasses MFA
In February 2026, a phishing-as-a-service (PhaaS) platform named EvilTokens emerged, swiftly compromising over 340 Microsoft 365 organizations across five countries within five weeks. Victims received messages asking them to visit microsoft.com/devicelogin, the entry point for the OAuth 2.0 device authorization grant, enter a short code, and complete their usual multi-factor authentication (MFA) challenge. The code had been generated by the attacker's client, so finishing the flow delivered a valid refresh token to that client, carrying the user's access to mailboxes, drives, calendars, and contacts. Refresh token lifetimes are governed by tenant policy and routinely outlast a browser session.
Remarkably, the attackers never needed a password, never triggered an additional MFA prompt, and the sign-in events they did generate looked like the user's own successful, MFA-satisfied sign-in rather than an intrusion. The success stemmed from users' habitual acceptance of OAuth consent screens and from credential phishing defenses that stop at the password and never inspect the consent or token layer.
Understanding OAuth Consent Phishing
Security experts term this phenomenon consent phishing or OAuth grant abuse. Historically, phishing attacks aimed to extract passwords; now, a single click can hand over a refresh token, effectively bypassing many organizations’ identity controls.
Why MFA Fails to Detect OAuth Grants
Traditional credential phishing involves capturing usernames and passwords, which, when replayed, typically prompt MFA challenges. Even advanced adversary-in-the-middle (AiTM) attacks produce session cookies linked to sign-in events that security information and event management (SIEM) systems can correlate with user behavior.
In contrast, an OAuth grant involves no replayed credentials. The user authenticates through the legitimate identity provider, completes the MFA challenge on the official domain, and clicks Accept. The resulting access token is signed by the identity provider and scoped to what the user consented to, and when offline_access is among the scopes it comes with a refresh token. MFA was genuinely satisfied by the legitimate user; it has no say over who holds the token afterwards, so it cannot block this process.
Furthermore, refresh tokens extend the attack window. Tokens obtained by platforms like EvilTokens remain valid for weeks or months, depending on tenant configuration. A password reset alone is not enough: even where the identity provider revokes refresh tokens on password change (Entra ID does), the consent grant itself survives and the application stays authorized to obtain tokens again. Ending the access requires removing the grant and revoking the user's refresh tokens explicitly.
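The distinction above has a practical consequence for detection: the sign-in produced by a device-code or consent-phishing flow is a real, MFA-satisfied sign-in by the real user, so the discriminator is not failure but protocol and context. The following is an added example written for this page, not code from the article or from any vendor it names. It runs three checks over Entra ID-style records: sign-ins completed through the device authorization grant, user consents that pair offline_access with a high-value scope, and non-interactive token redemptions from an address the user never signed in from interactively. All records are constructed; field names follow the Microsoft Graph signIn and directoryAudit resources as assumed here, and the ConsentAction.Permissions value is simplified to "[[Scope: ...]]".

```python
"""Added example (not from the article): triage of constructed Entra ID-style
sign-in and audit records for the device-code / consent-phishing pattern."""
import re
from datetime import datetime, timedelta, timezone

# Scopes whose grant to a refresh-token holder is worth an analyst's attention.
HIGH_VALUE_SCOPES = {"Mail.Read", "Mail.ReadWrite", "Files.Read.All",
                     "Files.ReadWrite.All", "Calendars.Read", "Contacts.Read"}

# Constructed sample sign-ins (subset of Graph signIn fields; assumed names).
SIGN_INS = [
    {"userPrincipalName": "finance.user@contoso.example",
     "createdDateTime": "2026-02-11T08:31:00Z", "isInteractive": True,
     "authenticationProtocol": "oAuth2", "appDisplayName": "Microsoft Teams",
     "ipAddress": "198.51.100.20", "status": {"errorCode": 0}},
    {"userPrincipalName": "finance.user@contoso.example",
     "createdDateTime": "2026-02-11T09:02:14Z", "isInteractive": True,
     "authenticationProtocol": "deviceCode", "appDisplayName": "Microsoft Office",
     "ipAddress": "198.51.100.20", "status": {"errorCode": 0}},
    # Refresh-token redemption hours later from an address this user never used.
    {"userPrincipalName": "finance.user@contoso.example",
     "createdDateTime": "2026-02-11T13:40:09Z", "isInteractive": False,
     "authenticationProtocol": "oAuth2", "appDisplayName": "Microsoft Office",
     "ipAddress": "203.0.113.7", "status": {"errorCode": 0}},
    {"userPrincipalName": "dev.user@contoso.example",
     "createdDateTime": "2026-02-11T10:15:00Z", "isInteractive": True,
     "authenticationProtocol": "oAuth2", "appDisplayName": "Azure Portal",
     "ipAddress": "198.51.100.44", "status": {"errorCode": 0}},
]

# Constructed sample audit entries for user consent (simplified newValue format).
AUDITS = [
    {"activityDisplayName": "Consent to application",
     "activityDateTime": "2026-02-11T09:02:20Z",
     "initiatedBy": {"user": {"userPrincipalName": "finance.user@contoso.example"}},
     "targetResources": [{"displayName": "Mail Sync Helper", "modifiedProperties": [
         {"displayName": "ConsentAction.Permissions",
          "newValue": "[[Scope: Mail.Read offline_access]]"}]}]},
    {"activityDisplayName": "Consent to application",
     "activityDateTime": "2026-02-10T16:00:00Z",
     "initiatedBy": {"user": {"userPrincipalName": "dev.user@contoso.example"}},
     "targetResources": [{"displayName": "Timesheet App", "modifiedProperties": [
         {"displayName": "ConsentAction.Permissions",
          "newValue": "[[Scope: User.Read]]"}]}]},
]


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def device_code_sign_ins(sign_ins):
    """Successful sign-ins completed through the device authorization grant."""
    return [s for s in sign_ins
            if s["authenticationProtocol"] == "deviceCode"
            and s["status"]["errorCode"] == 0]


def consent_scopes(audit):
    """(user, app, scopes) granted by one 'Consent to application' event."""
    upn = audit["initiatedBy"]["user"]["userPrincipalName"]
    target = audit["targetResources"][0]
    scopes = set()
    for prop in target["modifiedProperties"]:
        if prop["displayName"] == "ConsentAction.Permissions":
            m = re.search(r"Scope:\s*([^,\]]+)", prop["newValue"])
            if m:
                scopes |= set(m.group(1).split())
    return upn, target["displayName"], scopes


def risky_consents(audits):
    """User consents that pair offline_access (a refresh token) with a high-value scope."""
    out = []
    for a in audits:
        if a["activityDisplayName"] != "Consent to application":
            continue
        upn, app, scopes = consent_scopes(a)
        if "offline_access" in scopes and scopes & HIGH_VALUE_SCOPES:
            out.append((upn, app, sorted(scopes)))
    return out


def token_use_from_new_ip(sign_ins, window_hours=24):
    """Non-interactive token redemptions within window_hours of a device-code
    sign-in by the same user, from an IP absent from that user's interactive history."""
    flagged = []
    for dc in device_code_sign_ins(sign_ins):
        upn, start = dc["userPrincipalName"], _ts(dc["createdDateTime"])
        known_ips = {s["ipAddress"] for s in sign_ins
                     if s["userPrincipalName"] == upn and s["isInteractive"]}
        for s in sign_ins:
            if (s["userPrincipalName"] == upn and not s["isInteractive"]
                    and start <= _ts(s["createdDateTime"]) <= start + timedelta(hours=window_hours)
                    and s["ipAddress"] not in known_ips):
                flagged.append((upn, s["appDisplayName"], s["ipAddress"]))
    return flagged


def triage(sign_ins, audits):
    return {"device_code": [(s["userPrincipalName"], s["createdDateTime"])
                            for s in device_code_sign_ins(sign_ins)],
            "risky_consents": risky_consents(audits),
            "new_ip_token_use": token_use_from_new_ip(sign_ins)}


if __name__ == "__main__":
    for name, hits in triage(SIGN_INS, AUDITS).items():
        print(name, hits)
```

The first check alone is noisy in tenants where engineers use the device flow from the Azure CLI; the third check is what separates a victim from a legitimate user, because the attacker's polling client, not the victim's browser, is the one redeeming the refresh token afterwards.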
The Normalization of Consent
The risk associated with OAuth consent has escalated due to environmental changes. Users are now conditioned to swiftly click through consent screens, much like they do with cookie banners. The proliferation of AI agents, productivity integrations, and browser extensions has inundated users with legitimate consent requests. Consequently, the volume of consent prompts a knowledge worker encounters monthly surpasses previous expectations.
The language used in consent scopes often downplays the actual risk. For instance, a scope labeled Read your mail might seem limited but grants access to every message, attachment, and shared thread the user can reach. Similarly, wording such as Access files when you're not present describes the refresh-token scope (offline_access in Microsoft identity platform terms): a long-lived token that keeps working while the user is not at the keyboard to notice or revoke it. This disconnect between consent language and operational reach creates fertile ground for attackers.
Formation of Toxic Combinations
A single OAuth consent can provide an attacker with a foothold in one application. However, the real danger arises when these footholds intersect.
Consider a scenario where a finance employee grants an AI meeting summarizer access to their calendar and mailbox. Later, the same employee allows a productivity assistant access to the company’s shared drive. A third grant connects a CRM enrichment tool to the customer database. Each grant was approved individually, without any application owner authorizing the combination. This results in a toxic combination, where the compromise of one application can cascade across multiple systems through a single user identity.
Such combinations exist outside the purview of any single application’s audit log, making them challenging to detect.
Steps to Mitigate OAuth Consent Risks
Addressing this issue requires treating OAuth consent with the same rigor as authentication processes. Key areas to review include:
– OAuth Application Inventory: Maintain a continuously updated list of third-party apps holding refresh tokens in the tenant.
– Grant Age and Re-Consent: Identify tokens issued over 30 days ago without re-consent and surface them for review.
– Cross-Application Identities: Flag identities holding grants across three or more SaaS applications for further examination.
– Agent and Integration Bridges: Monitor AI agents and integrations that bridge systems without explicit authorization.
– Consent-Layer Policy: Restrict what users may consent to on their own (for example, verified publishers and low-risk permissions only) and route everything else through an admin consent workflow, so the consent layer is gated like a sign-in rather than left as self-service.
– Token-Level Revocation: Develop playbooks to revoke individual OAuth tokens without suspending the user.
While procedural discipline is essential, the rapid formation of these bridges necessitates continuous monitoring of the runtime layer where they occur.
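The checks in the list above, and the finance-employee scenario in the toxic-combinations section, can be run against an export of the tenant's grants. The following is an added example written for this page; it is not code from the article or from Reco. Records are constructed. Grant fields follow the Microsoft Graph oauth2PermissionGrant resource (id, clientId, principalId, consentType, scope), except consentedAt, which Graph does not expose on the grant and is assumed here to have been joined in from the matching "Consent to application" audit event. The revocation step only builds the Graph requests; it does not send them.

```python
"""Added example (not from the article or from Reco): grant-inventory review
against the checks above, with constructed data and a fixed clock."""
from datetime import datetime, timedelta, timezone

GRAPH = "https://graph.microsoft.com/v1.0"
NOW = datetime(2026, 3, 1, tzinfo=timezone.utc)  # fixed clock for reproducibility

# Data families an analyst groups scopes into, keyed by scope prefix (assumed grouping).
SCOPE_FAMILY = {"Mail": "mail", "Calendars": "calendar", "Contacts": "contacts",
                "Files": "files", "Sites": "files"}

# Constructed service principals (third-party apps) keyed by object id.
APPS = {"sp-100": "AI Meeting Summarizer", "sp-200": "Productivity Assistant",
        "sp-300": "CRM Enrichment", "sp-400": "Timesheet App"}

# Constructed grants; consentType "Principal" means a single user consented.
GRANTS = [
    {"id": "g1", "clientId": "sp-100", "principalId": "u-finance", "consentType": "Principal",
     "scope": "Calendars.Read Mail.Read offline_access", "consentedAt": "2026-01-05T10:00:00Z"},
    {"id": "g2", "clientId": "sp-200", "principalId": "u-finance", "consentType": "Principal",
     "scope": "Files.ReadWrite.All offline_access", "consentedAt": "2026-02-20T10:00:00Z"},
    {"id": "g3", "clientId": "sp-300", "principalId": "u-finance", "consentType": "Principal",
     "scope": "Contacts.Read offline_access", "consentedAt": "2026-02-25T10:00:00Z"},
    {"id": "g4", "clientId": "sp-400", "principalId": "u-dev", "consentType": "Principal",
     "scope": "User.Read", "consentedAt": "2025-11-01T10:00:00Z"},
]


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def scopes_of(grant):
    return set(grant["scope"].split())


def stale_grants(grants, now=NOW, max_age_days=30):
    """Grants older than max_age_days with no re-consent, as (id, holds_refresh_token).
    offline_access marks the grants where a token may still be refreshing silently."""
    cutoff = now - timedelta(days=max_age_days)
    return [(g["id"], "offline_access" in scopes_of(g))
            for g in grants if _ts(g["consentedAt"]) < cutoff]


def cross_app_identities(grants, min_apps=3):
    """Identities holding grants across min_apps or more applications."""
    apps = {}
    for g in grants:
        apps.setdefault(g["principalId"], set()).add(g["clientId"])
    return {p: sorted(a) for p, a in apps.items() if len(a) >= min_apps}


def toxic_combinations(grants, min_families=2):
    """Identities whose separately approved refresh-token grants together reach
    min_families or more data families. No single app was approved for the union;
    compromise of any one app reaches everything in the map through that identity."""
    reach = {}
    for g in grants:
        if "offline_access" not in scopes_of(g):
            continue
        for scope in scopes_of(g):
            family = SCOPE_FAMILY.get(scope.split(".")[0])
            if family:
                reach.setdefault(g["principalId"], {}).setdefault(family, set()) \
                    .add(APPS.get(g["clientId"], g["clientId"]))
    return {p: {f: sorted(a) for f, a in fams.items()}
            for p, fams in reach.items() if len(fams) >= min_families}


def revocation_requests(grant):
    """Graph calls that cut one app's access while the user account stays enabled.
    Deleting the grant removes the consent, so the app's next refresh fails until the
    user consents again; revokeSignInSessions invalidates every refresh token the user
    holds, so other apps re-authenticate too. Access tokens already issued remain
    valid until they expire. For consentType AllPrincipals the delete affects all users."""
    return [
        ("DELETE", f"{GRAPH}/oauth2PermissionGrants/{grant['id']}", None),
        ("POST", f"{GRAPH}/users/{grant['principalId']}/revokeSignInSessions", {}),
    ]


if __name__ == "__main__":
    print("stale:", stale_grants(GRANTS))
    print("cross-app:", cross_app_identities(GRANTS))
    print("toxic:", toxic_combinations(GRANTS))
    for method, url, body in revocation_requests(GRANTS[0]):
        print(method, url, body)
```

On the constructed data the finance identity alone bridges mail, calendar, files, and contacts through three apps that each hold a refresh token, which is exactly the combination no application owner ever approved as a whole.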
Role of AI Security Platforms
Emerging platforms are designed to address these challenges automatically. They map every OAuth grant, AI agent, and third-party integration into the identity graph upon issuance, rather than waiting for periodic audits. This approach surfaces bridges, unused tokens, and policy deviations as part of a continuous operational queue.
For example, Reco integrates AI agent security, identity governance, and threat detection into a unified control plane. Its Identity Knowledge Graph connects human and non-human identities to the applications, OAuth grants, and integrations they can access across the SaaS environment.
The platform continuously discovers AI agents and OAuth grants as they appear, maps each scope back to the approving identity, monitors behavior for policy deviations, and revokes access at the token level rather than at the user account. This provides security teams with visibility into the runtime layer where these trust relationships form.
Consent phishing is poised to become a more prominent threat. While phishing-resistant authentication has received significant investment and scrutiny, the consent layer still operates largely on trust.
Category: Security News