{"id":96275,"date":"2026-06-03T06:00:58","date_gmt":"2026-06-03T00:30:58","guid":{"rendered":"https:\/\/exigotech.co\/au\/blog\/auto-draft"},"modified":"2026-06-01T14:47:54","modified_gmt":"2026-06-01T09:17:54","slug":"oauth-consent-phishing-in-microsoft-365","status":"publish","type":"post","link":"https:\/\/exigotech.co\/au\/blog\/oauth-consent-phishing-in-microsoft-365","title":{"rendered":"OAuth (Open Authorisation) Consent Phishing in Microsoft 365: How Attackers Are Bypassing MFA Without Stealing Passwords"},"content":{"rendered":"<p>Passwords and <a href=\"\/au\/services\/managed-it-services\/managed-cybersecurity-services\">multi-factor authentication<\/a> have long been seen as the foundation of business security.<\/p>\n<p>But attackers are now finding ways to bypass both, without stealing passwords at all.<\/p>\n<p>One growing threat is <a href=\"\/au\/blog\/cybersecurity-awareness-month-2025\">OAuth consent phishing<\/a>. This attack targets the way users grant access to third-party applications in Microsoft 365. Instead of tricking users into entering their password on a fake login page, attackers trick them into approving a malicious application.<\/p>\n<p>Once approved, that application can access emails, files, and other Microsoft 365 data using legitimate tokens.<\/p>\n<p>This makes the attack difficult to detect and dangerous for businesses that rely heavily on Microsoft 365.<\/p>\n<p>At Exigo Tech, we act as your <strong>Managed Intelligence Partner<\/strong>, delivering managed IT security services, expert-led IT security consulting, and specialised support from experienced IT security consultants and IT security specialists to help Australian organisations stay ahead of evolving threats like OAuth consent phishing.<script type=\"application\/ld+json\">\n{\n  \"@context\": \"https:\/\/schema.org\",\n  \"@type\": \"FAQPage\",\n  \"mainEntity\": [\n    {\n      \"@type\": \"Question\",\n      \"name\": \"What is OAuth consent phishing?\",\n      \"acceptedAnswer\": {\n        \"@type\": \"Answer\",\n        \"text\": \"OAuth consent phishing is a cyberattack where users are tricked into granting a malicious application access to Microsoft 365 data through OAuth permissions.\"\n      }\n    },\n    {\n      \"@type\": \"Question\",\n      \"name\": \"Can OAuth consent phishing bypass MFA?\",\n      \"acceptedAnswer\": {\n        \"@type\": \"Answer\",\n        \"text\": \"Yes. Once a user grants consent to a malicious application, attackers can use legitimate OAuth tokens to access data without repeatedly triggering MFA.\"\n      }\n    },\n    {\n      \"@type\": \"Question\",\n      \"name\": \"What data can attackers access through OAuth phishing?\",\n      \"acceptedAnswer\": {\n        \"@type\": \"Answer\",\n        \"text\": \"Attackers may gain access to emails, attachments, OneDrive files, SharePoint data, calendars, and internal communications.\"\n      }\n    },\n    {\n      \"@type\": \"Question\",\n      \"name\": \"How can organisations prevent OAuth consent phishing?\",\n      \"acceptedAnswer\": {\n        \"@type\": \"Answer\",\n        \"text\": \"Organisations should restrict app consent permissions, implement security monitoring, educate users, and regularly review authorised applications.\"\n      }\n    },\n    {\n      \"@type\": \"Question\",\n      \"name\": \"Why is OAuth consent phishing difficult to detect?\",\n      \"acceptedAnswer\": {\n        \"@type\": \"Answer\",\n        \"text\": \"The attack uses legitimate Microsoft authentication and access tokens, making malicious activity appear like normal authorised application usage.\"\n      }\n    }\n  ]\n}\n<\/script><\/p>\n<div class=\"latest-blog\"><div class=\"latestblognpost\"><em><b>Read More: <\/b><\/em><a href=\"https:\/\/exigotech.co\/au\/blog\/it-security-for-councils-protecting-public-services-data-and-community-trust\">IT Security for Councils: Protecting Public Services, Data, and Community Trust<\/a><\/div><\/div>\n<h2><strong>What Is OAuth Consent Phishing?<\/strong><\/h2>\n<p>OAuth is an authorisation protocol used by Microsoft 365 and many other platforms.<\/p>\n<p>It allows third-party applications to <a href=\"\/au\/services\/security\/essential-eight\">access user data<\/a> without requiring the user\u2019s password directly.<\/p>\n<p>For example, a CRM tool, project management platform, or email marketing system may request permission to access email, calendar, or files.<\/p>\n<p>In a legitimate scenario, this improves productivity.<\/p>\n<p>In an OAuth consent phishing attack, cybercriminals abuse the same process.<\/p>\n<p>They create a malicious application that looks trustworthy and trick users into granting it access. Once consent is given, the attacker\u2019s application may be able to:<\/p>\n<ul>\n<li>Read and search emails<\/li>\n<li>Access attachments<\/li>\n<li>Access files in OneDrive and SharePoint<\/li>\n<li>Monitor internal communications<\/li>\n<li>Create inbox rules to hide suspicious activity<\/li>\n<li>Maintain access even after a password change<\/li>\n<\/ul>\n<p>Because the access is granted through legitimate Microsoft tokens, MFA may not be triggered again after the initial consent.<\/p>\n<p>That is what makes this attack so effective.<\/p>\n<h3><strong>Why This Threat Is Growing<\/strong><\/h3>\n<p>OAuth consent phishing is not completely new, but it is becoming more common and more sophisticated.<\/p>\n<p>In May 2026, the FBI issued a public service announcement warning about Kali365, a phishing-as-a-service platform designed to capture OAuth tokens and gain <a href=\"\/au\/managed-cybersecurity-services-for-business-resilience\">persistent access to Microsoft 365 environments<\/a>.<\/p>\n<p>Researchers also reported that another platform, EvilTokens, compromised more than 340 Microsoft 365 organisations across five countries within five weeks of going live.<\/p>\n<p>This shows a clear shift in how attackers are targeting identity systems.<\/p>\n<p><a href=\"https:\/\/exigotech.co\/lp\/managed-services-health-check\/\"><img decoding=\"async\" class=\"aligncenter size-full wp-image-96288\" src=\"https:\/\/exigotech.co\/wp-content\/uploads\/2026\/06\/cta-oauth-consent-phishing-blog-062026-01.webp\" alt=\"CTA- Review Your Microsoft 365 Security Posture\" width=\"891\" height=\"211\" srcset=\"https:\/\/exigotech.co\/wp-content\/uploads\/2026\/06\/cta-oauth-consent-phishing-blog-062026-01.webp 891w, https:\/\/exigotech.co\/wp-content\/uploads\/2026\/06\/cta-oauth-consent-phishing-blog-062026-01-480x114.webp 480w\" sizes=\"(min-width: 0px) and (max-width: 480px) 480px, (min-width: 481px) 891px, 100vw\" \/><\/a><\/p>\n<h3><strong>How the Attack Works<\/strong><\/h3>\n<p>OAuth consent phishing usually follows a simple but effective process.<\/p>\n<h4><strong>The Lure<\/strong><\/h4>\n<p>The attack often starts with a phishing email designed to create urgency.<\/p>\n<p><strong>Common examples include:<\/strong><\/p>\n<ul>\n<li>\u201cA document has been shared with you\u201d<\/li>\n<li>\u201cYour invoice requires approval\u201d<\/li>\n<li>\u201cIT requires you to verify your account\u201d<\/li>\n<li>\u201cNew voicemail message\u201d<\/li>\n<\/ul>\n<p>The link may take the user to a legitimate Microsoft authentication or consent page.<\/p>\n<p>This is one reason the attack is so convincing.<\/p>\n<h4><strong>The Consent Request<\/strong><\/h4>\n<p>Unlike traditional phishing, the user is not always taken to a fake login page.<\/p>\n<p>Instead, they may see a real Microsoft <a href=\"\/au\/services\/security\/zero-trust-security-assessment\">consent screen<\/a>.<\/p>\n<p><strong>The malicious application may request permissions such as:<\/strong><\/p>\n<ul>\n<li>Read<\/li>\n<li>ReadWrite<\/li>\n<li>Read.All<\/li>\n<li>offline_access<\/li>\n<\/ul>\n<p>The user may complete their normal MFA process and believe they have safely verified access.<\/p>\n<p>But in reality, they have approved a malicious application.<\/p>\n<h4><strong>Silent Access and Persistence<\/strong><\/h4>\n<p>Once consent is granted, the attacker receives OAuth access and refresh tokens.<\/p>\n<p>These tokens can allow API-level access to Microsoft 365 resources without exposing the user\u2019s password.<\/p>\n<p>Password resets may not remove this access.<\/p>\n<p>Only explicit revocation or stronger conditional access controls can close the gap.<\/p>\n<div class=\"latest-blog\"><div class=\"latestblognpost\"><em><b>Read More: <\/b><\/em><a href=\"https:\/\/exigotech.co\/au\/blog\/it-health-check-for-healthcare\">IT Health Check for Healthcare: Improving Security, Performance, and Continuity of Care<\/a><\/div><\/div>\n<h3><strong>Who Is Most at Risk?<\/strong><\/h3>\n<p>OAuth consent phishing can affect any Microsoft 365 environment, but some organisations are more exposed than others.<\/p>\n<p><strong>This includes:<\/strong><\/p>\n<ul>\n<li>Small and mid-sized businesses<\/li>\n<li>Organisations that allow users to consent to third-party apps<\/li>\n<li>Businesses with frequent supplier and vendor communication<\/li>\n<li>Teams that rely heavily on shared documents<\/li>\n<li>Organisations without dedicated security monitoring<\/li>\n<li>Businesses without strong application governance<\/li>\n<\/ul>\n<p><strong>Industries commonly targeted include:<\/strong><\/p>\n<ul>\n<li>Manufacturing and logistics<\/li>\n<li>Professional services<\/li>\n<li>Healthcare and NDIS providers<\/li>\n<li>Construction and trades<\/li>\n<li>Trading and distribution<\/li>\n<\/ul>\n<p>The construction sector is especially exposed because of high-value transactions and complex subcontracting chains, making it attractive for business email compromise activity.<\/p>\n<h3><strong>The Business Impact<\/strong><\/h3>\n<p>Once attackers gain access through a consented application, the impact can be significant.<\/p>\n<ul>\n<li>\n<h4><strong>Business Email Compromise<\/strong><\/h4>\n<\/li>\n<\/ul>\n<p>Attackers can monitor invoice conversations and insert fraudulent payment details at the right time.<\/p>\n<p>This can lead to direct financial loss.<\/p>\n<ul>\n<li>\n<h4><strong>Data Exposure<\/strong><\/h4>\n<\/li>\n<\/ul>\n<p>Sensitive files in OneDrive and SharePoint may be accessed without triggering obvious user-facing alerts.<\/p>\n<p>This may include contracts, pricing data, client records, and internal documents.<\/p>\n<ul>\n<li>\n<h4><strong>Internal Phishing<\/strong><\/h4>\n<\/li>\n<\/ul>\n<p>Emails sent from a trusted internal account are more likely to be opened.<\/p>\n<p>This allows attackers to spread the campaign further across the organisation.<\/p>\n<ul>\n<li>\n<h4><strong>Regulatory Risk<\/strong><\/h4>\n<\/li>\n<\/ul>\n<p>In Australia, unauthorised access to personal information may trigger obligations under the Notifiable Data Breaches scheme.<\/p>\n<p>This can create legal, operational, and reputational consequences.<\/p>\n<h3><strong>How to Reduce Your Risk<\/strong><\/h3>\n<p><img decoding=\"async\" class=\"aligncenter size-full wp-image-96280\" src=\"https:\/\/exigotech.co\/wp-content\/uploads\/2026\/06\/reduce-risk-oauth-consent-phishing-blog-062026.webp\" alt=\"How to Reduce Your Risk\" width=\"1025\" height=\"428\" srcset=\"https:\/\/exigotech.co\/wp-content\/uploads\/2026\/06\/reduce-risk-oauth-consent-phishing-blog-062026.webp 1025w, https:\/\/exigotech.co\/wp-content\/uploads\/2026\/06\/reduce-risk-oauth-consent-phishing-blog-062026-980x409.webp 980w, https:\/\/exigotech.co\/wp-content\/uploads\/2026\/06\/reduce-risk-oauth-consent-phishing-blog-062026-480x200.webp 480w\" sizes=\"(min-width: 0px) and (max-width: 480px) 480px, (min-width: 481px) and (max-width: 980px) 980px, (min-width: 981px) 1025px, 100vw\" \/><\/p>\n<p>Businesses can take practical steps to reduce exposure to OAuth consent phishing.<\/p>\n<ul>\n<li>\n<h4><strong>Restrict User Consent Policies<\/strong><\/h4>\n<\/li>\n<\/ul>\n<p>Configure Microsoft Entra ID so users cannot approve third-party applications without administrator approval.<\/p>\n<p>This is one of the most effective controls because many attacks rely on permissive default settings.<\/p>\n<ul>\n<li>\n<h4><strong>Implement Admin Consent Workflow<\/strong><\/h4>\n<\/li>\n<\/ul>\n<p>Users can still request access to applications, but approval should be managed centrally by IT or security teams.<\/p>\n<p>This creates control without completely blocking productivity.<\/p>\n<ul>\n<li>\n<h4><strong>Audit Existing Application Consents<\/strong><\/h4>\n<\/li>\n<\/ul>\n<p>Review Enterprise Applications in Microsoft Entra ID.<\/p>\n<p>Look for unknown or suspicious applications, especially those with high-risk permissions such as Mail.ReadWrite, Files.Read.All, or offline_access.<\/p>\n<p>Remove anything that is not recognised or no longer required.<\/p>\n<ul>\n<li>\n<h4><strong>Block or Restrict Device Code Flow<\/strong><\/h4>\n<\/li>\n<\/ul>\n<p>The FBI recommends creating conditional access policies to block device code flow for all users, with limited exceptions for required business processes.<\/p>\n<p>Before applying restrictions, organisations should audit current usage to identify legitimate dependencies.<\/p>\n<ul>\n<li>\n<h4><strong>Monitor Mailbox Activity<\/strong><\/h4>\n<\/li>\n<\/ul>\n<p style=\"padding-left: 40px;\"><strong>Watch for:<\/strong><\/p>\n<ul>\n<li style=\"list-style-type: none;\">\n<ul>\n<li>New inbox rules<\/li>\n<li>External forwarding<\/li>\n<li>Unusual email activity<\/li>\n<li>Unexpected access patterns<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<p>These can indicate compromised access.<\/p>\n<ul>\n<li>\n<h4><strong>Strengthen Conditional Access<\/strong><\/h4>\n<\/li>\n<\/ul>\n<p>Conditional access policies help control how and where applications can access organisational data.<\/p>\n<p>This may include device compliance, location-based controls, and risk-based access rules.<\/p>\n<ul>\n<li>\n<h4><strong>Educate Employees<\/strong><\/h4>\n<\/li>\n<\/ul>\n<p>Users should understand that consent prompts can be part of a phishing attack.<\/p>\n<p>Security awareness training should include OAuth consent scenarios, not just fake login pages.<\/p>\n<div class=\"latest-blog\"><div class=\"latestblognpost\"><em><b>Read More: <\/b><\/em><a href=\"https:\/\/exigotech.co\/au\/blog\/it-security-for-not-for-profit-organisations\">IT Security for Not-for-Profit Organisations: Protecting Mission, Data, and Community Trust<\/a><\/div><\/div>\n<h3><strong>How Exigo Tech Helps<\/strong><\/h3>\n<p>At Exigo Tech, we help Australian businesses secure Microsoft 365 environments against evolving threats like OAuth consent phishing.<\/p>\n<p>As your <strong>Managed Intelligence Partner<\/strong>, our approach includes:<\/p>\n<ul>\n<li>Microsoft 365 Security Health Checks to assess tenant configurations, consent policies, and application permissions<\/li>\n<li>Managed Security as a Service for continuous monitoring, threat detection, and incident response in partnership with Microsoft and eSentire<\/li>\n<li>IT security consulting and policy configuration to reduce your attack surface<\/li>\n<li>Incident response support when suspicious activity is identified<\/li>\n<li>Ongoing guidance from experienced IT security consultants and IT security specialists<\/li>\n<\/ul>\n<p>Whether you need to strengthen your current Microsoft 365 security posture or respond to a potential incident, Exigo Tech provides the expertise and partnership to help your organisation stay protected.<\/p>\n<p><a href=\"\/au\/contact\"><img decoding=\"async\" class=\"aligncenter size-full wp-image-96284\" src=\"https:\/\/exigotech.co\/wp-content\/uploads\/2026\/06\/cta-oauth-consent-phishing-blog-062026-02.webp\" alt=\"CTA - Strengthen Protection Against Identity-Based Threats\" width=\"891\" height=\"211\" srcset=\"https:\/\/exigotech.co\/wp-content\/uploads\/2026\/06\/cta-oauth-consent-phishing-blog-062026-02.webp 891w, https:\/\/exigotech.co\/wp-content\/uploads\/2026\/06\/cta-oauth-consent-phishing-blog-062026-02-480x114.webp 480w\" sizes=\"(min-width: 0px) and (max-width: 480px) 480px, (min-width: 481px) 891px, 100vw\" \/><\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Passwords and multi-factor authentication have long been seen as the foundation of business security. But attackers are now finding ways&#8230;<\/p>\n","protected":false},"author":28,"featured_media":96292,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"_et_pb_use_builder":"","_et_pb_old_content":"","_et_gb_content_width":"","inline_featured_image":false,"footnotes":""},"categories":[58,16],"tags":[560],"class_list":["post-96275","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cybersecurity","category-security","tag-oauth-open-authorisation-consent-phishing"],"acf":[],"_links":{"self":[{"href":"https:\/\/exigotech.co\/au\/wp-json\/wp\/v2\/posts\/96275","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/exigotech.co\/au\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/exigotech.co\/au\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/exigotech.co\/au\/wp-json\/wp\/v2\/users\/28"}],"replies":[{"embeddable":true,"href":"https:\/\/exigotech.co\/au\/wp-json\/wp\/v2\/comments?post=96275"}],"version-history":[{"count":3,"href":"https:\/\/exigotech.co\/au\/wp-json\/wp\/v2\/posts\/96275\/revisions"}],"predecessor-version":[{"id":96298,"href":"https:\/\/exigotech.co\/au\/wp-json\/wp\/v2\/posts\/96275\/revisions\/96298"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/exigotech.co\/au\/wp-json\/wp\/v2\/media\/96292"}],"wp:attachment":[{"href":"https:\/\/exigotech.co\/au\/wp-json\/wp\/v2\/media?parent=96275"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/exigotech.co\/au\/wp-json\/wp\/v2\/categories?post=96275"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/exigotech.co\/au\/wp-json\/wp\/v2\/tags?post=96275"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}