OAuth Consent Attack
Social engineering attack that tricks users into granting malicious applications access to their data through OAuth consent.
What is OAuth Consent Attack?
In OAuth consent attacks (also called illicit consent grant attacks), attackers register a malicious application and trick users into granting it permissions. Once consent is granted, the attacker's application has persistent access to the user's data—even if the user changes their password, because the access is tied to the OAuth grant rather than to the credentials. These attacks bypass MFA because the user legitimately authenticates and then consents.
In Microsoft 365
Azure AD admin consent workflow prevents user consent to unverified applications. App governance in Microsoft Defender monitors for suspicious OAuth applications. Blocking user consent (APP-08) stops this attack vector entirely by requiring admin approval for all applications.
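The following PowerShell is an added example, not code from the original page or from TrueConfig. It uses the Microsoft Graph PowerShell SDK (Microsoft.Graph module) to check whether user consent is enabled in the tenant and to list grants that individual users (not admins) consented to, flagging those that include mail or persistent-access scopes. The list of "risky" scopes is an assumption chosen for illustration; the tenant-wide block at the end is the APP-08 setting described above and is shown commented out so the script stays read-only.

```powershell
# Added example (not from the original page): audit user-consented OAuth grants
# and show how to disable user consent tenant-wide. Requires the Microsoft.Graph
# PowerShell module. Read-only scopes are requested so the audit makes no changes.
Connect-MgGraph -Scopes "Directory.Read.All", "Policy.Read.All"

# 1. Is user consent currently allowed? An empty PermissionGrantPoliciesAssigned
#    list on the default user role means users cannot consent to any application.
$authPolicy = Get-MgPolicyAuthorizationPolicy
$userConsentPolicies = $authPolicy.DefaultUserRolePermissions.PermissionGrantPoliciesAssigned
if (-not $userConsentPolicies -or $userConsentPolicies.Count -eq 0) {
    Write-Host "User consent is disabled: admin approval is required for all apps."
} else {
    Write-Host "User consent is ENABLED via policy: $($userConsentPolicies -join ', ')"
}

# 2. Enumerate delegated permission grants. ConsentType 'Principal' means an
#    individual user consented (as opposed to 'AllPrincipals' for admin consent).
#    The scope list below is an assumption: scopes an illicit app typically wants.
$riskyScopes = @('Mail.Read', 'Mail.ReadWrite', 'Mail.Send', 'Files.ReadWrite.All', 'offline_access')
$grants = Get-MgOauth2PermissionGrant -All

$findings = foreach ($g in $grants) {
    if ($g.ConsentType -ne 'Principal') { continue }
    $scopes = $g.Scope -split ' ' | Where-Object { $_ }
    $hits   = $scopes | Where-Object { $riskyScopes -contains $_ }
    if (-not $hits) { continue }

    # Resolve the client app and the consenting user for the report.
    $sp = Get-MgServicePrincipal -ServicePrincipalId $g.ClientId
    $upn = try { (Get-MgUser -UserId $g.PrincipalId).UserPrincipalName } catch { "<deleted user $($g.PrincipalId)>" }

    [pscustomobject]@{
        App         = $sp.DisplayName
        AppId       = $sp.AppId
        Publisher   = $sp.PublisherName        # empty/unverified publisher is a warning sign
        ConsentedBy = $upn
        RiskyScopes = ($hits -join ' ')
    }
}

if ($findings) {
    Write-Host "User-consented grants with risky scopes:"
    $findings | Format-Table -AutoSize
} else {
    Write-Host "No user-consented grants with risky scopes found."
}

# 3. To block user consent tenant-wide (the APP-08 control), an admin with the
#    Policy.ReadWrite.Authorization scope can clear the assigned grant policies:
# Update-MgPolicyAuthorizationPolicy -AuthorizationPolicyId "authorizationPolicy" `
#     -DefaultUserRolePermissions @{ PermissionGrantPoliciesAssigned = @() }
```

Run the audit before turning on the block: existing grants are not revoked by changing the consent policy, so each finding should be reviewed and, if unwanted, removed (for example with Remove-MgOauth2PermissionGrant) and the app's sign-in logs checked for activity after the consent time.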
Examples
1. Phishing email linking to a malicious app consent page
2. Fake productivity app requesting mail access
3. Compromised app in an app store requesting excessive permissions
Related TrueConfig Controls
These controls help prevent and detect OAuth consent attacks in your Microsoft 365 environment.