How to Prevent Malicious OAuth App Consent Attacks in Microsoft 365
OAuth consent phishing tricks users into granting malicious apps access. Learn how to prevent illicit consent grants in Microsoft 365.
OAuth consent attacks, also known as illicit consent grants, trick users into authorizing malicious applications that can then access their data. Unlike traditional phishing that steals credentials, these attacks result in persistent access through legitimate OAuth tokens issued to the attacker's app, so the access survives a password reset. This guide covers how to prevent, detect, and respond to OAuth consent attacks in Microsoft 365.
Warning Signs
Watch for these indicators that may signal this problem in your environment:
- Users granting consent to unfamiliar applications
- Applications requesting high-risk permissions (e.g. Mail.Read, Mail.Send, Files.ReadWrite.All)
- App consent from phishing emails
- Applications from unverified publishers
- Unexpected application activity in audit logs
What Could Happen
- Persistent access bypassing password changes
- Email and data exfiltration
- Business email compromise
- Calendar and contact harvesting
- Account used for further phishing
The Solution
Restrict user consent, implement admin approval workflows, and monitor for suspicious application grants to prevent OAuth consent attacks.
Implementation Steps
1. Disable user consent for unverified apps
2. Require admin approval for new applications
3. Audit existing app consent grants
4. Block risky application permissions
5. Enable alerts for consent grants
6. Train users to recognize consent phishing
Ongoing Prevention
- Weekly review of new app registrations
- Application governance policies
- Verified publisher requirements
- Risk-based consent policies
Frequently Asked Questions
Should I block all user app consent?
For most organizations, yes. Blocking user consent and requiring admin approval prevents consent phishing attacks. You can allow consent to verified publisher apps with low-risk permissions while blocking high-risk grants.
How do I audit existing app consent?
Review app registrations and enterprise applications in Entra ID. For each enterprise application, check which users have consented to it (or whether an admin granted consent for the whole tenant), which permissions were granted, and whether the publisher is verified. Revoke consent for suspicious or unnecessary applications.
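The audit above, and the "allow verified publishers with low-risk permissions" setting from the first FAQ, as an added example using the Microsoft Graph PowerShell SDK (this is not TrueConfig's code). It assumes you hold a role that can read policies, service principals and consent grants, and that `$HighRiskScopes` reflects what your organisation treats as high risk.

```powershell
# Added example (not from the original page). Requires the Microsoft.Graph PowerShell SDK
# and a role that can read service principals, consent grants and authorization policy.
Connect-MgGraph -Scopes "Directory.Read.All", "Policy.Read.All" -NoWelcome

# Delegated scopes that let an app read or send mail, files, contacts or calendars on a
# user's behalf; offline_access yields a refresh token, which is what makes access persist.
$HighRiskScopes = @("Mail.Read", "Mail.ReadWrite", "Mail.Send", "Files.Read.All",
                    "Files.ReadWrite.All", "Contacts.Read", "Calendars.Read", "offline_access")

# 1. Check the tenant-wide user consent setting. An empty list means user consent is
#    disabled entirely; "ManagePermissionGrantsForSelf.microsoft-user-default-low" allows
#    users to consent only to verified-publisher apps requesting low-impact permissions.
$policy = Get-MgPolicyAuthorizationPolicy
"User consent policies: $($policy.DefaultUserRolePermissions.PermissionGrantPoliciesAssigned -join ', ')"

# 2. Walk every delegated consent grant and join it to the consenting app's service principal.
$spCache  = @{}
$findings = foreach ($grant in Get-MgOauth2PermissionGrant -All) {
    if (-not $spCache.ContainsKey($grant.ClientId)) {
        $spCache[$grant.ClientId] = Get-MgServicePrincipal -ServicePrincipalId $grant.ClientId
    }
    $sp         = $spCache[$grant.ClientId]
    $scopes     = $grant.Scope -split ' ' | Where-Object { $_ }
    $risky      = $scopes | Where-Object { $HighRiskScopes -contains $_ }
    $unverified = [string]::IsNullOrEmpty($sp.VerifiedPublisher.VerifiedPublisherId)

    # Flag grants that combine an unverified publisher with a high-risk scope.
    # ConsentType "AllPrincipals" is an admin grant for every user; "Principal" is one user.
    if ($unverified -and $risky) {
        $who = if ($grant.ConsentType -eq 'Principal') {
            (Get-MgUser -UserId $grant.PrincipalId -ErrorAction SilentlyContinue).UserPrincipalName
        } else { 'ALL USERS (admin consent)' }
        [pscustomobject]@{
            App         = $sp.DisplayName
            AppId       = $sp.AppId
            ConsentType = $grant.ConsentType
            GrantedTo   = $who
            RiskyScopes = ($risky -join ' ')
            GrantId     = $grant.Id
        }
    }
}
$findings | Sort-Object ConsentType, App | Format-Table -AutoSize

# 3. After reviewing a finding, revoke the grant by its GrantId:
#    Remove-MgOauth2PermissionGrant -OAuth2PermissionGrantId <GrantId>
```

Expect some hits from first-party Microsoft apps whose service principal carries no verified publisher; review those by hand rather than revoking blindly. Revoking a grant stops new token issuance, but access tokens the app already holds stay valid until they expire.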
Ready to protect your Microsoft 365 environment?
TrueConfig continuously monitors for this and other security risks, alerting you to issues before attackers can exploit them.