OAuth Consent Phishing
An attack that tricks users into granting a malicious third-party application access to their accounts via a legitimate OAuth authorisation flow.
Also known as: app-based phishing, OAuth phishing, consent phishing
Last reviewed: 1 June 2026
OAuth consent phishing (sometimes called 'OAuth phishing' or 'app-based phishing') abuses the OAuth 2.0 authorisation framework as designed, rather than exploiting a flaw in it. Instead of harvesting a password, the attacker registers a malicious application with a trusted identity provider (such as Microsoft, Google, or GitHub) and sends the victim a link that initiates a genuine OAuth consent flow. The victim is presented with a real, legitimate-looking permission prompt asking them to grant the malicious app access to their email, contacts, files, or other resources.
Because the permission prompt is served by the trusted identity provider (not a fake page), standard phishing indicators such as SSL certificate warnings or domain checks do not alert the victim. Multi-factor authentication does not protect against this attack — the attacker obtains an OAuth token rather than a password, and MFA is not re-prompted for token use.
Once access is granted, the attacker can read email, exfiltrate files, send messages on the victim's behalf, or maintain persistent access even after a password change. Mitigations include restricting which applications users can consent to, reviewing and revoking authorised app permissions, and monitoring for unusual OAuth token activity.
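The monitoring mitigation above, as an added example that is not part of the original page: a small triage script that reads consent-grant audit events and flags grants of broad mailbox, file or offline (refresh-token) scopes to applications outside an organisation's allow-list or from an unverified publisher. The JSON field names, the approved application ID and the sample events are all constructed for this illustration, not a real provider's audit-log schema.

```python
import json

# Scopes whose grant to an unknown app warrants review: broad mailbox/file
# access, and offline_access (a refresh token, i.e. persistence that survives
# MFA and password changes).
HIGH_RISK_SCOPES = {"Mail.Read", "Mail.ReadWrite", "Mail.Send", "Contacts.Read",
                    "Files.Read.All", "Files.ReadWrite.All", "offline_access"}

# Hypothetical allow-list of application IDs the organisation has vetted.
APPROVED_APP_IDS = {"11111111-1111-1111-1111-111111111111"}

def assess_consent_event(event):
    """Return (flag, reasons) for one consent-grant event given as a dict."""
    reasons = []
    approved = event.get("app_id") in APPROVED_APP_IDS
    verified = bool(event.get("verified_publisher", False))
    risky = sorted(set(event.get("scopes", [])) & HIGH_RISK_SCOPES)
    if not approved:
        reasons.append("app not on approved list")
    if not verified:
        reasons.append("publisher not verified")
    if risky:
        reasons.append("high-risk scopes: " + ", ".join(risky))
    # Flag only when a high-risk scope goes to an app that is either
    # unapproved or from an unverified publisher; vetted apps pass.
    flag = bool(risky) and (not approved or not verified)
    return flag, reasons

def triage(log_lines):
    """Parse JSON-lines consent events and return the flagged ones."""
    flagged = []
    for line in log_lines:
        if not line.strip():
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip a malformed line rather than abort the whole run
        flag, reasons = assess_consent_event(event)
        if flag:
            flagged.append({"user": event.get("user"),
                            "app": event.get("app_name"), "reasons": reasons})
    return flagged

# Constructed sample events (fictional users, IDs and app names).
SAMPLE_LOG = """
{"user": "alice@example.com", "app_id": "11111111-1111-1111-1111-111111111111", "app_name": "Approved CRM", "verified_publisher": true, "scopes": ["Mail.Read", "offline_access"]}
{"user": "bob@example.com", "app_id": "deadbeef-0000-0000-0000-000000000000", "app_name": "Shared Document Viewer", "verified_publisher": false, "scopes": ["Mail.Read", "Files.Read.All", "offline_access"]}
{"user": "carol@example.com", "app_id": "22222222-2222-2222-2222-222222222222", "app_name": "Calendar Widget", "verified_publisher": true, "scopes": ["Calendars.Read"]}
"""

if __name__ == "__main__":
    for hit in triage(SAMPLE_LOG.splitlines()):
        print(hit)
```

Only the "Shared Document Viewer" grant is reported: it is an unapproved, unverified app receiving mailbox, file and offline access, the pattern of the consent-phishing lure described on this page.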
Examples
- A corporate user receives an email inviting them to access a shared document; clicking grants a malicious app full read access to their business email via a genuine Microsoft OAuth consent prompt.