Fake Microsoft OAuth Social-Login Phishing
Phishing sites present fraudulent 'Sign in with Microsoft' OAuth consent screens that harvest Microsoft work or personal credentials from users who believe they are completing a standard authentication flow.
Part of: Social Login & OAuth Phishing
Last reviewed: 7 June 2026
Microsoft's OAuth sign-in standard — the same technology behind 'Sign in with Microsoft' buttons on thousands of websites — is a widely trusted authentication method. Because users are conditioned to complete these flows without excessive scrutiny, phishers have built convincing fake OAuth pages that collect Microsoft credentials under the appearance of a routine authorisation.
The attack is especially dangerous in corporate environments. When an employee is tricked into completing a fake 'Sign in with Microsoft' consent screen, the attacker may obtain a session token that grants access to Microsoft 365 email, OneDrive files, Teams, and other connected services — all without triggering a password-reset alert.
Some variants use adversary-in-the-middle techniques to relay the real OAuth flow, capturing the access token silently and bypassing standard multi-factor authentication.
How this scam works on the Microsoft brand
Legitimate Microsoft OAuth flows open a pop-up or redirect to login.microsoftonline.com, where the URL bar clearly shows that domain. The consent screen shows exactly which application is requesting access and which permissions it requires. Microsoft OAuth tokens are cryptographically bound to the real domain — a token issued at login.microsoftonline.com cannot be replayed from a different domain.
Fake OAuth flows appear on malicious landing pages promoted through phishing emails or social media ads. The consent screen looks identical to Microsoft's real interface but is hosted at a domain like microsoft-auth[.]app or login-microsoft[.]online. Some campaigns instead abuse legitimate cloud services: the attacker registers an Azure application whose redirect URI points to infrastructure they control, so the flow technically passes through a microsoft.com URL before redirecting to an attacker-controlled endpoint.
Victims who approve the consent screen unknowingly hand over a valid access token or their Microsoft account credentials. The attacker can then silently access connected services, set up persistent access through registered applications, and avoid triggering future MFA prompts.
Common red flags
- The OAuth pop-up URL is not login.microsoftonline.com — check the browser address bar carefully
- The consent screen requests unusually broad permissions such as access to all emails, files, or admin privileges for a simple service
- You are asked to complete a Microsoft login on a promotional or unfamiliar site that does not clearly justify needing Microsoft access
- The site uses Microsoft branding but the parent domain is not microsoft.com
- You receive an unexpected notification that a new application has been granted access to your Microsoft account
- The consent screen claims to represent a well-known service but the application publisher name is unfamiliar
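The checks in the two sections above (genuine host, expected redirect target, no unusually broad permissions) can be applied mechanically to the authorization URL before a consent screen is trusted. The following Python is an added example, not code from the original page or from Microsoft. It assumes login.microsoftonline.com is the only genuine sign-in host of interest (other Microsoft sign-in hosts are left out), that the caller knows which redirect hosts the real application uses, and that the listed Microsoft Graph permission names are the ones worth treating as broad; the sample URLs in the demo are constructed and use the page's own example lookalike domains.

```python
"""Flag red flags in an OAuth 2.0 authorization URL (added example, not Microsoft code)."""
from urllib.parse import urlparse, parse_qs

# Assumption: the page names login.microsoftonline.com as the genuine host; this
# example treats only that host as genuine.
GENUINE_AUTH_HOSTS = {"login.microsoftonline.com"}

# Real Microsoft Graph delegated permission names that a simple service rarely
# needs (assumption: which scopes count as "broad" is a local policy choice).
BROAD_SCOPES = {
    "Mail.ReadWrite", "Mail.Send", "Files.ReadWrite.All",
    "Directory.ReadWrite.All", "User.ReadWrite.All", "Sites.ReadWrite.All",
}


def inspect_authorize_url(url, allowed_redirect_hosts):
    """Return a list of red-flag strings for an authorization URL.

    An empty list means none of these checks fired; it is not proof the
    flow is legitimate.
    """
    flags = []
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()

    if parsed.scheme != "https":
        flags.append("not https")

    # Red flag: the pop-up URL is not the genuine sign-in host. A host that
    # merely contains "microsoft" is the lookalike pattern from the page.
    if host not in GENUINE_AUTH_HOSTS:
        if "microsoft" in host:
            flags.append(f"lookalike host: {host}")
        else:
            flags.append(f"unexpected host: {host}")

    params = parse_qs(parsed.query)

    # Red flag: a genuine host can still redirect to an attacker endpoint
    # when the app registration's redirect URI is attacker-controlled.
    redirect = params.get("redirect_uri", [""])[0]
    redirect_host = (urlparse(redirect).hostname or "").lower()
    if redirect_host and redirect_host not in allowed_redirect_hosts:
        flags.append(f"redirect_uri host not expected: {redirect_host}")

    # Red flag: unusually broad permissions for the service being signed into.
    scopes = set(params.get("scope", [""])[0].split())
    broad = sorted(scopes & BROAD_SCOPES)
    if broad:
        flags.append("broad permissions: " + ", ".join(broad))

    return flags


if __name__ == "__main__":
    # Constructed sample URLs: one genuine-looking flow, one lookalike domain,
    # and one that starts on the real host but redirects elsewhere.
    samples = [
        "https://login.microsoftonline.com/common/oauth2/v2.0/authorize"
        "?client_id=app&redirect_uri=https%3A%2F%2Fapp.example.com%2Fcb"
        "&scope=openid+User.Read",
        "https://login-microsoft.online/authorize"
        "?redirect_uri=https%3A%2F%2Fcollect.example.net%2Fcb"
        "&scope=Mail.ReadWrite+offline_access",
        "https://login.microsoftonline.com/common/oauth2/v2.0/authorize"
        "?client_id=app&redirect_uri=https%3A%2F%2Fcollect.example.net%2Fcb"
        "&scope=openid",
    ]
    for url in samples:
        print(url.split("?")[0], "->", inspect_authorize_url(url, {"app.example.com"}) or "no flags")
```

The third sample is the case the page describes where the flow passes through a real Microsoft URL: the host check passes, and only the redirect_uri check catches it, which is why the allowed redirect hosts must come from knowledge of the real application rather than from the URL itself.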
How to protect yourself
- Always check that the OAuth pop-up URL is login.microsoftonline.com before approving any consent request
- Review and revoke third-party app access at myapps.microsoft.com or myaccount.microsoft.com/permissions
- Enable Conditional Access policies in Microsoft Entra ID (Azure AD) to flag or block OAuth consent for unknown applications
- Use phishing-resistant MFA such as FIDO2 security keys so that even a stolen session token cannot be escalated
- Configure Microsoft Entra's 'user consent settings' to require admin approval for third-party app OAuth grants
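The review-and-revoke and admin-approval advice above amounts to a triage rule over consent grants: which third-party apps were granted access, by whom, from which publisher, and with which permissions. The following Python is an added example, not code from the original page or from Microsoft, and it does not read real Entra audit logs; the grant records are a constructed, simplified shape (assumption) with the fields an administrator would look at, and the tenant allowlist of approved app ids is likewise assumed. It generalises the page's checklist slightly by also treating any tenant-wide ".All" scope and the offline_access scope (which yields a refresh token, the persistent access the page warns about) as reasons for review.

```python
"""Triage third-party consent grants for review or revocation (added example)."""
from dataclasses import dataclass


@dataclass
class ConsentGrant:
    """Simplified consent-grant record (constructed shape, not the Entra audit schema)."""
    app_id: str
    app_name: str
    publisher_verified: bool
    consent_type: str   # "User" or "Admin"
    scopes: list
    granted_by: str


def grant_findings(grant, approved_app_ids):
    """Return the reasons this grant deserves review; empty list means none."""
    reasons = []
    # Unknown application: not on the tenant's approved list.
    if grant.app_id not in approved_app_ids:
        reasons.append("app not on tenant allowlist")
    # Unfamiliar publisher, as in the red-flag list.
    if not grant.publisher_verified:
        reasons.append("publisher not verified")
    # User consent means the admin-approval setting was not in force.
    if grant.consent_type == "User":
        reasons.append("user consent granted without admin approval")
    # Tenant-wide scopes grant access to all mailboxes, files or directory objects.
    tenant_wide = sorted(s for s in grant.scopes if s.endswith(".All"))
    if tenant_wide:
        reasons.append("tenant-wide scope: " + ", ".join(tenant_wide))
    # offline_access yields a refresh token, i.e. persistent access.
    if "offline_access" in grant.scopes:
        reasons.append("offline_access requested (persistent access)")
    return reasons


def triage_grants(grants, approved_app_ids):
    """Return (grant, reasons) pairs needing review, most reasons first."""
    flagged = []
    for g in grants:
        reasons = grant_findings(g, approved_app_ids)
        if reasons:
            flagged.append((g, reasons))
    flagged.sort(key=lambda pair: len(pair[1]), reverse=True)
    return flagged


# Constructed sample records: an approved app, a suspicious user-consented app,
# and an approved app that nevertheless holds a tenant-wide scope.
SAMPLE_GRANTS = [
    ConsentGrant("app-0001", "Expense Portal", True, "Admin", ["User.Read"], "admin@example.com"),
    ConsentGrant("app-9999", "Mail Backup Pro", False, "User",
                 ["Mail.ReadWrite", "offline_access"], "alice@example.com"),
    ConsentGrant("app-0002", "Document Indexer", True, "Admin",
                 ["Files.ReadWrite.All"], "admin@example.com"),
]
APPROVED_APP_IDS = {"app-0001", "app-0002"}


if __name__ == "__main__":
    for grant, reasons in triage_grants(SAMPLE_GRANTS, APPROVED_APP_IDS):
        print(f"{grant.app_name} (granted by {grant.granted_by}):")
        for r in reasons:
            print("  -", r)
```

The ordering puts the grant with the most independent reasons first, so an unknown, unverified, user-consented app with a mailbox scope and a refresh token surfaces above an approved app that merely holds one tenant-wide scope; both still appear, because the second is the kind of grant the page says should be reviewed even when it was expected.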
How to report it
- Revoke suspicious app permissions immediately at myapps.microsoft.com
- Report the phishing site to Microsoft at msrc.microsoft.com/report
- Forward the phishing email to [email protected]
- Report to the FTC at reportfraud.ftc.gov (US) or Action Fraud actionfraud.police.uk (UK)
Frequently asked questions
What is an OAuth consent screen and why does it appear?
An OAuth consent screen appears when a website or app requests permission to access your Microsoft account data on your behalf. Legitimate ones show the requesting application's name and the specific permissions requested. You should only approve consent screens from applications you trust and that you intentionally chose to connect to your account.
Can approving a fake OAuth screen bypass two-factor authentication?
Yes. If you are already signed in to your Microsoft account and you approve an OAuth consent screen, the attacker may receive an access token without needing your password or MFA code. This is why reviewing OAuth permissions regularly and revoking unknown ones is important.
How do I see which apps have access to my Microsoft account?
Sign in to myaccount.microsoft.com, then navigate to Privacy > Apps and services. For work accounts managed by Microsoft Entra ID, an administrator can review consented applications in the Entra ID admin centre.