Het scenario
A senior marketing manager at a Dutch enterprise software firm receives an email Monday morning: 'eSign the Q2 partnership agreement — opened by your colleague Mark'. The link goes to the genuine Microsoft sign-in flow on login.microsoftonline.com — exactly the page she expects. She enters her credentials, completes her FIDO2 passkey challenge, and is redirected to a Microsoft-styled permissions screen titled 'Accept permissions — Partnership Document Reader needs:'. The four permission lines read like reasonable e-signature scopes: 'View your basic profile', 'Sign you in and read your profile', 'Read your mail', 'Have full access to your files'. She clicks Accept. The page redirects to a plausible-looking PDF. Behind the scenes, the attacker's enterprise application — registered six months earlier in an unrelated Azure tenant and named 'Partnership Document Reader' — now has a refresh token authorising read access to her entire mailbox and OneDrive. The attacker uses the Microsoft Graph API to pull six years of correspondence over the next four hours. Password rotation does not stop it. MFA re-enrolment does not stop it. The only fix is to revoke the OAuth grant from the user's My Apps panel and from the tenant Enterprise applications list. Detection time in the average enterprise: 23 days.
Hoe de aanval werkt
OAuth is the standards-compliant way third-party applications request access to your data — Calendly to your calendar, Slack to your inbox, the e-signature platform to your files. Every legitimate enterprise depends on OAuth grants. The attack abuses the same protocol: the attacker registers an application in an Azure or Google tenant they control, gives it a credible name (something like 'Document Sync', 'Calendar Helper', or impersonating a known SaaS brand), requests broad scopes (Mail.Read, Files.Read.All, full_access_as_user), and then phishes a user into completing the consent flow. Crucially, the user is asked to sign in to their own legitimate Microsoft or Google account — there is no spoofed login page. The phish is on the consent screen itself, not the sign-in. Once consent is granted the attacker receives an access token plus a refresh token; the refresh token survives most password rotations and remains valid until the OAuth grant is revoked or the application is removed. MITRE ATT&CK techniques: T1528 (Steal Application Access Token), T1098.001 (Account Manipulation: Additional Cloud Credentials), T1550.001 (Use Alternate Authentication Material: Application Access Token). The defensive playbook is identity admin-side: restrict third-party-app consent to admin-approved apps only, monitor consent grants in audit logs, and review enterprise applications quarterly. The user-side defence is harder — the consent screen looks legitimate because it IS legitimate; the user must read the scope lines and understand what they mean.
Waar je op moet letten
- A permissions screen ('App XYZ needs the following permissions') for any app you did not deliberately install or sign up for
- Scope requests like 'Read your mail', 'Send mail as you', 'Have full access to your files', 'Read and write all groups' — any broad-scope ask from an unfamiliar app should be a hard stop
- App names that closely impersonate well-known SaaS (e.g. 'Microsoft Document Sync' is not a real Microsoft product; 'DocuSign Sign' versus the real 'DocuSign' brand)
- Publisher field marked as unverified, or showing as an organisation you have never heard of
- Consent prompts appearing during what was supposed to be a sign-in or document-open flow — legitimate document opens do not require additional consent each time
- Unsolicited 'a document has been shared with you, click to view' emails that route through a third-party signing or viewing app
- Unexpected app permissions listed under 'My applications' (https://myapps.microsoft.com) or your Google 'Third-party apps with account access' panel that you did not authorise
Wat te doen
- Read every consent screen — every time — and reject any broad-scope request from an unfamiliar appTreat 'Read your mail' or 'Full access to files' as flashing-red unless you signed up for an app that genuinely needs that scope (rare).
- If you accidentally consented, revoke immediatelyMicrosoft: https://myapps.microsoft.com → click the app → Remove. Google: https://myaccount.google.com/permissions → Remove access. Then notify security so they can audit the rest of the tenant.
- Review your installed third-party apps quarterlyAnything you do not recognise, do not use, or no longer use — revoke. Both Microsoft and Google make this a one-click action.
- Never sign in to a 'document' that requests new permissions on a flow you have done before without themIf the publisher is asking for new scopes mid-flow, that is the attack. Stop and verify with the sender out-of-band.
- Escalate every unfamiliar consent prompt to security — even if you rejected itA consent-phish attempt is reconnaissance evidence. Security needs to know who else may have been targeted.
Verdediging — voor IT en beleid
Technische controles
- Restrict user consent for unverified third-party apps — Microsoft Entra ID setting under Enterprise applications → Consent and permissions → 'Do not allow user consent' (or 'Allow user consent for apps from verified publishers, for selected permissions')
- Admin-consent request workflow turned on — users requesting consent for new apps generate a ticket for IT review, instead of granting in place
- Monitor and alert on every consent grant via Microsoft Defender for Cloud Apps / Entra audit logs / Google Workspace audit logs — every new OAuth app in the tenant is a security event
- Periodic enterprise-application review (quarterly minimum) — apps with no documented business owner get revoked
- Conditional access policies that block legacy authentication protocols (which bypass modern consent controls)
- Application-protection labels on Microsoft Graph endpoints for high-value tenants — restricts which apps can access sensitive mail/file scopes regardless of consent
- Cloud-app risk scoring (e.g., Microsoft Defender for Cloud Apps) that auto-flags new apps with high-privilege scopes
Beleidscontroles
- Written policy: users may not consent to third-party apps requesting broad mail or file scopes; such requests must be routed to IT for review
- Quarterly OAuth-app inventory review co-owned by IT security and business owners — every retained app has a documented owner and renewal cadence
- Onboarding/offboarding policy: when an employee leaves, all OAuth grants in their account are revoked along with the account
- Procurement integration: new SaaS rollouts go through an OAuth-scope review as part of vendor security assessment
Trainingsfrequentie
OAuth consent phishing is harder to train against than email phishing because the lure is on a legitimate Microsoft page. Pair training with a simulated consent attempt at least once a year and a structured 'show employees what a real vs malicious consent screen looks like' module. Track consent-revocation actions taken by users — high revocation rate signals healthy awareness.
Korte check
Vijf vragen. Antwoorden en toelichting verschijnen na inzenden.
- Q1.
A friend shares a document with you. To open it, you are asked to grant 'Read your mail' permission to an app called 'Document Reader Pro' from an unverified publisher. What do you do?
- Q2.
Why does OAuth consent phishing bypass password rotation and MFA?
- Q3.
Where in Microsoft 365 do you revoke a previously-granted OAuth permission as an end-user?
- Q4.
Which technical control most directly prevents user-side OAuth consent phishing?
- Q5.
What is the dwell-time risk profile of an undetected illicit OAuth grant?
Bronnen & verdere lectuur
- Microsoft — Illicit consent grants and OAuth consent phishing[primary]
- Microsoft Entra — Consent and permissions settings[primary]
- MITRE ATT&CK — T1528 Steal Application Access Token[primary]
- OWASP — OAuth 2.0 Threat Model[primary]
- Mandiant — APT28 / Pawn Storm OAuth campaign analyses[secondary]
- Microsoft Threat Intelligence — Storm-0558 case studies[secondary]