Phishing campaign exploits OAuth prompts to bypass Microsoft security
Farah Amod
November 06, 2025
Attackers are tricking users into granting access to malicious apps through real Microsoft login flows, no passwords required.
What happened
According to GBHackers, a new phishing technique is targeting Microsoft account holders by abusing OAuth authentication prompts to gain unauthorized access. Instead of requesting passwords, attackers send phishing emails directing users to fake Microsoft authorization screens, where they’re prompted to grant app permissions. Once access is granted, attackers receive OAuth tokens that allow full control of the account, bypassing passwords and even multi-factor authentication (MFA).
Going deeper
The phishing emails mimic messages from trusted contacts and often carry a sense of urgency to encourage clicks. Victims are led to a Microsoft login page that appears authentic. After entering credentials, they encounter a standard OAuth consent prompt asking for application access, something many users have come to expect when linking third-party apps.
This familiarity is what makes the attack so effective. Users grant access without realizing they’re authorizing a malicious app. The resulting OAuth tokens can persist beyond password changes or MFA updates, providing long-term access to emails, OneDrive files, calendar data, and contacts.
In business contexts, the risk is amplified. Attackers can move laterally across a network by using the compromised account to send trusted emails, share malware-laced files, or escalate privileges internally.
What was said
Security researchers have flagged a growing number of such OAuth-based phishing campaigns and warn against treating app permission prompts as routine. Unlike traditional phishing, this approach does not rely on stolen passwords; it exploits trust in the Microsoft ecosystem and the appearance of legitimate user-experience flows.
Organizations are being advised to implement monitoring tools for unusual OAuth activity and to audit app permission settings regularly.
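The audit the researchers recommend can be started from the tenant's delegated consent grants. The following is an added example, not code from the article or from Paubox: it takes records shaped like Microsoft Graph oauth2PermissionGrant objects (clientId, consentType, principalId, scope) and flags user-consented grants that combine a non-allowlisted app with the mailbox, file, calendar, contact or offline_access scopes this kind of lure asks for. The sample grants, the app lookup and the high-risk scope list are constructed for illustration.

```python
"""Flag risky delegated OAuth consent grants (added example; constructed data)."""
from dataclasses import dataclass, field

# Delegated scopes that give the access described in the article: mailbox,
# OneDrive, calendar, contacts, plus offline_access, which yields refresh tokens
# that outlive a password change. Assumed starting list; tune per tenant.
HIGH_RISK_SCOPES = {
    "Mail.Read", "Mail.ReadWrite", "Mail.Send", "MailboxSettings.ReadWrite",
    "Files.Read.All", "Files.ReadWrite.All", "Calendars.Read", "Contacts.Read",
    "offline_access",
}

# Constructed lookup: service principal id -> (display name, publisher verified?)
APPS = {
    "sp-0001": ("Contoso Expense Tracker", True),
    "sp-0002": ("Mail Sync Helper", False),
}

# Constructed records shaped like Graph oauth2PermissionGrant objects.
# (In Graph, principalId is a user object id; readable names are used here.)
SAMPLE_GRANTS = [
    {"id": "g1", "clientId": "sp-0001", "consentType": "Principal",
     "principalId": "alice@example.com", "scope": "User.Read Files.Read"},
    {"id": "g2", "clientId": "sp-0002", "consentType": "Principal",
     "principalId": "bob@example.com",
     "scope": "User.Read Mail.ReadWrite Files.ReadWrite.All offline_access"},
    {"id": "g3", "clientId": "sp-0002", "consentType": "AllPrincipals",
     "principalId": None, "scope": "User.Read"},
]

@dataclass
class Finding:
    grant_id: str
    app_name: str
    publisher_verified: bool
    user: str
    risky_scopes: list = field(default_factory=list)

def audit_grants(grants, apps=APPS, risky=HIGH_RISK_SCOPES, allowlist=frozenset()):
    """One Finding per user-consented ("Principal") grant whose app is not
    allowlisted and whose scopes include at least one high-risk permission.
    Admin-wide ("AllPrincipals") grants are left for a separate admin review."""
    findings = []
    for g in grants:
        if g["clientId"] in allowlist or g.get("consentType") != "Principal":
            continue
        hits = sorted(set(g.get("scope", "").split()) & risky)
        if hits:
            name, verified = apps.get(g["clientId"], ("<unknown app>", False))
            findings.append(Finding(g["id"], name, verified, g["principalId"], hits))
    return findings

if __name__ == "__main__":
    for f in audit_grants(SAMPLE_GRANTS):
        print(f"{f.grant_id}: {f.user} -> {f.app_name} "
              f"(verified={f.publisher_verified}) scopes={f.risky_scopes}")
```

Revoking a flagged grant removes the token-based access the article describes; a password reset alone does not.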
The big picture
The OAuth phishing campaign shows how attackers are exploiting trust rather than tricking users with fake login pages. Everything about the process looks legitimate: the domain, the interface, and even the Microsoft consent prompt. Victims therefore often grant access without realizing they’re handing over control of their accounts. Once that access is approved, attackers can quietly use OAuth tokens to read emails, move files, and persist long after passwords are changed.
Paubox recommends Inbound Email Security to stop phishing emails that lead to these kinds of consent-based attacks. Its generative AI reviews message tone, sender history, and intent to flag communication that feels off, even when it passes technical checks. That kind of behavioral insight helps catch deceptive OAuth lures before employees ever reach the permission screen.
FAQs
What is OAuth and how does it work?
OAuth is an authorization protocol that lets users grant apps limited access to their account data without sharing passwords. Apps receive temporary tokens that allow access to specific services.
Why are OAuth tokens hard to revoke?
OAuth tokens remain valid until they expire or are manually revoked, even if the user changes their password. Without proper monitoring, malicious apps can retain access indefinitely.
How can businesses detect suspicious OAuth activity?
Organizations can deploy identity protection tools that monitor for unusual app permissions, unexpected sign-in locations, or high-risk user behavior involving OAuth grants.
What’s the difference between an OAuth-based attack and traditional phishing?
Traditional phishing tries to steal credentials. OAuth-based attacks trick users into granting access, allowing attackers to sidestep the need for passwords or MFA.
Can users review and revoke permissions already granted to apps?
Yes. Microsoft account holders can visit the "Apps and Services" section in their account settings to review and revoke access for any app they no longer trust or recognize.