A phishing‑as‑a‑service platform is stealing long‑lived OAuth refresh tokens from Microsoft 365 users, sidestepping MFA and exposing a blind spot in modern identity defenses. Experts explain why consent screens are now the most valuable phishing lure and outline concrete steps to regain control.

A new kind of phishing click
In February 2026 a service called EvilTokens went live, offering a turnkey phishing‑as‑a‑service (PhaaS) kit that targets Microsoft 365 tenants. Within five weeks the operators had compromised more than 340 organizations across five countries. The victims received a familiar‑looking message that asked them to visit microsoft.com/devicelogin, enter a short code, and complete their usual MFA challenge. After the user entered the code, the attacker walked away with a refresh token that granted persistent access to the user’s mailbox, OneDrive, calendar and contacts.
Unlike a traditional credential phish, the attack never required a password, never triggered a new MFA prompt, and left no obvious sign‑in event for security information and event management (SIEM) tools to flag. The consent screen—once a rare, deliberate step—has become an instinctive click, and the controls that protect passwords simply do not see it.
"Consent phishing is the logical evolution of credential phishing. The user does the heavy lifting—authenticates, satisfies MFA, and then clicks ‘Accept.’ The system hands over a token that works for weeks or months," says Dr. Anika Rao, senior identity researcher at the Cloud Security Alliance.
Why MFA can’t stop a refresh token
| Credential phishing | OAuth consent abuse |
|---|---|
| User hands over username + password | User authenticates on the legitimate IdP |
| Attacker replays credentials → MFA challenge | MFA already satisfied on the legitimate domain |
| SIEM sees a sign‑in event (IP, device, location) | No new sign‑in, only a token issuance |
The token is signed by Azure AD, scoped to whatever the user approved, and refreshable. Because the MFA step already occurred, the token is considered valid. Even if the user later resets their password, the token remains active until it expires or is explicitly revoked.
The consent problem has become normalized
OAuth consent prompts have proliferated. Every AI assistant, productivity add‑on, or browser extension that needs access to a SaaS service presents a consent screen. A typical knowledge worker now sees dozens of these prompts each month—far more than the original threat models anticipated.
The wording of scopes is deliberately vague:
- "Read your mail" actually includes every message, attachment, and shared thread.
- "Access files when you’re not present" translates to a long‑lived token that can be used without the user in front of a screen.
When the language does not map cleanly to risk, users click without understanding the downstream impact.
Toxic combinations: when isolated grants become a chain reaction
A single OAuth grant gives an attacker a foothold inside one application. The danger multiplies when that foothold bridges to other services:
- A finance user grants an AI meeting summarizer access to their calendar and mailbox.
- The same user later authorizes a productivity assistant to read the company shared drive.
- A third‑party CRM enrichment tool receives permission to query the customer database.
Individually each grant looks innocuous, but together they create a toxic combination—a permission graph that no single application owner ever authorized. Because the bridges exist outside any single app’s audit log, traditional logs cannot surface the risk.
"What we’re seeing is a graph problem, not a single breach. The attack surface is the connections between apps, not the apps themselves," notes James Liu, principal engineer at Reco.

Real‑world precedent: the Salesloft‑Drift cascade (2025)
A compromised downstream connector spread across 700+ Salesforce tenants using OAuth tokens that customers had legitimately approved. Each tenant thought it was a routine integration; none anticipated the cascade effect.
What security teams should check today
Treat OAuth consent with the same rigor you apply to authentication. The following checklist helps surface hidden risk:
- OAuth application inventory – List every third‑party app that holds refresh tokens in your tenant. Identify which tokens are refreshed continuously versus those that are only used during audits.
- Grant age and re‑consent – Flag tokens older than 30 days that have never been re‑approved. Surface them in a remediation queue.
- Cross‑application identities – Detect user accounts that hold grants across three or more SaaS applications. Prioritize for review.
- Agent and integration bridges – Map AI agents, browser extensions, and custom connectors that bridge two systems without a single owner’s oversight.
- Conditional access on consent – Extend conditional‑access policies to trigger on consent events, not just sign‑in events.
- Token‑level revocation playbook – Develop a process to revoke a single OAuth token rather than disabling the entire user account.
How AI‑driven identity platforms can close the gap
A new class of security platforms builds an Identity Knowledge Graph the moment a token is issued. They continuously discover:
- Human and non‑human identities (AI agents, service principals)
- The applications they can reach
- The exact scopes granted
- Behavioural anomalies (e.g., a token used from an unexpected IP range)
One example is Reco. Its platform maps every OAuth grant, AI agent, and third‑party integration into a live graph, surfaces unused or stale tokens, and allows security teams to revoke access at the token level.

Practical steps to implement a graph‑based approach
- Deploy an identity‑graph solution – Choose a vendor that integrates with Azure AD, Google Workspace, and major SaaS providers.
- Ingest consent events – Ensure the platform receives real‑time consent logs via Microsoft Graph API or equivalent.
- Define risk policies – For example, flag any token that grants both Mail.Read and Files.ReadWrite.All to a non‑human identity.
- Automate remediation – Set up playbooks that automatically revoke tokens that violate policy, then alert the owner for review.
- Educate users – Update security awareness training to cover consent phishing, emphasizing that the MFA prompt does not guarantee safety.
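As an added example (not code from the article or from any vendor it names), the checklist above and the example risk policy applied to a constructed grant inventory in Python: stale grants, dormant tokens, the Mail.Read plus Files.ReadWrite.All pairing on a non‑human identity, and principals holding grants across three or more apps. The record fields, principals, app names and dates are assumptions.

```python
from datetime import date
# Constructed sample of a tenant's OAuth grant inventory (hypothetical
# principals, apps and dates, not data from any real tenant).
GRANTS = [
    {"id": "g1", "principal": "alice@example.test", "human": True,
     "app": "AI Meeting Summarizer", "scopes": {"Calendars.Read", "Mail.Read"},
     "granted": date(2026, 1, 5), "last_refresh": date(2026, 3, 9)},
    {"id": "g2", "principal": "alice@example.test", "human": True,
     "app": "Productivity Assistant", "scopes": {"Files.Read.All"},
     "granted": date(2026, 2, 20), "last_refresh": date(2026, 3, 8)},
    {"id": "g3", "principal": "alice@example.test", "human": True,
     "app": "CRM Enrichment", "scopes": {"Contacts.Read"},
     "granted": date(2026, 3, 1), "last_refresh": date(2026, 3, 9)},
    {"id": "g4", "principal": "svc-drive-sync", "human": False,
     "app": "Drive Sync Bot", "scopes": {"Mail.Read", "Files.ReadWrite.All"},
     "granted": date(2026, 3, 5), "last_refresh": date(2026, 3, 9)},
    {"id": "g5", "principal": "bob@example.test", "human": True,
     "app": "Legacy Add-on", "scopes": {"Mail.Read"},
     "granted": date(2025, 11, 1), "last_refresh": date(2025, 11, 2)},
]
TODAY = date(2026, 3, 10)  # fixed "today" so the results are reproducible
TOXIC_SCOPES = {"Mail.Read", "Files.ReadWrite.All"}  # pairing named in the policy
def evaluate(grants, today, max_age_days=30, cross_app_threshold=3):
    """Return {grant_id: [reasons]} for every grant that violates a policy."""
    findings = {}
    def flag(g, reason):
        findings.setdefault(g["id"], []).append(reason)
    for g in grants:
        # Grant age: 'granted' only moves on re-consent, so old means never re-approved.
        age = (today - g["granted"]).days
        if age > max_age_days:
            flag(g, f"stale-grant:{age}d")
        # Inventory: a token not refreshed recently is dormant rather than in use.
        idle = (today - g["last_refresh"]).days
        if idle > max_age_days:
            flag(g, f"dormant:{idle}d")
        # Toxic combination: mail read plus file write held by a non-human identity.
        if not g["human"] and TOXIC_SCOPES <= g["scopes"]:
            flag(g, "toxic-combo:non-human")
    # Cross-application identities: one principal with grants in 3+ apps.
    apps = {}
    for g in grants:
        apps.setdefault(g["principal"], set()).add(g["app"])
    for g in grants:
        n = len(apps[g["principal"]])
        if n >= cross_app_threshold:
            flag(g, f"cross-app:{n}")
    return findings
def run_checklist():
    return evaluate(GRANTS, TODAY)
```

Each finding carries the reason string a remediation queue would sort on, so revocation can target the single offending grant rather than the whole account.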
Bottom line
Phishing‑resistant authentication has matured, but the consent layer remains a blind spot. By treating OAuth grants as first‑class security objects—inventorying them, monitoring their lifecycle, and revoking them when they become risky—organizations can stop the “new phishing click” before it turns into a long‑term breach.
