Third-Party App OAuth Risks
Check what you gave permission to access.
What Is Third-Party App OAuth Risks?
OAuth lets you connect a third-party app to your work account with a single click. That productivity tool, calendar optimizer, or email plugin reads your data through tokens issued to the app: short-lived access tokens, plus a refresh token that keeps renewing them until the grant is revoked. The grant belongs to the app, not to your login session, so resetting your password or turning on MFA does not remove the app's permission; the consent stays on record and the app can obtain new tokens without ever showing you another consent prompt. Only revoking the grant ends the access.
The problem: malicious apps use the same authorization flow as legitimate ones, and the consent screen looks identical. The 2023 Microsoft Digital Defense Report found that OAuth-based attacks on enterprise tenants increased by 65% year-over-year, with consent phishing among the top initial access vectors.
This exercise starts when you receive a link to try a new scheduling tool that a colleague recommends. The OAuth consent screen asks for access to your email, contacts, calendar, and files. You evaluate whether those permissions match what the app actually needs: a scheduling tool reading your calendar makes sense; a scheduling tool requesting full access to your email and file storage does not.
The simulation then walks you through auditing the apps currently connected to your corporate account. You will likely find tools you authorized months ago and forgot about, some of which still hold active refresh tokens with broad permissions. You learn how to revoke unnecessary access, evaluate new permission requests against a practical checklist, and recognize consent phishing campaigns in which attackers register malicious apps under names like 'Security Update Required' or 'IT Department Tool', often with an unverified publisher, so that the consent prompt looks like something from your own IT team.
What You'll Learn in Third-Party App OAuth Risks
- Evaluate OAuth consent screens by comparing requested permissions against what an app legitimately needs to function
- Audit all third-party applications currently connected to your corporate accounts and identify those with excessive or unnecessary permissions
- Revoke the consent grant (and the refresh tokens behind it) for unused, suspicious, or overly permissioned third-party applications
- Recognize consent phishing attacks where malicious apps disguise themselves as legitimate IT or security tools
- Apply your organization's app approval process before authorizing new third-party tools to access corporate data
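As an added illustration of the audit and checklist described above (example code written for this edit, not part of the training module), the Python below walks a list of consent grants and decides which to revoke outright and which to queue for review. It checks each app's requested scopes against what its stated purpose needs, looks for consent-phishing name patterns and unverified publishers, and treats grants that have sat idle for more than 90 days as dormant. The grant records, app names, and dates are constructed for the example; scope names follow the Microsoft Graph naming convention as an assumption, since Meridian Workspace is the scenario's fictional provider.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import List, Optional, Set

# Scopes that give an app broad reach over mail, files, contacts or the directory.
# Scope names follow the Microsoft Graph convention (an assumption for this
# example); the comparison logic itself is provider-agnostic.
HIGH_RISK_SCOPES = {
    "Mail.Read", "Mail.ReadWrite", "Mail.Send",
    "Files.Read.All", "Files.ReadWrite.All",
    "Contacts.ReadWrite",
    "Directory.Read.All", "Directory.ReadWrite.All",
}

# What each kind of tool legitimately needs. A scheduling tool needs calendar
# access plus a basic profile and offline_access (so it can refresh tokens
# without re-prompting); anything beyond that is excess.
EXPECTED_SCOPES = {
    "scheduling": {"Calendars.Read", "Calendars.ReadWrite", "User.Read", "offline_access"},
    "notes": {"Files.ReadWrite.AppFolder", "User.Read", "offline_access"},
}

# Name fragments typical of consent-phishing lures that imitate internal IT.
IMPERSONATION_WORDS = ("security update", "it department", "it support", "helpdesk")

DORMANT_DAYS = 90  # grants unused this long are revoked, not merely reviewed


@dataclass
class Grant:
    app_name: str
    category: str               # what the user believes the app is for
    publisher_verified: bool    # did the identity provider verify the publisher?
    scopes: Set[str]
    granted: date
    last_used: Optional[date]   # None if the app never used its tokens


@dataclass
class Finding:
    app_name: str
    action: str                 # "revoke" or "review"
    reasons: List[str] = field(default_factory=list)


def audit_grant(grant: Grant, today: date) -> Optional[Finding]:
    """Return a Finding for a grant that needs attention, or None if it looks fine."""
    reasons = []
    expected = EXPECTED_SCOPES.get(grant.category, set())
    excess = grant.scopes - expected
    if excess:
        reasons.append(f"scopes beyond what a {grant.category} app needs: {sorted(excess)}")
    impersonating = any(w in grant.app_name.lower() for w in IMPERSONATION_WORDS)
    if impersonating:
        reasons.append("name imitates an internal IT or security tool (consent-phishing pattern)")
    if not grant.publisher_verified:
        reasons.append("publisher is not verified")
    idle_days = (today - (grant.last_used or grant.granted)).days
    dormant = idle_days > DORMANT_DAYS
    if dormant:
        reasons.append(f"no use recorded in the last {idle_days} days")
    if not reasons:
        return None
    # Revoke outright when the excess includes high-risk scopes, the name is a
    # phishing lure, or the grant is dormant; otherwise queue it for human review.
    revoke = bool(excess & HIGH_RISK_SCOPES) or impersonating or dormant
    return Finding(grant.app_name, "revoke" if revoke else "review", reasons)


def audit_all(grants: List[Grant], today: date) -> List[Finding]:
    return [f for f in (audit_grant(g, today) for g in grants) if f is not None]


TODAY = date(2024, 5, 20)

# Constructed sample export: these apps, scopes and dates are invented for the example.
SAMPLE_GRANTS = [
    Grant("SmartSync Pro", "scheduling", False,
          {"Calendars.ReadWrite", "Mail.ReadWrite", "Files.ReadWrite.All",
           "Contacts.ReadWrite", "User.Read", "offline_access"},
          date(2024, 4, 29), date(2024, 5, 19)),
    Grant("Security Update Required", "unknown", False,
          {"Mail.Read", "User.Read", "offline_access"},
          date(2023, 11, 2), None),
    Grant("CalendarBuddy", "scheduling", True,
          {"Calendars.Read", "User.Read", "offline_access"},
          date(2023, 4, 15), date(2024, 1, 21)),
    Grant("QuickPoll", "scheduling", True,
          {"Calendars.ReadWrite", "Contacts.Read", "User.Read", "offline_access"},
          date(2024, 3, 3), date(2024, 5, 18)),
    Grant("TeamNotes", "notes", True,
          {"Files.ReadWrite.AppFolder", "User.Read", "offline_access"},
          date(2024, 4, 20), date(2024, 5, 20)),
]

if __name__ == "__main__":
    for finding in audit_all(SAMPLE_GRANTS, TODAY):
        print(f"{finding.action.upper():6} {finding.app_name}")
        for reason in finding.reasons:
            print(f"        - {reason}")
```

On the sample data, SmartSync Pro is flagged for revocation because its excess scopes (mail, files, contacts) are high-risk and its publisher is unverified; 'Security Update Required' trips the impersonation check and is dormant; CalendarBuddy has only the scopes a scheduler needs but has not been used in 120 days; QuickPoll's extra Contacts.Read scope is queued for review rather than revoked; TeamNotes produces no finding. In a real tenant the same decisions would feed the provider's revoke-consent action rather than a print statement.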
Third-Party App OAuth Risks — Training Steps
-
A Productivity Recommendation
You've been feeling overwhelmed with calendar management and email follow-ups. Your colleague Marcus mentioned a tool that helped him stay organized.
-
Marcus's Recommendation
You receive an email from Marcus about the productivity tool he mentioned.
-
Connecting the App
The tool sounds exactly like what you need. Marcus is a trusted colleague who wouldn't recommend something harmful. You click the link to check out SmartSync Pro.
-
Authorizing the App
The SmartSync Pro page looks professional and promises useful features. To connect the app, you need to authorize it through your Meridian Workspace account.
-
The OAuth Consent Screen
You're redirected to your company's Meridian Workspace portal, which displays a consent screen asking you to authorize SmartSync Pro. The app is requesting access to your account. You need to review the permissions and click 'Allow' to connect the app.
-
App Connected Successfully
SmartSync Pro is now connected to your Meridian account. The confirmation screen shows that the app can now access your data. You close the window and continue with your day, satisfied that you'll now have better calendar management.
-
Three Weeks Later
Three weeks pass. You've been using SmartSync Pro for calendar reminders - though it doesn't seem as sophisticated as Marcus described. One morning, you receive an urgent email from IT Security.
-
A Sinking Feeling
Your heart sinks as you read the alert. The productivity tool you connected has been quietly harvesting your data through the access you granted it. In financial services, this kind of data exposure could have serious regulatory consequences. You need to contact IT Security right away.
-
What Went Wrong
David from IT Security explains that SmartSync Pro wasn't a legitimate productivity tool - it was a data-harvesting application designed to steal corporate information. But wait - Marcus recommended it. You realize you should check whether Marcus actually sent that email, so you open the original message to examine it more closely.
-
Examining the Sender
Looking at Marcus's original email again, you decide to verify whether Marcus actually sent it.