Sign In
In this section

Consent Phishing: Detecting Illicit OAuth Grants

5-6 hours · Module 3

The compromise with no failed login

An analyst pulls the sign-in record for a user who reported something odd. The authentication is clean: correct user, result success, MFA satisfied, normal location, no failed attempts, no impossible travel, nothing the anomaly detections would fire on. By every measure the identity-triage playbook teaches, this sign-in is fine. The analyst closes it. They are wrong, and the breach is already running, because the attack never touched the authentication at all. The user clicked Allow on a consent prompt, and an attacker-controlled application has been reading their mail ever since.

This is consent phishing, and it is the reason application triage exists as a separate discipline. Every detection tuned for a compromised login looks for an authentication that should not have happened. Consent phishing produces an authentication that should have happened, by the real user, from their real device, and then weaponizes what that user authorized. The signal is not in whether the sign-in was legitimate. It is in what the legitimate user was tricked into granting.

Consent phishing persuades a user to grant an attacker-controlled application access to their data through the identity provider's own consent mechanism. The attacker does not steal a password, intercept a token, or relay an MFA prompt. They send a link. The user clicks it, sees a familiar consent prompt ("This application would like to read your mail"), and clicks Allow. The identity provider records the consent, issues the application its own tokens, and the application starts reading data. The credentials were never compromised. The MFA was never challenged. The only thing that happened is that the user authorized a delegation, and the delegation is the attack.

This is a different category from the credential and token attacks. A stolen password or a replayed token creates a session that impersonates the user. A consent-phishing grant creates a separate principal that acts alongside the user, using its own authentication, with permissions the user explicitly authorized. The resulting access does not appear in the interactive sign-in logs because the application never interactively signs in. It authenticates server-to-server through the OAuth token endpoint, invisibly, for as long as the consent remains in place.

The attack pattern

The consent-phishing attack follows a consistent sequence. Understanding the sequence is the prerequisite for detecting it, because each stage leaves a distinct trace, and the triage is the act of lining those traces up against the timeline.

Consent phishing: the five-stage sequence 1. Register Attacker registers an app with a plausible name. Requests Mail.Read, Mail.ReadWrite, Contacts.Read, or similar broad delegated scopes. The granted permissions are the data channel. 2. Deliver Phishing email or message contains a link to the OAuth authorization endpoint with the app's client ID and requested scopes embedded. The link opens the consent prompt. 3. Consent User sees "This app would like to: Read your mail, Read your contacts." Clicks Allow. No password entered, no MFA prompted. The consent itself is the entire compromise. 4. Token issuance Identity provider records the grant, creates a service principal in the tenant, and issues the application its own access and refresh tokens scoped to the consented permissions. 5. Silent access App reads mail, enumerates contacts, accesses files through the API. No browser, no session, no sign-in log entry. Continues indefinitely until the consent is explicitly revoked.

Each stage leaves its own evidence. The attacker's work is at stages 1 and 2; the user's single action is at stage 3; the system responds at stage 4; and stage 5 runs silently until someone intervenes.

The critical thing to internalize is that stage 3 is the only moment the user does anything, and the only thing they do is click a button. There is no credential entry, no challenge to intercept, no session to steal. The consent prompt is a legitimate UI presented by the identity provider, and the user has seen it before for real applications. The attacker's entire play is making the prompt appear when the user expects to see one (usually embedded in a phishing email disguised as a document-sharing notification or a service-activation link) and choosing an application name and scope set that look plausible enough that the user clicks Allow without reading the permission list.

Why traditional detection misses it

Most identity detections are tuned for authentication anomalies: impossible travel, anomalous IP, failed MFA, brute-force patterns. Consent phishing produces none of these signals. The user authenticates normally from their own device and location, their MFA succeeds (if prompted at all for the consent flow), and the consent event records a successful, policy-compliant action by a legitimate user. The event does not fail any rule that looks for authentication anomalies, because there is no authentication anomaly. The anomaly is in the authorization: what the user granted, to which application, at what time, with what permissions.

This means the detection surface is different from everything you have seen in identity triage so far. You are not hunting for a session that should not exist. You are hunting for a consent that should not have been granted. The signals are in the consent record, the application metadata, and the timeline correlation between the consent and a known phishing delivery.

The five signals that separate illicit from legitimate

Not every consent is an attack. Organizations use hundreds of OAuth-integrated applications legitimately, and every one of them required a consent at some point. The triage question is not "was there a consent" but "was this particular consent legitimate." Five signals, weighed together, make the call.

Five signals: illicit vs legitimate consent ILLICIT INDICATORS LEGITIMATE INDICATORS 1. Timing Minutes after a phishing email or suspicious link click. During a planned rollout, IT ticket, or onboarding workflow. 2. Permissions Over-broad for the app's name. "Calendar Sync" with Mail.ReadWrite. Proportionate to the application category and stated function. 3. App metadata Unverified publisher, recent registration, unknown app ID. Verified publisher, long-standing gallery app, recognized ID. 4. Consent IP From an anomalous IP, VPN exit, or already-compromised session. From the user's normal corporate IP or known home network. 5. Consent history Part of a documented IT deployment. First-ever consent by this user.

No single signal convicts. The judgment is the pattern across all five. Three or more illicit indicators is enough to contain first and investigate second; one or two warrants investigation before deciding.

The signals work as a pattern, not a checklist. A consent with an unverified publisher but appropriate scopes, from the user's normal IP, during a documented rollout, is probably legitimate. A consent with an unverified publisher, over-broad scopes, from an anomalous IP, minutes after a phishing email, with no IT ticket or rollout context, is almost certainly illicit. The judgment lives in how many signals align and how strong each one is. Timing correlation with a phishing delivery is the strongest single indicator, because it places the consent inside an attack timeline. App metadata is the weakest on its own, because many legitimate applications are unverified (small vendors, internal tools, early-stage integrations). Weight each signal by how much it changes the probability the consent is attacker-installed, and let the combined reading make the call.

The judgment under uncertainty

The hard case is the consent that sits in the middle: an unfamiliar application, with somewhat broad permissions, from the user's normal IP, with no clear phishing correlation, but no IT ticket either. The user does not remember granting it. Two of the five signals are present (unfamiliar app, no rollout context), but the strong indicators (phishing timing, anomalous IP) are absent.

The resolution is the same principle you learned in identity triage: when the evidence is genuinely undecided, you do not default to benign. You default to unproven, and you use the cost asymmetry to set your next move. Leaving a legitimate consent in place for another hour while you investigate costs the organization nothing. Leaving a malicious consent in place for another hour costs ongoing data exposure. The correct response to an ambiguous consent is to investigate further (check what the application has actually accessed, examine the application's registration details, ask the user) rather than to clear it because you cannot prove it is malicious. The proof, if it comes, comes from tracing what the application did after the consent was granted, which is the subject of later subs in this module.

When the consent is ambiguous: cost asymmetry decides Consent flagged 0 illicit signals Known app, IT rollout, normal IP. Document and close. 1-2 illicit signals Unfamiliar app, no context, but no phishing or anomalous IP. Investigate before deciding. 3+ illicit signals Phishing timing, over-broad scope, unverified, no IT context. Contain first, investigate second. The middle path is the hard case. Default to unproven, not benign. One hour of investigation costs nothing; one hour of ongoing exfil costs data.

The middle path is where judgment lives. The cost asymmetry resolves it: investigate the ambiguous consent while preserving the ability to contain it, rather than clearing it because you cannot yet prove it is malicious.

The common mistake

Waiting for a confirmed phishing email before treating a consent as suspicious. Consent phishing does not always arrive by email. It can arrive through a Teams message, a QR code on a document, a link in a calendar invite, or a redirect from a compromised website. Requiring a confirmed phishing delivery as a prerequisite for investigating a consent means you miss every delivery channel your email gateway does not see. The consent itself is the evidence you are triaging, not the delivery method. If the consent record shows an unfamiliar application with broad permissions, the investigation starts there regardless of whether you can find the phishing lure that delivered it.

Seeing it in the evidence

A practical example that does not depend on a specific environment. An organization receives a report from a user who says they clicked "Allow" on something they now believe was suspicious. They received a document-sharing notification from a colleague, clicked the link to view the document, and were presented with a consent prompt for an application called "Document Viewer Pro" requesting Mail.Read, Mail.ReadWrite, and Files.Read. They clicked Allow. The document never loaded.

Where to find it

The consent record in the directory audit log or cloud application log, filtered to consent operations for the reporting user. The phishing email (if still in the mailbox or quarantine) provides the delivery correlation. The application's registration record in the directory provides the metadata for signal 3.

How to extract it

Pull the consent events for the user over the last 24 hours, then cross-reference the timestamps against the email log to establish whether a phishing delivery preceded the consent. The combination of the two queries (consent record + email timeline) gives you signals 1, 2, 4, and 5 from the framework above.

sourcetype=o365:cloudapp action=ConsentToApplication
| eval permissions=spath(raw_event_data, "Permissions")
| table _time, user, object_name, permissions, src_ip, src_country
| sort _time
CloudAppEvents
| where ActionType == "ConsentToApplication"
| extend Permissions = tostring(parse_json(RawEventData).Permissions)
| project Timestamp, AccountDisplayName, ObjectName, Permissions, IPAddress, CountryCode
| sort by Timestamp asc
# Consent events with scope detail from the directory audit
Get-MgAuditLogDirectoryAudit -Filter "activityDisplayName eq 'Consent to application'" -Top 50 |
  Where-Object { $_.InitiatedBy.User.UserPrincipalName -eq 'reporting.user@contoso.com' } |
  Select-Object ActivityDateTime,
    @{n='App';e={$_.TargetResources[0].DisplayName}},
    @{n='Scopes';e={($_.TargetResources[0].ModifiedProperties | Where-Object DisplayName -eq 'ConsentAction.Permissions').NewValue}},
    @{n='IP';e={$_.AdditionalDetails | Where-Object Key -eq 'IpAddress' | Select-Object -Expand Value}}

Read the output

Apply the five-signal framework. Timing: the consent lands within minutes of the reported document-sharing notification, which is the phishing delivery (signal 1: strong illicit). Permissions: Mail.Read, Mail.ReadWrite, Files.Read on an application called "Document Viewer Pro," which should need file-read access at most, not mail read-write (signal 2: over-broad, illicit). App metadata: check whether the publisher is verified and whether the application ID appears in the organization's known-app list (signal 3). Consent IP: determine whether it matches the user's normal location (signal 4). Consent context: no IT ticket, no rollout, the user does not recognize the application (signal 5: illicit). Three or four illicit signals out of five. This consent is almost certainly attacker-installed.

The reading resolves quickly once you apply the framework systematically. The timing correlation with the phishing delivery is the anchor: a consent granted within minutes of a suspicious link click, for permissions that exceed the application's stated function, from a user who does not recognize the application and has no IT rollout context. You do not need certainty on all five signals to act. Three strong illicit indicators in the context of an active phishing report is sufficient to treat this as a malicious consent and begin containment.

Your turn

A security alert fires on a new consent grant. The application is "Teams Meeting Recorder," the publisher is unverified, and the scopes are Calendars.Read, OnlineMeetings.Read.All, and Mail.ReadWrite. The consent came from the user's corporate IP at 14:22. There is no phishing email in the user's inbox or quarantine, but the user says they clicked a link in a Teams chat from an external contact. Walk through the five signals and state your read.

Reveal

Signal 1 (timing): the consent correlates with a link click in a Teams chat from an external contact. This is a delivery mechanism, even though it is not email. Present and illicit. Signal 2 (permissions): a meeting-recording tool should need calendar and meeting access, but Mail.ReadWrite is over-broad for that purpose. Illicit indicator. Signal 3 (app metadata): unverified publisher. Weak illicit indicator on its own, but it compounds with the others. Signal 4 (consent IP): corporate IP, the user's normal location. This is the one legitimate indicator, but it is expected in consent phishing because the user is the one clicking Allow from their own machine. Does not exonerate. Signal 5 (consent history): no IT context, unsolicited external link. Illicit indicator. Four of five signals point illicit. The corporate IP is the only benign signal, and it is inherent to the attack pattern (the user consents from their own device). Treat as a malicious consent. Begin containment: revoke the consent, disable the service principal, then trace what the application accessed between 14:22 and now.

Consent phishing triage: five-signal assessment

When a consent grant is flagged or reported, score these five signals against the consent record. Three or more illicit indicators warrants containment first, investigation second.

1. Timing correlation

Does the consent fall within minutes of a phishing email, a suspicious link click, or a user-reported social engineering attempt? Strongest single signal. Check: email log, Teams/chat message log, browser proxy log for the link click that preceded the consent.

2. Permission scope vs stated purpose

Are the permissions proportionate to what the application claims to do? A "calendar sync" requesting Mail.ReadWrite is over-broad. A "file viewer" requesting Mail.Read is over-broad. The name is the claim; the scopes are the capability.

3. Application metadata

Publisher verification status, application registration age, whether the app ID appears in your directory's enterprise-applications list. Weakest signal alone; strongest when it compounds with timing or scope.

4. Consent origin IP

Was the consent granted from the user's normal location or from an anomalous IP? Note: in consent phishing, the user clicks Allow from their own device, so a corporate IP does not exonerate. An anomalous IP strengthens the illicit reading (the session itself may be compromised).

5. Consent context

Is there an IT ticket, a documented rollout, or a procurement record for this application? Does the user recognize it as a tool they requested? No context + unfamiliar application = illicit indicator. Established context + recognized tool = legitimate indicator.

Where this leads: you can now identify a consent-phishing attack and assess a consent grant against five weighted signals. The next step is understanding what happens after the consent is recorded: the application signs in under its own identity as a service principal, and the triage question shifts from "was this consent legitimate" to "what is this application doing."

© 2026 Ridgeline Cyber Defence™ Ltd. Content may not be reproduced or redistributed. Worked artifacts may be adapted for use within your organization.
← Previous Next →