What Is Consent Phishing? Identifying Third-Party App Permission Attacks

Consent phishing is a specialized type of phishing that targets the permissions users grant to third-party applications. Third-party apps frequently ask for permission to access certain account features in order to run properly, and attackers can use fraudulent app permission requests to gain access to a person's account.

What Is Consent Phishing?

Consent phishing is a tactic where cybercriminals employ a deceptive yet sophisticated approach to access user accounts without requiring a password. It typically begins with a phishing email, perhaps a message prompting the user to update their password. If the user clicks the link, they're redirected not to a login page, but to a legitimate Microsoft 365 permission request screen. This screen might display language such as:

  • “Read your contacts”

  • “Read and write access to your mail”

  • “Send mail as you”

  • “Sign you in and read your profile”

If the user approves the request, they unwittingly grant high-level access to a third-party app controlled by the attacker. From that moment, the attacker can act on behalf of the user, reading and sending emails, accessing sensitive data, and more without ever needing to know the user’s credentials.

By registering malicious apps through legitimate authorization protocols and using social engineering tactics, attackers can bypass both passwords and multi-factor authentication (MFA), making consent phishing especially dangerous.

Let’s explore how consent phishing works and how to protect your organization from these invisible threats.

How Do Consent Phishing Attacks Work?

There are two components to a successful consent phishing attack: the OAuth 2.0 authorization protocol and social engineering. Here's how each one is used during a consent phishing attack.

OAuth 2.0 is the protocol that lets applications access a user's resources without the user handing over a password. It's a widely accepted industry standard that is ubiquitous across the internet. If a user wants to use a new application, they may be presented with an option to sign up using their Facebook account or Google account. If they choose this option, Facebook or Google issues an authorization code that the application exchanges for the information needed to create the account.

Attackers then tend to exploit this permission step. They can register a malicious app with an OAuth 2.0 provider to trick users into thinking it's a legitimate and trusted source. After all, an average person may see the permission request frequently while browsing. It won’t automatically look unusual or suspicious.

Social engineering is also a crucial part of a consent phishing attack. Not only do attackers use phishing techniques to convince a recipient to trust an email, but they also play on the user's habit of clicking links. Consenting to permission requests is commonplace on the Internet, and people often accept them without giving it a second thought.

Here is what a consent phishing attempt usually looks like:

  • The attacker registers a malicious app with an OAuth 2.0 provider.

  • The attacker sends a phishing email to a targeted user asking to grant permission to the malicious app.

  • The user clicks on the OAuth 2.0 URL, which generates an authentic permission request.

  • The user grants access to a malicious app, and an authorization code is sent to the attacker.

  • The authorization code is redeemed for access tokens, which the attacker uses to gain access to the user's data.

That is the general process. In practice, a consent phishing attack follows a simple but effective pattern that takes advantage of everyday work habits. An employee receives what appears to be a normal email from someone they trust at work, complete with familiar company logos and formatting. The message states that a document requires their immediate attention.

When the employee clicks the link, they see what appears to be a typical file-sharing page. The malicious phishing application then displays a permission request that resembles the authorization screens people commonly see when using work apps and tools.

Since the employee is used to clicking "allow" on these types of requests as part of their daily routine, they approve it without carefully reading what permissions they're actually granting or checking whether the application is legitimate. This is the moment the attack succeeds: the phishing app now has real access to their accounts.

After granting permission, the system shows an error message saying the document can't be opened right now. This tricks the employee into thinking it was just a temporary glitch, giving them a reasonable explanation to move on without worrying about it.

The employee goes back to work, not knowing that the phishing application is now actively accessing their corporate accounts and data. This attack method works so well because it uses the same legitimate permission systems that employees interact with every day. Security systems have trouble detecting it because the user themselves technically authorized the access. The attack succeeds by exploiting routine workplace habits and the trust people place in familiar-looking communications.

Meanwhile, an attacker has gained full access to an account without needing login credentials or MFA codes. Depending on the granted permissions, an attacker may have the ability to read emails, alter mailbox settings, or even send emails as the user. This persistent access allows attackers to conduct reconnaissance, exfiltrate sensitive data, and potentially launch additional attacks against other users or systems within the organization.

At this point, they can launch a third-party app attack.

Identifying and Preventing Consent Phishing

Here's a real-world example of a consent phishing attack identified by Abnormal that demonstrates how these threats operate in practice. On the surface, this appears to be a standard IT notification about password expiration, the type of email employees receive regularly. The sender appears legitimate, which makes the attack particularly effective.

However, the email originates from a compromised domain, which allows it to bypass sender authentication methods that would typically flag suspicious messages. When users click the password reset link, they're redirected to what appears to be a legitimate Microsoft permission request rather than a standard password reset page.

The critical issue is that this application requests read/write access to the user's email account. If permission is granted, attackers gain the ability to send and receive emails as the user without needing actual login credentials.

Abnormal identified this attack through several indicators. The sender's name closely resembled a legitimate administrator account, but the associated email address was newly created. Additionally, the malicious link contained the target's email address within the URL structure, a technique commonly used by attackers for tracking purposes.

These detection factors allowed Abnormal to flag the email as a credential phishing attack and automatically remediate it before user interaction.

Why Are Consent Phishing Attacks Growing in Popularity?

Consent phishing attacks are growing rapidly because they exploit several key weaknesses in how organizations protect themselves. The primary issue is that most security teams cannot properly track or monitor third-party applications and the permissions users grant to them. This creates a significant blind spot, allowing attackers to gain access to email accounts and steal sensitive information without detection, as their activities appear completely legitimate.

The human factor makes these attacks particularly successful. Today's workers are constantly asked to approve permission requests for various apps and services as part of their normal routine. This has made people less cautious about clicking "allow" when they see these requests. Most employees don't take the time to carefully read what permissions they're granting or verify if the app requesting access is trustworthy.

What makes consent phishing especially dangerous is how it sidesteps traditional security defenses. Standard protection methods like email filtering, threat detection systems, and security monitoring tools are built to catch suspicious or malicious content. However, consent phishing attacks don't look suspicious because they use legitimate authorization systems from trusted companies like Microsoft and Google.

Since the permission request appears to come from a recognized source and follows normal processes, security systems allow it through without question. This means organizations are essentially defenseless against these attacks using their current security tools and need additional steps to prevent them.

How to Prevent Consent Phishing

While consent phishing presents significant challenges for organizations, implementing a multi-layered defense strategy can effectively reduce the risk of successful attacks. The key is combining advanced technology solutions with strong governance policies and user education. Here are some of the immediate preventative measures:

  • Deploy AI-Based Email Security: Implement artificial intelligence-powered email security solutions that can analyze communication patterns and detect anomalous behavior indicative of consent phishing attempts. This technology can identify subtle signs that traditional filters miss, such as unusual sender behavior or suspicious OAuth request patterns, providing an early warning system before users encounter malicious permission requests.
  • Implement Security Posture Management: Establish comprehensive security posture management to continuously monitor permission and configuration changes across your entire cloud environment. This visibility allows security teams to quickly identify unauthorized applications or suspicious permission grants, enabling rapid response to potential breaches before attackers can exploit their access.
  • Configure Application Consent Policies: Set up strict application consent policies that limit employees to only approving applications from trusted publishers and restrict permissions to low-risk functions. This creates a controlled environment where high-risk permissions require administrative approval, significantly reducing the attack surface for consent phishing attempts.
  • Train Administrators on Consent Management: Ensure all administrators understand how to properly evaluate and manage consent requests, including identifying legitimate versus suspicious applications. Well-trained administrators serve as the final checkpoint for high-risk permissions, preventing malicious applications from gaining extensive access to organizational resources.
  • Conduct Regular Permission Audits: Perform periodic audits of all installed applications and their granted permissions to verify they align with the principle of least privilege and business requirements. Regular audits help identify dormant malicious applications or permission creep that attackers could exploit over time.
  • Establish Application Governance Policies: Create proactive governance frameworks that continuously monitor third-party application behavior and automatically report suspicious activities. These policies provide ongoing oversight of the application ecosystem, ensuring any malicious behavior is quickly detected and addressed. For example, you can establish proactive application-governance rules that alert on unfamiliar scopes such as Mail.Send or Files.ReadWrite.All.
  • Provide Security Awareness Training: Deliver comprehensive security awareness training programs that teach employees to recognize the warning signs of consent phishing attempts and understand the importance of carefully reviewing permission requests. Educated users become the first line of defense, often preventing attacks before they can succeed.
  • Promote Publisher-Verified Applications: Encourage the use of applications from verified publishers who have undergone security validation processes with major cloud providers. Verified applications significantly reduce the risk of malicious software, as publishers must meet strict security and identity requirements.
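The detection indicators described above (a consent link that requests mailbox scopes such as Mail.Send or Files.ReadWrite.All, a redirect to an unfamiliar host, and the recipient's address embedded in the URL) can be checked mechanically before a link ever reaches a user. The following is an added example, not Abnormal's code or a Microsoft API: it triages a constructed Microsoft identity platform authorize URL, and the high-risk scope set and the trusted redirect host allow-list are assumptions you would tune to your own consent policy.

```python
"""Triage an OAuth 2.0 consent (authorize) URL found in an email link."""
import re
from urllib.parse import urlparse, parse_qs

# Assumption: delegated Microsoft Graph scopes named in the article (Mail.Send,
# Files.ReadWrite.All) plus closely related mailbox scopes; extend per policy.
HIGH_RISK_SCOPES = {
    "Mail.Send", "Mail.ReadWrite", "Mail.Read", "MailboxSettings.ReadWrite",
    "Files.ReadWrite.All", "Contacts.Read",
}
# Assumption: hypothetical allow-list of redirect hosts your tenant trusts.
TRUSTED_REDIRECT_HOSTS = {"app.contoso.example"}
EMAIL_RE = re.compile(r"[^@\s/?&=]+@[^@\s/?&=]+\.[a-z]{2,}", re.I)


def triage_consent_url(url: str) -> dict:
    """Parse the consent request and list the reasons it deserves review."""
    qs = {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}
    scopes = set(qs.get("scope", "").split())
    findings = []

    risky = sorted(scopes & HIGH_RISK_SCOPES)
    if risky:
        findings.append(f"high-risk scopes requested: {', '.join(risky)}")
    if "offline_access" in scopes:  # refresh token = persistent access
        findings.append("offline_access requested (persistent access)")

    redirect_host = urlparse(qs.get("redirect_uri", "")).hostname or ""
    if redirect_host not in TRUSTED_REDIRECT_HOSTS:
        findings.append(f"redirect_uri host not on allow-list: {redirect_host!r}")

    # The article notes attackers embed the target's address in the link.
    for key in ("login_hint", "state", "redirect_uri"):
        if EMAIL_RE.search(qs.get(key, "")):
            findings.append(f"recipient email embedded in '{key}' parameter")
            break

    return {"scopes": sorted(scopes), "redirect_host": redirect_host,
            "findings": findings}


# Constructed sample: a consent link of the kind the article describes.
SAMPLE_URL = (
    "https://login.microsoftonline.com/common/oauth2/v2.0/authorize"
    "?client_id=PLACEHOLDER-APP-ID&response_type=code"
    "&redirect_uri=https%3A%2F%2Fdocs-share.example%2Fcb"
    "&scope=openid%20Mail.ReadWrite%20Mail.Send%20offline_access"
    "&state=user%40corp.example"
)

if __name__ == "__main__":
    for finding in triage_consent_url(SAMPLE_URL)["findings"]:
        print("-", finding)
```

A link that yields no findings is not proof of legitimacy; it only means none of the article's indicators are present, so publisher verification and the consent policy still apply.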

Successfully defending against consent phishing requires a comprehensive approach that combines technological solutions with strong policies and user awareness. Organizations that implement these layered defenses create multiple barriers, making it significantly harder for attackers to succeed, even as these threats continue to evolve.

Consent phishing bypasses passwords, MFA, and most legacy defenses. Abnormal combines behavioral AI with cloud posture management to automatically detect and remediate these attacks.
