
Consent Phishing Turns OAuth Grants into Long-Lived Access Tokens
Security researchers warn that phishing via OAuth consent screens can bypass MFA by stealing refresh tokens, enabling attackers to access mail, drive, and calendars across Microsoft 365 tenants. EvilTokens reportedly compromised 340+ orgs in five countries by tricking users into approving scopes, leaving tokens valid for weeks or months unless explicitly revoked. The risk arises because consent flows sit outside traditional authentication controls and can bridge multiple apps—a 'toxic combination.' Mitigations include continuous OAuth/app inventory, monitoring grant age and re-consent, cross-application identity tracking, conditional access on consent events, and token-level revocation; platforms like Reco claim to map these grants to an identity graph for proactive detection and revocation.
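The mitigations listed above (grant inventory, grant-age and re-consent monitoring, cross-application identity tracking, and token-level revocation) can be expressed as a small detection routine over a tenant's consent-grant records. The following is an added example written for this summary; it is not code from the article, from the researchers, or from Reco. It assumes Microsoft Graph delegated scope names (`offline_access`, `Mail.Read`, `Files.Read.All`, ...), a hypothetical 30-day re-consent policy, and constructed grant records rather than a live Entra ID export.

```python
"""Detection logic over OAuth consent grants (constructed sample data).

Flags the article's risk signals: offline_access paired with mail/drive/calendar
scopes, unverified publishers, stale grants with no re-consent, and per-user
exposure bridged across several apps (the 'toxic combination').
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Delegated Graph scopes that read or write mail, files and calendars.
SENSITIVE_SCOPES = {
    "Mail.Read", "Mail.ReadWrite",
    "Files.Read.All", "Files.ReadWrite.All",
    "Calendars.Read", "Calendars.ReadWrite",
}
LONG_LIVED_SCOPE = "offline_access"   # refresh token issued; survives password change and MFA
MAX_DAYS_WITHOUT_RECONSENT = 30       # assumed policy threshold, not taken from the article


@dataclass(frozen=True)
class ConsentGrant:
    app_id: str
    app_name: str
    publisher_verified: bool
    scopes: frozenset
    granted_at: datetime
    last_reconsent: datetime   # most recent approval by the user
    principal: str             # user who consented


def scope_category(scope):
    """'Mail.ReadWrite' -> 'Mail'; groups scopes by the data they reach."""
    return scope.split(".", 1)[0]


def find_risky_grants(grants, now):
    """Return [(app_id, principal, [reasons])] for grants that need attention."""
    findings = []
    for g in grants:
        reasons = []
        data_scopes = g.scopes & SENSITIVE_SCOPES
        if LONG_LIVED_SCOPE in g.scopes and data_scopes:
            reasons.append("offline_access paired with data scopes: "
                           + ", ".join(sorted(data_scopes)))
        if not g.publisher_verified:
            reasons.append("unverified publisher")
        stale_days = (now - g.last_reconsent).days
        if stale_days > MAX_DAYS_WITHOUT_RECONSENT:
            reasons.append(f"no re-consent for {stale_days} days")
        if reasons:
            findings.append((g.app_id, g.principal, reasons))
    return findings


def cross_app_exposure(grants):
    """Per user: data categories reachable and through which apps.

    Only users whose exposure spans two or more categories via two or more
    distinct apps are returned; a single app with broad scopes is already
    caught by find_risky_grants, this catches the bridged case.
    """
    per_user = {}
    for g in grants:
        for scope in g.scopes & SENSITIVE_SCOPES:
            per_user.setdefault(g.principal, {}) \
                    .setdefault(scope_category(scope), set()).add(g.app_id)
    bridged = {}
    for user, categories in per_user.items():
        apps = set().union(*categories.values())
        if len(categories) >= 2 and len(apps) >= 2:
            bridged[user] = categories
    return bridged


def revocation_plan(grants, now):
    """Grants carrying two or more independent risk reasons: revoke their tokens."""
    return [(app, user) for app, user, reasons in find_risky_grants(grants, now)
            if len(reasons) >= 2]


# Constructed sample grants; app ids, names and users are hypothetical.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
SAMPLE_GRANTS = [
    ConsentGrant("app-mail-sync", "Mail Sync (hypothetical)", True,
                 frozenset({"offline_access", "Mail.Read"}),
                 NOW - timedelta(days=60), NOW - timedelta(days=10), "alice@example.com"),
    ConsentGrant("app-cal", "Calendar Widget (hypothetical)", True,
                 frozenset({"Calendars.Read"}),
                 NOW - timedelta(days=5), NOW - timedelta(days=5), "alice@example.com"),
    ConsentGrant("app-docushare", "DocuShare Helper (hypothetical)", False,
                 frozenset({"offline_access", "Mail.ReadWrite", "Files.Read.All"}),
                 NOW - timedelta(days=45), NOW - timedelta(days=45), "bob@example.com"),
]

if __name__ == "__main__":
    for app, user, reasons in find_risky_grants(SAMPLE_GRANTS, NOW):
        print(f"{user} -> {app}: {'; '.join(reasons)}")
    print("bridged exposure:", cross_app_exposure(SAMPLE_GRANTS))
    print("revoke now:", revocation_plan(SAMPLE_GRANTS, NOW))
```

In a real deployment the grant records would come from the tenant's OAuth2 permission-grant and service-principal listings, and the revocation step would map to the platform's token-revocation operation for the affected user and app; the thresholds and the "two reasons" rule are tuning knobs, not fixed guidance.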