{
	"id": "f8a425d5-48fe-4739-a344-d80d212867d1",
	"created_at": "2026-04-06T02:13:05.974933Z",
	"updated_at": "2026-04-10T13:12:45.97511Z",
	"deleted_at": null,
	"sha1_hash": "5f7940b2d1b5041925cbd39b20a6c3fcba15922c",
	"title": "Microsoft delivers comprehensive solution to battle rise in consent phishing emails",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 582402,
	"plain_text": "Microsoft delivers comprehensive solution to battle rise in consent\r\nphishing emails\r\nBy Microsoft Threat Intelligence\r\nPublished: 2021-07-14 · Archived: 2026-04-06 01:49:37 UTC\r\nMicrosoft threat analysts are tracking a continued increase in consent phishing emails, also called illicit consent\r\ngrants, that abuse OAuth request links in an attempt to trick recipients into granting attacker-owned apps\r\npermissions to access sensitive data.\r\nThis blog offers a look into the current state of consent phishing emails as an initial attack vector and what\r\nsecurity administrators can do to prevent, detect, and respond to these threats using advanced solutions like\r\nMicrosoft Defender for Office 365. Consent phishing attacks aim to trick users into granting permissions to\r\nmalicious cloud apps in order to gain access to user’s legitimate cloud services. The consent screen displays all\r\npermissions the app receives; and because the cloud services are legitimate, unsuspecting users accept the terms or\r\nhit ‘enter,’ which grants the malicious app those requested permissions.\r\nConsent phishing attacks are a specialized form of phishing, so they require a comprehensive, multi-layer defense.\r\nIt’s important for system administrators to gain visibility and control over apps and the permissions these apps\r\nhave in their environment. User consent settings with consent policies in Azure Active Directory enable\r\nadministrators to manage when end users can grant consent to apps. A new app governance add-on feature in\r\nMicrosoft Defender for Cloud Apps (previously Microsoft Cloud App Security) provides organizations the\r\nvisibility to enable them to quickly identify when an app exhibits anomalous behavior.\r\nMicrosoft has previously warned against these application-based attacks as many organizations shifted to remote\r\nwork force at the onset of the COVID-19 pandemic. 
Microsoft’s Digital Crimes Unit (DCU) has in the past also\r\ntaken steps to disrupt cybercriminal infrastructure used for a particular consent phishing campaign.\r\nThe state of consent phishing attacks\r\nConsent phishing attacks abuse legitimate cloud service providers, including Microsoft, Google, and Facebook,\r\nthat use OAuth 2.0 authorization—a widely used industry protocol that allows third-party apps to access a user’s\r\naccount and perform actions on their behalf.\r\nThe goal of these attacks is to trick unsuspecting users into granting permissions (consent) to malicious attacker-owned applications. This is different from a typical credential harvesting attack, where an attacker looking to steal\r\ncredentials would craft a convincing email, host a fake landing page, and expect users to fall for the lure. If the\r\nattempt is successful, user credentials are then passed on to the attacker.\r\nIn a consent phishing attack, the user sign-in takes place at a legitimate identity provider, rather than a fake sign-in\r\npage, in an attempt to trick users into granting permissions to malicious attacker-controlled applications. Attackers\r\nuse the obtained access tokens to retrieve users’ account data from the API resource, without any further action by\r\nhttps://www.microsoft.com/security/blog/2021/07/14/microsoft-delivers-comprehensive-solution-to-battle-rise-in-consent-phishing-emails/\r\nPage 1 of 8\n\nthe user. Targeted users who grant the permissions allow attackers to make API calls on their behalf through the\r\nattacker-controlled app. Depending on the permissions granted, the access token can also be used to access other\r\ndata, such as files, contacts, and other profile details.\r\nMicrosoft Defender for Office 365 data shows an increasing use of this technique in recent months.\r\nFigure 1. 
OAuth phishing URL trend from October 2020\r\nIn most cases, consent phishing attacks do not involve password theft, as access tokens don’t require knowledge\r\nof the user’s password, yet attackers are still able to steal confidential data and other sensitive information.\r\nAttackers can then maintain persistence in the target organization and perform reconnaissance to further\r\ncompromise the network.\r\nA typical consent phishing attack follows this attack chain:\r\nFigure 2. Consent phishing attack flow\r\nAttackers typically configure apps so that they appear trustworthy, registering them using names like\r\n“Enable4Calc”, “SettingsEnabler”, or “Settings4Enabler,” which resemble legitimate business productivity app\r\nintegrations. Attackers then distribute OAuth 2.0 URLs via conventional email-based phishing attacks, among\r\nother possible techniques.\r\nClicking the URL triggers an authentic consent prompt, asking users to grant the malicious app permissions. Other\r\ncloud providers, such as Google, Facebook, or Twitter, display consent prompts or dialog boxes that request\r\nusers’ permissions on behalf of third-party apps. The permissions requested vary depending on the app.\r\nFigure 3. 
OAuth apps gain permission by displaying a “Permissions requested” dialog that shows what\r\npermissions the third party is requesting\r\nWhen users click “accept” or “allow”, the app obtains an authorization code that it redeems for an access token.\r\nThis access token is then used to make API calls on behalf of the user, giving attackers access to the user’s email,\r\nforwarding rules, files, contacts, and other sensitive data and resources.\r\nConsent phishing campaign: A case study\r\nA recent consent phishing attack we tracked employed social engineering techniques to craft an email that\r\nimpersonates a business growth solutions company. The message falsely claims to instruct users to review and\r\nsign a document, signaling a sense of urgency for the user—a tactic that is apparent in most phishing emails.\r\nFigure 4. Sample email campaign with a Review Doc(s) \u0026 Sign link pointing to an OAuth URL\r\nThere are several phishing techniques in this email campaign: brand impersonation, personalized email text\r\nspecific to the recipient or organization, and a recognizable sense of urgency as a social engineering lure.\r\nWhat differentiates this attack from others is how the OAuth URL serves malicious content. To the email\r\nrecipient, the “Review Doc(s) \u0026 Sign” OAuth URL appears legitimate, while the URL is formatted with the identity\r\nprovider URL as well.\r\nThe pattern we observed in this instance displays the OAuth URL as “login.microsoftonline.com.” Other\r\nproviders, such as Google, also format OAuth URLs in a similar manner.\r\nFigure 5. 
Observed patterns in OAuth URLs pointing to attacker’s domain\r\nGiven the recent trend in OAuth abuse, we encourage organizations to look into and prevent this critical threat,\r\nbeyond what traditional security measures offer.\r\nHow Microsoft delivers comprehensive, coordinated defense against consent\r\nphishing\r\nThe sophisticated and dynamic threat landscape exemplified by consent phishing attacks demonstrates the\r\nimportance of employing a Zero Trust security model with a multi-layer defense architecture.\r\nMicrosoft 365 Defender provides comprehensive protection against consent phishing by coordinating defense\r\nacross domains using multiple solutions: Microsoft Defender for Office 365, Microsoft Defender for Cloud Apps,\r\nand Azure Active Directory.\r\nThe Microsoft identity platform helps prevent consent phishing in a few ways.\r\nWith risk-based step-up consent, Azure Active Directory (Azure AD) blocks end users from being able to grant\r\nconsent to apps that are considered potentially risky. For example, a newly-registered multi-tenant app that has not\r\nbeen publisher-verified might be considered risky, and end users would not be allowed to grant consent, even if\r\nthey visit the OAuth phishing URL.\r\nAzure AD puts admins in control over when users are allowed to grant consent to apps. This is a powerful\r\nmechanism for preventing the threat in the first place, and Microsoft recommends that organizations review\r\nsettings for when users can grant consent. Microsoft recommends choosing the out-of-the-box option where users\r\nare only allowed to consent to apps from verified publishers, and only for chosen, lower risk permissions. 
For\r\nadditional granularity, admins can also create custom consent policies, which dictate the conditions for allowing\r\nusers to grant consent, including for specific apps, publishers, or permissions.\r\nBlocking consent phishing emails with Microsoft Defender for Office 365\r\nMicrosoft Defender for Office 365 uses advanced filtering technologies backed by machine learning, IP and URL\r\nreputation systems, and unparalleled breadth of signals to provide durable protection against phishing and other\r\nmalicious emails, helping to block consent phishing campaigns out of the gate. Anti-phishing policies in Defender\r\nfor Office 365 help protect organizations against impersonation-based phishing attacks.\r\nMicrosoft researchers are constantly tracking OAuth 2.0 URL techniques and use this knowledge to provide\r\nfeedback to email filtering systems. This helps ensure that Microsoft Defender for Office 365 is providing\r\nprotection against the latest OAuth phishing attacks and other threats. Signals from Microsoft Defender for Office 365\r\nhelp identify malicious apps and prevent users from accessing them, and provide rich threat data that\r\norganizations can query and investigate using advanced hunting capabilities.\r\nIdentifying malicious apps with Microsoft Defender for Cloud Apps\r\nMicrosoft Defender for Cloud Apps policies such as activity policies, anomaly detection, and OAuth app policies\r\nhelp organizations manage apps connected to their environment. The new app governance add-on feature to\r\nMicrosoft Defender for Cloud Apps helps organizations:\r\nDefine appropriate Microsoft 365 app behavior with data, users, and other apps\r\nQuickly detect unusual app behavior activity that varies from the baseline, and\r\nDisable an app when it behaves differently than expected\r\nFigure 6. 
App governance in Microsoft 365 Compliance\r\nTo give organizations and users confidence in using apps in the Microsoft 365 ecosystem, the Microsoft 365 App\r\nCompliance Program enables app developers to establish authenticity of their applications. The program includes\r\npublisher verification, publisher attestation, and Microsoft 365 certification.\r\nInvestigating and hunting for consent phishing attacks\r\nSecurity operations teams can use advanced hunting capabilities in Microsoft 365 Defender to locate consent\r\nphishing emails and other threats. Microsoft 365 Defender consolidates and correlates email threat data from\r\nMicrosoft Defender for Office 365, app signals from Microsoft Defender for Cloud Apps, and intelligence from\r\nother Microsoft services to provide a comprehensive end-to-end view of attacks. Security operations teams can\r\nthen use the rich tools in Microsoft 365 Defender to investigate and remediate attacks.\r\nOAuth URL pattern redirects to domain with unusual TLD\r\nThe consent phishing campaigns we described in this blog used a variety of unusual TLDs for communication\r\nwith the attacker infrastructure. Use the query below to find inbound emails with suspicious OAuth patterns. The\r\nsuggested TLDs are based on our investigations. Security teams can modify the TLDs to expand the search. 
Run the\r\nquery in Microsoft 365 Defender.\r\nBest practices for protecting organizations against consent phishing\r\nIn addition to taking full advantage of the tools available to them in Microsoft 365 and Microsoft Azure,\r\nadministrators can further strengthen defenses against consent phishing by following these measures:\r\nConfigure user consent settings to only allow user consent for apps from verified publishers, for specific\r\nlow-risk permissions.\r\nIncrease end user awareness on consent phishing tactics as part of security training. Training should\r\ninclude checking for poor spelling and grammar in phishing mails or the application’s consent screen as\r\nwell as spoofed app names and domain URLs that are made to appear to come from legitimate applications\r\nor companies.\r\nEducate the organization on how permissions and consent frameworks work. Understand the data and\r\npermissions an application is asking for and understand how permissions and consent work within our\r\nplatform. Ensure administrators know how to manage and evaluate consent requests and investigate and\r\nremediate risky OAuth applications.\r\nAudit apps and consented permissions in your organization to ensure applications being used are accessing\r\nonly the data they need and adhering to the principles of least privilege.\r\nCreate proactive app governance policies to monitor third-party app behavior on the Microsoft 365\r\nplatform, since policy-driven and machine-learning-initiated remediations address app behaviors both for\r\ncommon and emerging threat scenarios.\r\nAdditional resources\r\nThe app governance add-on feature for Microsoft Defender for Cloud Apps is initially available as a public preview to\r\nexisting Microsoft Defender for Cloud Apps customers in North America and Europe, with other regions being\r\nadded gradually over the next few months.\r\nTo get started with app governance, visit our quick start guide. To learn more about app governance, visit our\r\ndocumentation. 
To launch the app governance portal in the Microsoft 365 Compliance center, go to\r\nhttps://aka.ms/appgovernance.\r\nRefer to our documentation for reference on configuring and managing user consent and app permissions in Azure\r\nAD. For more information on Microsoft Defender for Cloud Apps refer to our blog and Microsoft Defender for\r\nCloud Apps explainer video.\r\nSource: https://www.microsoft.com/security/blog/2021/07/14/microsoft-delivers-comprehensive-solution-to-battle-rise-in-consent-phishing-emails/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.microsoft.com/security/blog/2021/07/14/microsoft-delivers-comprehensive-solution-to-battle-rise-in-consent-phishing-emails/"
	],
	"report_names": [
		"microsoft-delivers-comprehensive-solution-to-battle-rise-in-consent-phishing-emails"
	],
	"threat_actors": [],
	"ts_created_at": 1775441585,
	"ts_updated_at": 1775826765,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/5f7940b2d1b5041925cbd39b20a6c3fcba15922c.pdf",
		"text": "https://archive.orkl.eu/5f7940b2d1b5041925cbd39b20a6c3fcba15922c.txt",
		"img": "https://archive.orkl.eu/5f7940b2d1b5041925cbd39b20a6c3fcba15922c.jpg"
	}
}