New Phishing Wave Uses OAuth Prompts to Take Over Microsoft Accounts


A new phishing campaign is targeting Microsoft account holders by using a clever twist on OAuth authentication prompts.

Instead of asking users to hand over their passwords directly, attackers are tricking people into granting permission to malicious applications through legitimate-looking Microsoft authorization screens.

The attacker never needs the password or a second factor: the victim signs in to Microsoft normally, MFA included, and then consents to the attacker's application, so the resulting token is issued legitimately. That makes the technique particularly dangerous for targeted users and organizations that rely on MFA as their main defense.

Security researchers have identified an increasing number of these attacks, in which victims receive phishing emails directing them to click links that open a genuine Microsoft authorization URL whose client_id belongs to an application the attacker has registered.

Once the user clicks to grant permission, the attacker's application receives legitimate access tokens scoped to whatever permissions were requested, giving access to the account's data without the attacker ever learning the password.

The phishing emails typically appear to come from trusted sources, using urgent language to encourage clicks.

When users follow the link, they are presented with the genuine Microsoft sign-in page; nothing about the sign-in step is forged, which is why checks that look only for a fake login domain do not catch it.

After entering their credentials, they see the standard OAuth consent prompt for the attacker's application. It lists the application name, the publisher (often shown as unverified), and the permissions requested. The prompt appears legitimate because it is Microsoft's own consent screen, following the same authorization flow users have completed many times before.

What makes this attack particularly effective is that users are already trained to expect these permission screens.

Each time someone uses a third-party app with their Microsoft account, they see similar prompts. The attackers capitalize on this familiarity and trust.

Once the victim grants consent, Microsoft issues the attacker's application an access token and, if the offline_access scope was requested, a refresh token, limited to the granted permissions (typically mail, files, contacts, and calendar). Because the grant is recorded against the application rather than the password, resetting the password does not remove it; access persists until the consent grant is revoked and the application's refresh tokens are invalidated.

Traditional phishing attacks ask users to enter passwords on an attacker-controlled page, which many organizations now protect with multi-factor authentication.

This newer approach sidesteps those protections: the victim completes MFA against Microsoft itself, and the attacker holds only a token. The granted scopes give direct access to email, files, contacts, and calendar information stored in the Microsoft account.

For business users, this means potential access to sensitive corporate data, confidential communications, and customer information.

Organizations have particularly high risk because attackers can use compromised accounts as jumping-off points to spread laterally through corporate networks.

They can send emails that appear to come from trusted colleagues, share malicious files, and gather intelligence about internal systems and processes.

Users should never click links in unexpected emails that lead to authorization screens. Instead, type the address of your Microsoft account settings into the browser yourself, and review and revoke the applications that already have access from there.

Read permission requests carefully. If an application asks for access it has no obvious need for, such as full mailbox or file access together with offline access, decline it.

Organizations should deploy security tools that monitor for unusual OAuth token usage and suspicious application permissions across their Microsoft environments, and alert on new user consents that grant high-impact scopes or go to unverified publishers. In Microsoft Entra ID, administrators can also restrict which permissions users may consent to on their own (for example, only low-impact permissions from verified publishers) and route everything else through the admin consent workflow, which removes the user's ability to approve a malicious app in the first place.
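The two attacker-controlled pieces of this attack are the parameters in the authorization link (client_id, scope, redirect_uri) and the consent record it leaves behind. The following is an added example, not code from the original article: it extracts those parameters from a phishing link, classifies the requested scopes by risk, and runs the same classifier over constructed audit records shaped like Entra ID "Consent to application" events. The client_id, redirect_uri, user names, application names and the simplified audit record fields (including publisherVerified) are made up for illustration; the scope names are real Microsoft Graph delegated permissions.

```python
"""Triage helpers for OAuth consent phishing against Microsoft accounts.

Added example, not code from the original article. Assumed/constructed:
the client_id, redirect_uri, user names and audit records below are made
up; the scope names are real Microsoft Graph delegated permissions.
"""
from urllib.parse import urlparse, parse_qs

# Delegated scopes that give an attacker broad or durable access to a mailbox
# or files. offline_access yields a refresh token, so access outlives the session.
HIGH_RISK_SCOPES = {
    "offline_access",
    "Mail.Read", "Mail.ReadWrite", "Mail.Send",
    "Files.Read.All", "Files.ReadWrite.All",
    "Contacts.Read", "Calendars.Read",
    "User.Read.All", "Directory.Read.All",
}

# Genuine Microsoft authorization hosts: the page the victim sees is real;
# only client_id, scope and redirect_uri are under the attacker's control.
MICROSOFT_AUTHZ_HOSTS = {"login.microsoftonline.com", "login.live.com"}


def parse_authorize_url(url):
    """Pull the attacker-controlled parameters out of an OAuth authorize URL.

    Returns None when the URL is not a Microsoft authorize endpoint."""
    u = urlparse(url)
    host = (u.hostname or "").lower()
    if host not in MICROSOFT_AUTHZ_HOSTS or not u.path.endswith("/authorize"):
        return None
    params = parse_qs(u.query)  # decodes %xx escapes and '+' for us
    scopes = set()
    for value in params.get("scope", []):
        scopes.update(value.split())
    return {
        "client_id": params.get("client_id", [""])[0],
        "redirect_uri": params.get("redirect_uri", [""])[0],
        "scopes": scopes,
    }


def assess_scopes(scopes):
    """Classify requested scopes: which are high risk, and whether the grant
    would persist through a refresh token."""
    risky = sorted(set(scopes) & HIGH_RISK_SCOPES)
    return {
        "risky": risky,
        "persistent": "offline_access" in scopes,
        "level": "high" if risky else "low",
    }


# Constructed records shaped like Entra ID "Consent to application" audit
# entries, simplified to the fields this check needs. Not real log data.
SAMPLE_AUDIT = [
    {"activity": "Consent to application", "user": "alice@example.com",
     "appDisplayName": "Invoice Viewer",
     "appId": "11111111-2222-3333-4444-555555555555",
     "publisherVerified": False,
     "scope": "openid offline_access Mail.ReadWrite Files.ReadWrite.All"},
    {"activity": "Consent to application", "user": "bob@example.com",
     "appDisplayName": "Contoso Expense Tool",
     "appId": "66666666-7777-8888-9999-000000000000",
     "publisherVerified": True,
     "scope": "openid profile User.Read"},
    {"activity": "Add service principal", "user": "bob@example.com",
     "appDisplayName": "Contoso Expense Tool",
     "appId": "66666666-7777-8888-9999-000000000000"},
]


def flag_consent_events(records):
    """Return one alert per user-consent record that granted a high-risk
    scope or went to an unverified publisher; other activities are ignored."""
    alerts = []
    for rec in records:
        if rec.get("activity") != "Consent to application":
            continue
        verdict = assess_scopes(rec.get("scope", "").split())
        unverified = not rec.get("publisherVerified", False)
        if verdict["level"] == "high" or unverified:
            alerts.append({
                "user": rec["user"],
                "app": rec["appDisplayName"],
                "appId": rec["appId"],
                "risky_scopes": verdict["risky"],
                "persistent": verdict["persistent"],
                "unverified_publisher": unverified,
            })
    return alerts


# Constructed phishing link: a real Microsoft authorize endpoint carrying a
# made-up client_id and an attacker-controlled redirect_uri.
SAMPLE_LINK = (
    "https://login.microsoftonline.com/common/oauth2/v2.0/authorize"
    "?client_id=11111111-2222-3333-4444-555555555555&response_type=code"
    "&redirect_uri=https%3A%2F%2Fexample.invalid%2Fcallback"
    "&scope=openid+offline_access+Mail.ReadWrite+Files.ReadWrite.All&state=x"
)

if __name__ == "__main__":
    link = parse_authorize_url(SAMPLE_LINK)
    print("link requests:", assess_scopes(link["scopes"]))
    for alert in flag_consent_events(SAMPLE_AUDIT):
        print("ALERT:", alert)
```

The point of splitting the checks this way is that the same scope classifier serves both the email-gateway side (inspect the link before the user clicks) and the detection side (inspect the consent after it happened). A production version would read the real audit log export and look up the application's publisher status from the directory rather than trusting a field in the record.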

Organizations using Microsoft Entra ID should also enable the available security features, including Conditional Access policies that flag unusual sign-in locations and device usage patterns, and should revoke both the consent grant and the affected user's sessions when a malicious application is found.

Security awareness training should specifically address OAuth phishing techniques, ensuring employees understand that permission prompts require the same scrutiny as direct password requests.



