OAuth Consent Phishing: The New Threat to MFA Security (2026)

The world of online security is in a constant state of evolution, and the latest threat on the horizon is a cunning and insidious one: consent phishing. This emerging tactic leverages OAuth consent screens (the very mechanism designed to streamline user authentication) to bypass multi-factor authentication (MFA) and gain unauthorized access to sensitive data. The attack vector, known as OAuth grant abuse, has been around since OAuth became the standard for authorization, but the environment has changed, and so has the threat landscape.

In February 2026, a phishing-as-a-service platform called EvilTokens went live, compromising over 340 Microsoft 365 organizations across five countries. The attack worked by tricking users into entering a short code at a malicious website, which then granted the attacker a valid refresh token with broad access to the victim's mailbox, drive, calendar, and contacts. This refresh token, scoped to the user's account and with a long lifespan, allowed the attacker to remain undetected for weeks or months, even after password resets.

What makes this attack particularly insidious is that it bypasses the very controls designed to prevent credential phishing. The OAuth consent screen, which users instinctively click through, is not scrutinized by MFA, which focuses on the sign-in event. This means that the attacker can walk away with a valid token, signed by the identity provider and scoped to the user's approved permissions, without triggering any security alerts.

The issue lies in the way OAuth grants are structured. Unlike traditional credential phishing, where a username and password are stolen and replayed, a phished OAuth grant involves no replayed credentials. The user authenticates with the legitimate identity provider, completes MFA, and then clicks 'Accept'. The token issued is valid, scoped to the permissions the user approved, and can be refreshed. MFA cannot block the resulting token because the authentication step, MFA included, has already completed before consent is given.

Furthermore, the problem is exacerbated by the long lifespan of refresh tokens. These tokens can survive password resets and remain valid for weeks or months, depending on the tenant configuration. Only explicit revocation or conditional access policies demanding re-consent can invalidate them. This means that even if a user's password is changed, the attacker's token may still be valid, creating a prolonged window of opportunity for malicious activity.

The normalization of OAuth consent screens has contributed to this problem. Users have become accustomed to clicking through these screens at a rapid rate, often without fully understanding the permissions they are granting. Every AI agent, productivity integration, and browser extension that interacts with SaaS accounts surfaces a consent screen, leading to a deluge of legitimate consent requests that knowledge workers encounter monthly. This volume far exceeds what was considered when OAuth threat models were initially developed.

The language used in OAuth scopes also contributes to the risk. Phrases like 'Read your mail' or 'Access files when you're not present' may sound limited, but they grant broad access to user data. This gap between consent language and operational reach is where attackers operate, exploiting the trust users place in these mechanisms.

The real danger emerges when these OAuth grants intersect across different applications. A user might grant an AI meeting summarizer access to their calendar and mailbox, and later approve a productivity assistant for the company's shared drive. A CRM enrichment tool might then be connected to the customer database. Each of these approvals is given independently, and no single application owner sanctioned the combination. This creates a 'toxic combination', where the compromise of one application can lead to unauthorized access to data in other applications, all through a single human identity.

The 2025 Salesloft-Drift incident exemplifies this issue at scale. A compromised downstream connector spread across over 700 Salesforce tenants through OAuth tokens that customers had legitimately approved. Each customer authorized the integration, but none authorized the cascade. This highlights the need for better visibility and control over these OAuth-based connections.

To address this evolving threat, security programs must treat OAuth consent with the same rigor as authentication. This involves reviewing the following areas:

  • OAuth application inventory: Identifying every third-party app holding refresh tokens and confirming that those tokens are not being renewed indefinitely without audit.
  • Grant age and re-consent: Flagging tokens issued over 30 days ago without re-consent for further investigation.
  • Cross-application identities: Identifying identities holding grants across multiple SaaS applications and prioritizing them for review.
  • Agent and integration bridges: Examining AI agents and integrations that bridge two systems without owner approval.
  • Conditional access on consent: Implementing policies that re-trigger on consent events, not just sign-in events.
  • Token-level revocation: Developing a playbook for revoking individual OAuth tokens rather than suspending entire user accounts.
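The checklist above, together with the 'toxic combination' scenario of one human identity bridging several SaaS applications, can be turned into a concrete triage pass over a grant inventory. The script below is an added example and is not code from the article or from Reco; the inventory format, the identities, the app names, the platform labels and the scope strings are constructed for illustration, and a real inventory would come from the identity provider's consent and grant export.

```python
"""
Triage a SaaS OAuth grant inventory against the review areas above:
grant age, cross-application identities, unsanctioned bridges, and the
scope of a token-level revocation for one compromised app.

Added example, not from the original article. All identities, app names,
platforms and scope names below are constructed assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date, timedelta
from itertools import combinations

REVIEW_AGE_DAYS = 30  # grant-age threshold named in the checklist above


@dataclass(frozen=True)
class Grant:
    identity: str          # human identity that clicked "Accept"
    app: str               # third-party app or agent holding the token
    platform: str          # SaaS platform the grant was issued against
    scopes: frozenset      # granted scopes (constructed names)
    issued: date           # date of the most recent consent
    has_refresh: bool      # whether a long-lived refresh token was issued
    owner_approved: bool   # whether the platform owner sanctioned this app


# Constructed sample inventory (not real data): one identity, "alice",
# has independently approved apps on three platforms, mirroring the
# meeting-summarizer / productivity-assistant / CRM-enrichment scenario.
TODAY = date(2026, 3, 15)
INVENTORY = [
    Grant("alice", "MeetingSummarizer", "m365",
          frozenset({"calendar.read", "mail.read"}), TODAY - timedelta(days=95), True, True),
    Grant("alice", "ProductivityAssistant", "shared-drive",
          frozenset({"files.readwrite"}), TODAY - timedelta(days=40), True, False),
    Grant("alice", "CRMEnricher", "crm",
          frozenset({"contacts.readwrite"}), TODAY - timedelta(days=10), True, False),
    Grant("bob", "MeetingSummarizer", "m365",
          frozenset({"calendar.read"}), TODAY - timedelta(days=5), True, True),
    Grant("carol", "UnknownQuizApp", "m365",
          frozenset({"mail.read", "files.read"}), TODAY - timedelta(days=2), True, False),
]


def stale_grants(inv, today=TODAY, max_age=REVIEW_AGE_DAYS):
    """Grants whose last consent is older than the review window and that
    still hold a refresh token, i.e. renewable without any re-consent."""
    return sorted((g.identity, g.app) for g in inv
                  if g.has_refresh and (today - g.issued).days > max_age)


def cross_platform_identities(inv):
    """Identities holding grants on more than one SaaS platform."""
    platforms = defaultdict(set)
    for g in inv:
        platforms[g.identity].add(g.platform)
    return {i: sorted(p) for i, p in platforms.items() if len(p) > 1}


def unsanctioned_bridges(inv):
    """Pairs of platforms joined through a single identity where at least
    one side was never sanctioned by a platform owner. These are the
    combinations that nobody approved as a whole."""
    by_identity = defaultdict(list)
    for g in inv:
        by_identity[g.identity].append(g)
    bridges = set()
    for identity, grants in by_identity.items():
        for a, b in combinations(grants, 2):
            if a.platform == b.platform:
                continue
            if not (a.owner_approved and b.owner_approved):
                lo, hi = sorted((a.platform, b.platform))
                bridges.add((identity, lo, hi))
    return sorted(bridges)


def blast_radius(inv, compromised_app):
    """For a token-level revocation of one app, list which identities held
    that app's tokens and which other platforms are reachable through the
    same identity's remaining grants (the cascade to review next)."""
    affected = {g.identity for g in inv if g.app == compromised_app}
    reach = {}
    for identity in affected:
        reach[identity] = sorted({g.platform for g in inv
                                  if g.identity == identity and g.app != compromised_app})
    return reach


if __name__ == "__main__":
    print("stale grants:", stale_grants(INVENTORY))
    print("cross-platform identities:", cross_platform_identities(INVENTORY))
    print("unsanctioned bridges:", unsanctioned_bridges(INVENTORY))
    print("blast radius of ProductivityAssistant:",
          blast_radius(INVENTORY, "ProductivityAssistant"))
```

Running it on the constructed inventory flags alice's two grants older than 30 days, reports alice as the only identity spanning several platforms, lists the three platform pairs she bridges without full owner approval, and shows that revoking only the ProductivityAssistant tokens still leaves her m365 and CRM grants to review rather than requiring her whole account to be suspended.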

However, procedural discipline alone is not enough. The bridges between applications exist in a complex graph that no individual application owns, and they are created at a rapid pace. To effectively monitor and manage these connections, a platform is needed that can continuously watch the runtime layer where these bridges form.

This is where AI security platforms come into play. These platforms automatically map OAuth grants, AI agents, and third-party integrations into the identity graph as they are issued, identifying bridges, unused tokens, and policy deviations. For instance, Reco, a leading AI security platform, connects human and non-human identities to the applications, OAuth grants, and integrations they can access across the SaaS estate. It continuously discovers and monitors AI agents and OAuth grants, mapping each scope back to the approving identity, and revokes access at the token level.

In conclusion, consent phishing is a growing concern in the digital landscape, leveraging OAuth consent screens to bypass MFA and gain unauthorized access. The normalization of OAuth consent, the complexity of application intersections, and the long lifespan of refresh tokens contribute to the challenge. To combat this threat, security programs must treat OAuth consent with the same vigilance as authentication, and AI security platforms can play a crucial role in automating the monitoring and management of these complex connections.

Author: Twana Towne Ret