How OAuth consent bypasses MFA

May 19, 2026

In February 2026, a phishing-as-a-service (PhaaS) platform called EvilTokens went live. Within five weeks, more than 340 Microsoft 365 organizations in five countries were compromised.

Targets of the platform received a message asking them to enter a short code at microsoft.com/devicelogin to complete what looked like a routine MFA challenge, and they walked away believing they had confirmed an ordinary sign-in. In reality, they had handed the operator a valid refresh token scoped to their mailbox, drive, calendar, and contacts, with a lifetime set by tenant policy rather than by the session.

The operator never needed a password, never tripped an MFA prompt, and never generated a sign-in event that looked like an intrusion. The attack worked because the OAuth consent screen is a reflexive click, and the controls built to stop credential phishing do not cover the consent layer at all.

Security researchers call the result consent phishing or OAuth permission abuse. For the past decade, the phishing click that mattered gave away a password. Today the phishing click that matters hands over a refresh token, which sits structurally beneath the identity controls that most organizations still treat as their perimeter.

Why MFA cannot recognize OAuth permissions

Credential phishing yields usernames and passwords that have to be replayed at some point. Most identity stacks now demand a second factor at replay time. Attacker-in-the-middle (AiTM) kits likewise produce session cookies tied to sign-in events, which the SIEM can correlate with geography, device, and movement patterns.

Figure 1: Credential phishing leaves a sign-in trail that a SIEM can correlate.

OAuth grants produce no credential to replay. The user authenticates with the legitimate identity provider, completes a real MFA challenge on a legitimate domain, and clicks [Accept]. The token the attacker walks away with is the system working as designed: signed by the identity provider, scoped to exactly what the user consented to, and refreshable. MFA cannot block it because MFA has already happened.

Figure 2: OAuth authorization leaves no replays, only renewable tokens.

The refresh token widens the window further. Tokens issued through EvilTokens survived password resets and stayed valid for weeks or months depending on tenant configuration. Changing the password did not invalidate the grant. Only explicit revocation, or a conditional access policy that forced re-consent, closed it.

How consent became normalized

This attack vector has existed for as long as OAuth has been the standard. What has changed is the operating environment. Users have been trained to click through consent screens as quickly as they once clicked through cookie banners. Every AI agent installation presents one. Every productivity integration presents one. Every browser extension that touches a SaaS account presents one. The volume of legitimate consent a knowledge worker sees in a month far exceeds anything that existed when the original OAuth threat model was written.

The scopes themselves are worded in language that does not map clearly to risk. “Read your email” sounds limited, but it covers every message, every attachment, and every shared thread the user can reach. “Access your files when you are away” means a long-lived token that persists, unrevoked, whether or not the user is present. The gap between the consent text and the operational scope is where attackers operate.

Toxic combinations form beneath the application owner

A single OAuth consent gives an attacker a scoped foothold inside one application. The deeper risk forms when those footholds stack.

A finance user grants an AI meeting summarizer access to their calendar and mailbox. The same user then gives a productivity assistant access to the company’s shared drive. A third grant connects a CRM enrichment tool to the customer database. Each grant was approved on its own. No application owner approved the combination. The risk surface is now three scopes that intersect through one person’s identity, and a compromise of the meeting summarizer can reach draft contracts and customer records through that same person.

This is a toxic combination: a set of permissions spanning applications, bridged by OAuth grants, integrations, or AI agents, that no single application owner has ever signed off on as a distinct risk surface. The bridge exists outside every application’s audit log and is invisible from any one of them.

Figure 3: A toxic combination between two SaaS apps that the owner does not allow to be used together.

An MCP install, an OAuth consent click, and a browser extension grant are each a bridge issued at the speed of a single click. Model Context Protocol (MCP) servers are emerging as the next OAuth-style attack surface, giving agents scoped access through the same trust-once mechanism that consent screens already rely on.

The 2025 Salesloft Drift incident showed what this looks like at scale. A compromised downstream connector reached more than 700 Salesforce tenants through OAuth tokens that customers had authorized. Each customer had approved the integration. No one had approved the cascade.

Things to check

To close this gap, security programs must treat OAuth consent in the same way they already treat authentication. Asking a few questions will reveal where the real gaps are.

Area to check: What good looks like

Real OAuth application inventory: Every third-party app holding a refresh token in your tenant, updated continuously rather than at audit time.

Grant age and reconsent: Tokens issued more than 30 days ago without reconsent surfaced as a queue.

Cross-application identity: Any identity holding grants across three or more SaaS applications flagged for review.

Bridging agents and integrations: AI agents and integrations that bridge two systems no application owner has authorized together.

Conditional access on consent: Policies that trigger on consent events, not only on sign-in events.

Token-level revocation: A playbook that revokes a single OAuth token instead of suspending the user.
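The grant-age, offline-access and cross-application checks from the list above, run over a constructed grant inventory. This is an added example, not Reco’s code or any vendor API; the user and app names are hypothetical and the record shape (principal, app, scopes, consent time) is assumed to match whatever the tenant’s consent inventory exports.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample inventory; users and apps are hypothetical.
NOW = datetime(2026, 5, 19, tzinfo=timezone.utc)
GRANTS = [
    {"user": "finance.user@example.com", "app": "AI Meeting Summarizer",
     "scopes": ["Mail.Read", "Calendars.Read", "offline_access"],
     "consented": NOW - timedelta(days=45)},
    {"user": "finance.user@example.com", "app": "Productivity Assistant",
     "scopes": ["Files.Read.All", "offline_access"],
     "consented": NOW - timedelta(days=10)},
    {"user": "finance.user@example.com", "app": "CRM Enrichment",
     "scopes": ["Contacts.Read"], "consented": NOW - timedelta(days=3)},
    {"user": "eng.user@example.com", "app": "Productivity Assistant",
     "scopes": ["Files.Read"], "consented": NOW - timedelta(days=90)},
]
MAX_GRANT_AGE = timedelta(days=30)  # reconsent threshold from the checklist
BRIDGE_THRESHOLD = 3                # apps per identity that trigger review

def stale_grants(grants, now=NOW):
    """Grants past the reconsent threshold. A refresh token issued on them
    keeps working through password resets, so they go to a reconsent queue."""
    return [g for g in grants if now - g["consented"] > MAX_GRANT_AGE]

def offline_grants(grants):
    """offline_access is the scope that turns a click into a long-lived token."""
    return [g for g in grants if "offline_access" in g["scopes"]]

def cross_app_identities(grants, threshold=BRIDGE_THRESHOLD):
    """Identities whose grants span >= threshold apps: the toxic-combination bridge."""
    by_user = defaultdict(set)
    for g in grants:
        by_user[g["user"]].add(g["app"])
    return {u: sorted(a) for u, a in by_user.items() if len(a) >= threshold}

def review_queue(grants, now=NOW):
    """One combined analyst queue, keyed by identity rather than by app."""
    queue = defaultdict(list)
    for g in stale_grants(grants, now):
        queue[g["user"]].append(f"reconsent: {g['app']}")
    for g in offline_grants(grants):
        queue[g["user"]].append(f"long-lived token: {g['app']}")
    for user, apps in cross_app_identities(grants).items():
        queue[user].append("bridge across " + ", ".join(apps))
    return dict(queue)

if __name__ == "__main__":
    for user, items in review_queue(GRANTS).items():
        print(user, *items, sep="\n  ")
```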

Process discipline on its own does not close the gap. Bridges live in a graph that no individual application owns, and they are created at the speed of an MCP install or an OAuth consent click. Seeing that graph continuously requires a platform built to monitor the runtime layer where the bridges are actually formed.

Where does an AI security platform fit?

A new class of platforms handles much of this automatically. They map all OAuth grants, AI agents, and third-party integrations to an identity graph the moment they are issued, rather than waiting for the next audit, exposing bridges, unused tokens, and policy deviations as a continuous operational queue.

Reco is one example. It unifies AI agent security, identity governance, and threat detection in a single control plane. Its identity knowledge graph connects human and non-human identities to the applications, OAuth permissions, and integrations they can reach across SaaS assets.

Figure 4: Reco’s view of the AI ​​agent’s OAuth grants and connected accounts.

The platform continuously discovers AI agents and OAuth grants as they appear, maps each scope to the identity that authorized it, monitors behavior for policy deviations, and revokes access at the token level rather than at the user account. This gives security teams visibility into the runtime layer where these trust relationships are actually formed.

Consent phishing is unlikely to go away soon. After years of investment and scrutiny in phishing-resistant authentication, the consent layer still runs largely on trust. Closing that gap means treating OAuth permissions and AI agent connections with the same visibility, monitoring, and revocation discipline already applied to authentication itself.

Learn more about Reco’s AI security platform.

This article is a contribution from one of our valued partners.
