Consent phishing is a specialized type of phishing attack that exploits the OAuth 2.0 authorization protocol to gain unauthorized access to user data and cloud services by tricking users into granting permissions to malicious applications. Rather than stealing login credentials directly, consent phishing manipulates victims into consenting to data access through the legitimate OAuth permission flow.
A consent phishing attack has two core components: the OAuth 2.0 authorization protocol and social engineering.
How a consent phishing attack works
The attacker registers a malicious application with an OAuth 2.0 provider (such as Microsoft or Google), giving it a convincing name and description that suggests it is legitimate or useful.
The attacker sends a phishing email to the targeted user, inviting them to grant permission to the malicious app. The email may claim the app is required for a business process, IT service, or productivity tool.
The user clicks the OAuth 2.0 authorization URL, which opens an authentic-looking permission request screen—hosted by the legitimate OAuth provider—asking the user to grant the application access to their data.
If the user consents, the provider redirects the user's browser to the attacker's registered redirect URI with an authorization code, which the attacker exchanges for access tokens that provide ongoing access to the victim's data, email, contacts, files, or other resources.
What makes consent phishing particularly dangerous is that it sidesteps traditional authentication controls entirely. Even users with strong passwords, multi-factor authentication (MFA), or passwordless authentication are vulnerable, because no credentials are ever collected: only permissions are granted. The malicious application can then access, exfiltrate, or manipulate data persistently, even after password changes, until the consent grant itself is revoked.
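The authorization URL from the steps above is what a defender can inspect before a user reaches the consent screen. The following added example (not code from the original page or from any vendor) parses such a URL, flags scopes that grant broad or persistent access, and checks the redirect host against an allowlist of approved apps; the client_id, redirect host and allowlist are constructed placeholder values.

```python
from urllib.parse import urlparse, parse_qs

# Constructed sample: the kind of OAuth 2.0 authorization URL a consent-phishing
# email would carry. The client_id and redirect host are made-up values.
SAMPLE_URL = (
    "https://login.microsoftonline.com/common/oauth2/v2.0/authorize"
    "?client_id=00000000-0000-0000-0000-000000000000"
    "&response_type=code"
    "&redirect_uri=https%3A%2F%2Fexample-attacker.invalid%2Fcallback"
    "&scope=openid%20offline_access%20Mail.Read%20Files.ReadWrite.All"
)

# Hostnames of the real Microsoft and Google OAuth 2.0 authorization endpoints.
AUTHZ_HOSTS = {"login.microsoftonline.com", "accounts.google.com"}

# Scopes whose grant gives an app broad or persistent data access.
# offline_access yields a refresh token, which is what lets access survive
# a password change until the consent is revoked.
HIGH_RISK_SCOPES = {"offline_access", "Mail.Read", "Mail.ReadWrite",
                    "Files.ReadWrite.All", "Contacts.Read", "Directory.Read.All"}

# Assumed allowlist of redirect hosts belonging to apps the organisation approved.
APPROVED_REDIRECT_HOSTS = {"app.example.com"}


def analyze_consent_url(url, approved_hosts=APPROVED_REDIRECT_HOSTS):
    """Return findings for an OAuth authorization URL, or None if the URL is
    not an authorization request at a known provider endpoint."""
    parts = urlparse(url)
    if parts.hostname not in AUTHZ_HOSTS or "authorize" not in parts.path:
        return None
    q = parse_qs(parts.query)
    scopes = set(q.get("scope", [""])[0].split())
    redirect_host = urlparse(q.get("redirect_uri", [""])[0]).hostname or ""
    risky = sorted(scopes & HIGH_RISK_SCOPES)
    findings = {
        "client_id": q.get("client_id", [""])[0],
        "risky_scopes": risky,
        "redirect_host": redirect_host,
        "redirect_approved": redirect_host in approved_hosts,
    }
    # Suspicious when persistent/broad access is requested by an app whose
    # redirect host is not one the organisation has approved.
    findings["suspicious"] = bool(risky) and not findings["redirect_approved"]
    return findings


if __name__ == "__main__":
    print(analyze_consent_url(SAMPLE_URL))
```

The same check can be run over links extracted from inbound mail, and a hit is a reason to block the message or pre-register the app as unapproved in the tenant.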
Pangratis detects consent phishing attacks by analyzing email content for OAuth permission requests and identifying suspicious application authorization attempts before users interact with malicious links.