Consent Phishing Attack: All You Need to Know

A consent phishing scam tricked a user into granting access to their account to a malicious third-party app.

This technique is effective against users with strong passwords, multi-factor authentication, and even passwordless accounts.

[{"selector":"#anim-45053165-055c-453c-bb61-14661724c1df [data-leaf-element=\"true\"]","keyframes":{"transform":["translate(1.2398970739013748e-12%, 0%) scale(1.5)","translate(0%, 0%) scale(1)"]},"delay":0,"duration":2000,"easing":"cubic-bezier(.3,0,.55,1)","fill":"forwards"}] [{"selector":"#anim-c595e28b-9fa0-4605-8985-b4ba3923d0d9","keyframes":{"opacity":[0,1]},"delay":0,"duration":600,"easing":"cubic-bezier(0.2, 0.6, 0.0, 1)","fill":"both"}] [{"selector":"#anim-49ba056b-fa85-4679-8a76-0372df5beae1","keyframes":{"transform":["translate3d(0px, 111.80016%, 0)","translate3d(0px, 0px, 0)"]},"delay":0,"duration":600,"easing":"cubic-bezier(0.2, 0.6, 0.0, 1)","fill":"both"}]

The attacker first registers an OAuth 2.0 app with the target platform (e.g. Microsoft 365 or Google Workspace).

[{"selector":"#anim-64dd1987-1783-4156-9dec-b12e7ce974c2 [data-leaf-element=\"true\"]","keyframes":{"transform":["translate(1.2398970739013748e-12%, 0%) scale(1.5)","translate(0%, 0%) scale(1)"]},"delay":0,"duration":2000,"easing":"cubic-bezier(.3,0,.55,1)","fill":"forwards"}] [{"selector":"#anim-9798c84c-8e24-400a-9817-f07d04c7b854","keyframes":{"opacity":[0,1]},"delay":0,"duration":600,"easing":"cubic-bezier(0.2, 0.6, 0.0, 1)","fill":"both"}] [{"selector":"#anim-ac0aa482-8627-4e81-abc5-d8b450d45c88","keyframes":{"transform":["translate3d(0px, 130.70988%, 0)","translate3d(0px, 0px, 0)"]},"delay":0,"duration":600,"easing":"cubic-bezier(0.2, 0.6, 0.0, 1)","fill":"both"}]

Depending on the platform, this may require minimal requirements.

[{"selector":"#anim-9fc466b9-a6a5-4fe4-b62f-bb80d7855d90 [data-leaf-element=\"true\"]","keyframes":{"transform":["translate(1.2398970739013748e-12%, 0%) scale(1.5)","translate(0%, 0%) scale(1)"]},"delay":0,"duration":2000,"easing":"cubic-bezier(.3,0,.55,1)","fill":"forwards"}] [{"selector":"#anim-cc9dd574-9b23-4de8-9e4a-45893a6a4203","keyframes":{"opacity":[0,1]},"delay":0,"duration":600,"easing":"cubic-bezier(0.2, 0.6, 0.0, 1)","fill":"both"}] [{"selector":"#anim-da529ff8-4112-4a7f-81e9-597939425d33","keyframes":{"transform":["translate3d(0px, 136.90112%, 0)","translate3d(0px, 0px, 0)"]},"delay":0,"duration":600,"easing":"cubic-bezier(0.2, 0.6, 0.0, 1)","fill":"both"}]

Through phishing tactics, users are then lured into giving the app access to their accounts.

[{"selector":"#anim-ef4b8879-3ed1-4db8-beae-6df1bf247216 [data-leaf-element=\"true\"]","keyframes":{"transform":["translate(1.2398970739013748e-12%, 0%) scale(1.5)","translate(0%, 0%) scale(1)"]},"delay":0,"duration":2000,"easing":"cubic-bezier(.3,0,.55,1)","fill":"forwards"}] [{"selector":"#anim-de45dba6-6da0-4e2c-ace5-90ca429f489f","keyframes":{"opacity":[0,1]},"delay":0,"duration":600,"easing":"cubic-bezier(0.2, 0.6, 0.0, 1)","fill":"both"}] [{"selector":"#anim-d67a0227-19e9-4d94-a2e4-b9b81425d760","keyframes":{"transform":["translate3d(0px, 123.13968%, 0)","translate3d(0px, 0px, 0)"]},"delay":0,"duration":600,"easing":"cubic-bezier(0.2, 0.6, 0.0, 1)","fill":"both"}]

The user is then presented with a legitimate consent screen for the target platform.

[{"selector":"#anim-e1eb0e0a-1087-4d40-ad37-1e6a02f69b90 [data-leaf-element=\"true\"]","keyframes":{"transform":["translate(1.2398970739013748e-12%, 0%) scale(1.5)","translate(0%, 0%) scale(1)"]},"delay":0,"duration":2000,"easing":"cubic-bezier(.3,0,.55,1)","fill":"forwards"}] [{"selector":"#anim-5c0beac1-7b37-4e86-802c-355984e23e72","keyframes":{"opacity":[0,1]},"delay":0,"duration":600,"easing":"cubic-bezier(0.2, 0.6, 0.0, 1)","fill":"both"}] [{"selector":"#anim-f6aa4326-a784-4316-933c-c9aef210a406","keyframes":{"transform":["translate3d(0px, 116.72056%, 0)","translate3d(0px, 0px, 0)"]},"delay":0,"duration":600,"easing":"cubic-bezier(0.2, 0.6, 0.0, 1)","fill":"both"}]

Using these permissions, attackers can read and write any files you have access to.

[{"selector":"#anim-030bf482-3c14-4023-be9e-bea7bb9e1217 [data-leaf-element=\"true\"]","keyframes":{"transform":["translate(1.2398970739013748e-12%, 0%) scale(1.5)","translate(0%, 0%) scale(1)"]},"delay":0,"duration":2000,"easing":"cubic-bezier(.3,0,.55,1)","fill":"forwards"}] [{"selector":"#anim-f2e7cb03-5974-4ea6-91ef-081b80f63ddc","keyframes":{"opacity":[0,1]},"delay":0,"duration":600,"easing":"cubic-bezier(0.2, 0.6, 0.0, 1)","fill":"both"}] [{"selector":"#anim-0e7b52ed-80fa-4a49-abc4-296653261a6d","keyframes":{"transform":["translate3d(0px, 119.03189%, 0)","translate3d(0px, 0px, 0)"]},"delay":0,"duration":600,"easing":"cubic-bezier(0.2, 0.6, 0.0, 1)","fill":"both"}]

Also, they got permission to send emails as you.

[{"selector":"#anim-ba75f849-2f2b-4394-a156-db4cf70004c7 [data-leaf-element=\"true\"]","keyframes":{"transform":["translate(1.2398970739013748e-12%, 0%) scale(1.5)","translate(0%, 0%) scale(1)"]},"delay":0,"duration":2000,"easing":"cubic-bezier(.3,0,.55,1)","fill":"forwards"}] [{"selector":"#anim-23444b63-4725-4910-bb36-3e0d15b58a54","keyframes":{"opacity":[0,1]},"delay":0,"duration":600,"easing":"cubic-bezier(0.2, 0.6, 0.0, 1)","fill":"both"}] [{"selector":"#anim-e002e70d-5df3-4fce-928d-7268a34d4833","keyframes":{"transform":["translate3d(0px, 160.31751%, 0)","translate3d(0px, 0px, 0)"]},"delay":0,"duration":600,"easing":"cubic-bezier(0.2, 0.6, 0.0, 1)","fill":"both"}]

In the final step, the attackers requested permission to set up a mail forwarding rule in your email settings.

[{"selector":"#anim-647cf9fe-e294-4492-b6f6-c590f900d864 [data-leaf-element=\"true\"]","keyframes":{"transform":["translate(1.2398970739013748e-12%, 0%) scale(1.5)","translate(0%, 0%) scale(1)"]},"delay":0,"duration":2000,"easing":"cubic-bezier(.3,0,.55,1)","fill":"forwards"}] [{"selector":"#anim-3711e58d-88c7-41d2-838a-40442bbdcb09","keyframes":{"opacity":[0,1]},"delay":0,"duration":600,"easing":"cubic-bezier(0.2, 0.6, 0.0, 1)","fill":"both"}] [{"selector":"#anim-e5df4929-7195-4f3a-abc3-5abcca73b905","keyframes":{"transform":["translate3d(0px, 130.01658%, 0)","translate3d(0px, 0px, 0)"]},"delay":0,"duration":600,"easing":"cubic-bezier(0.2, 0.6, 0.0, 1)","fill":"both"}]

It will forward all your emails to them directly without requiring them to log in.

[{"selector":"#anim-b1c86577-d0dd-4de9-8f18-557f00b9ac34 [data-leaf-element=\"true\"]","keyframes":{"transform":["translate(1.2398970739013748e-12%, 0%) scale(1.5)","translate(0%, 0%) scale(1)"]},"delay":0,"duration":2000,"easing":"cubic-bezier(.3,0,.55,1)","fill":"forwards"}] [{"selector":"#anim-9b19f897-36ef-4b40-9314-df7800f86bab","keyframes":{"opacity":[0,1]},"delay":0,"duration":600,"easing":"cubic-bezier(0.2, 0.6, 0.0, 1)","fill":"both"}] [{"selector":"#anim-00d3fbaf-45f2-4713-b5a4-6e59c388d36f","keyframes":{"transform":["translate3d(0px, 136.85373%, 0)","translate3d(0px, 0px, 0)"]},"delay":0,"duration":600,"easing":"cubic-bezier(0.2, 0.6, 0.0, 1)","fill":"both"}]

Attackers can continue doing this until you delete the 0Auth app underlying it.

[{"selector":"#anim-a603e75b-1dd7-4a76-b5c5-35b5f1952eb6 [data-leaf-element=\"true\"]","keyframes":{"transform":["translate(1.2398970739013748e-12%, 0%) scale(1.5)","translate(0%, 0%) scale(1)"]},"delay":0,"duration":2000,"easing":"cubic-bezier(.3,0,.55,1)","fill":"forwards"}] [{"selector":"#anim-cd59d56f-9b23-4fdb-b5cf-49f2f6474ce2","keyframes":{"opacity":[0,1]},"delay":0,"duration":600,"easing":"cubic-bezier(0.2, 0.6, 0.0, 1)","fill":"both"}] [{"selector":"#anim-a6afb7ee-4ba1-4852-9e82-92ed16ad0f24","keyframes":{"transform":["translate3d(0px, 127.66890%, 0)","translate3d(0px, 0px, 0)"]},"delay":0,"duration":600,"easing":"cubic-bezier(0.2, 0.6, 0.0, 1)","fill":"both"}]

So, think twice before granting access to any unknown app.

[{"selector":"#anim-867f23f5-d5dc-49ba-8e4b-326ab74e032a [data-leaf-element=\"true\"]","keyframes":{"transform":["translate(1.2398970739013748e-12%, 0%) scale(1.5)","translate(0%, 0%) scale(1)"]},"delay":0,"duration":2000,"easing":"cubic-bezier(.3,0,.55,1)","fill":"forwards"}] [{"selector":"#anim-dd82c3d7-950c-428a-8e8d-18d79f944000","keyframes":{"opacity":[0,1]},"delay":0,"duration":600,"easing":"cubic-bezier(0.2, 0.6, 0.0, 1)","fill":"both"}] [{"selector":"#anim-d30db862-f5e9-49ee-b2cb-8c24f7a72596","keyframes":{"transform":["translate3d(0px, 118.99336%, 0)","translate3d(0px, 0px, 0)"]},"delay":0,"duration":600,"easing":"cubic-bezier(0.2, 0.6, 0.0, 1)","fill":"both"}]

Share it

[{"selector":"#anim-5add6b81-ff52-477c-b8de-2cb6fc4e4608","keyframes":[{"transform":"scale(1)","offset":0},{"transform":"scale(1.5)","offset":0.33},{"transform":"scale(0.95)","offset":0.66},{"transform":"scale(1)","offset":1}],"delay":0,"duration":1450,"easing":"ease-in-out","fill":"both","iterations":1}] [{"selector":"#anim-bb4f31e1-0326-4fac-94f1-1f5b57ac738b","keyframes":{"opacity":[0,1]},"delay":0,"duration":600,"easing":"cubic-bezier(0.2, 0.6, 0.0, 1)","fill":"both"}] [{"selector":"#anim-db0df5fa-0fd0-4b2b-a61b-8b159491372d","keyframes":{"transform":["translate3d(-135.98327%, 0px, 0)","translate3d(0px, 0px, 0)"]},"delay":0,"duration":600,"easing":"cubic-bezier(0.2, 0.6, 0.0, 1)","fill":"both"}] [{"selector":"#anim-92ef63e4-b30b-49e1-9cc3-f86fad314470","keyframes":{"opacity":[0,1]},"delay":0,"duration":600,"easing":"cubic-bezier(0.2, 0.6, 0.0, 1)","fill":"both"}] [{"selector":"#anim-6f774627-161b-44cb-9d37-6789152913ab","keyframes":{"transform":["translate3d(135.98327%, 0px, 0)","translate3d(0px, 0px, 0)"]},"delay":0,"duration":600,"easing":"cubic-bezier(0.2, 0.6, 0.0, 1)","fill":"both"}] [{"selector":"#anim-3d84318f-35ea-456d-8692-3b2e00fb9057","keyframes":{"transform":["translate3d(-135.98327%, 0px, 0)","translate3d(0px, 0px, 0)"]},"delay":0,"duration":600,"easing":"cubic-bezier(0.4, 0.4, 0.0, 1)","fill":"both"}] [{"selector":"#anim-492b1215-d494-48b2-bcfd-e50a809606ad","keyframes":{"opacity":[0,1]},"delay":0,"duration":600,"easing":"cubic-bezier(0.4, 0.4, 0.0, 1)","fill":"both"}] [{"selector":"#anim-7a2fa5ff-e572-4a24-a097-ec20a5f20f1b","keyframes":{"transform":["scale(0.15)","scale(1)"]},"delay":0,"duration":600,"easing":"cubic-bezier(0.4, 0.4, 0.0, 1)","fill":"forwards"}] [{"selector":"#anim-6c57a2e0-19d2-4a93-b08d-7407814bd195","keyframes":{"transform":["translate3d(136.82008%, 0px, 0)","translate3d(0px, 0px, 0)"]},"delay":0,"duration":600,"easing":"cubic-bezier(0.4, 0.4, 0.0, 1)","fill":"both"}] [{"selector":"#anim-a69aee61-b7b0-4eb2-8667-cc11c507dc7d","keyframes":{"opacity":[0,1]},"delay":0,"duration":600,"easing":"cubic-bezier(0.4, 0.4, 0.0, 1)","fill":"both"}] [{"selector":"#anim-23c02bd4-69ff-4b9e-a36c-878ea56664ad","keyframes":{"transform":["scale(0.15)","scale(1)"]},"delay":0,"duration":600,"easing":"cubic-bezier(0.4, 0.4, 0.0, 1)","fill":"forwards"}] [{"selector":"#anim-9778f87d-f75a-4deb-9a58-af6e845d3111","keyframes":[{"transform":"scale(1)","offset":0},{"transform":"scale(1.5)","offset":0.33},{"transform":"scale(0.95)","offset":0.66},{"transform":"scale(1)","offset":1}],"delay":0,"duration":1450,"easing":"ease-in-out","fill":"both","iterations":1}] Arrow

A consent phishing scam tricked a user into granting access to their account to a malicious third-party app.

This technique is effective against users with strong passwords, multi-factor authentication, and even passwordless accounts.

The attacker first registers an OAuth 2.0 app with the target platform (e.g. Microsoft 365 or Google Workspace).

Depending on the platform, this may require minimal requirements.

Through phishing tactics, users are then lured into giving the app access to their accounts.

The user is then presented with a legitimate consent screen for the target platform.

Using these permissions, attackers can read and write any files you have access to.

Also, they got permission to send emails as you.

In the final step, the attackers requested permission to set up a mail forwarding rule in your email settings.

It will forward all your emails to them directly without requiring them to log in.

Attackers can continue doing this until you delete the 0Auth app underlying it.

So, think twice before granting access to any unknown app.

Share it

Share it

If you like

this, kindly

with your

Friends