
What is Consent Phishing?

Consent phishing is a technique that tricks a user into granting a malicious third-party app access to their account. Since this technique preys on users that are already logged in, it is effective against users with strong passwords, multi-factor authentication, or even passwordless setups. 

To execute a consent phishing attack, an attacker first registers an OAuth 2.0 app with the target platform (e.g. Microsoft 365 or Google Workspace). The requirements to do this vary from platform to platform, but they are often minimal. Users are then lured into granting the app access to their account using common phishing tactics, such as an invitation to edit an interesting-sounding document.

The user is then taken to a legitimate consent screen for the target platform (see examples below) detailing the access requested. If the user consents, the app is able to access their account as specified on the consent screen. The user is often then told something innocuous, like the invitation no longer exists, and they are unaware they have been compromised.

Figure: OAuth consent screens. Example consent screens for Google Workspace and Microsoft 365.

You can read a detailed description and walkthrough of a consent phishing attack in our blog.
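As an added example (not Push's own code), here is a defender-side check over the consent grants this attack produces: each OAuth consent-grant event is scored by the scopes granted, whether persistent (refresh-token) access was requested, and whether the app has been reviewed. The event fields and the approved-app list are constructed assumptions; the scope names are real Microsoft Graph and Google OAuth scopes.

```python
# Constructed sample of OAuth consent-grant events. Field names are an
# assumption for illustration, not the real M365 or Workspace audit schema.
SAMPLE_EVENTS = [
    {"user": "alice@example.com", "app_id": "known-crm-app", "app_name": "CRM Sync",
     "scopes": ["User.Read", "Mail.Read", "offline_access"]},
    {"user": "bob@example.com", "app_id": "app-7f3a", "app_name": "Shared Doc Viewer",
     "scopes": ["User.Read", "Mail.ReadWrite", "Files.ReadWrite.All", "offline_access"]},
    {"user": "carol@example.com", "app_id": "app-91c0", "app_name": "Quick Poll",
     "scopes": ["User.Read"]},
    {"user": "dave@example.com", "app_id": "app-2be4", "app_name": "Doc Invite",
     "scopes": ["https://www.googleapis.com/auth/gmail.readonly",
                "https://www.googleapis.com/auth/drive"]},
]
# Apps the organisation has reviewed and approved (constructed allowlist).
APPROVED_APPS = {"known-crm-app"}
# Scopes granting broad mailbox or file access. These are real Microsoft Graph
# and Google OAuth scope names, used here as examples of high-value grants.
HIGH_RISK_SCOPES = {
    "Mail.Read", "Mail.ReadWrite", "Mail.Send", "Files.Read.All", "Files.ReadWrite.All",
    "https://www.googleapis.com/auth/gmail.readonly",
    "https://www.googleapis.com/auth/gmail.modify",
    "https://www.googleapis.com/auth/drive",
}
# offline_access yields a refresh token, so access survives the phishing session.
PERSISTENT_SCOPES = {"offline_access"}

def score_grant(event, approved=APPROVED_APPS):
    """Score one grant: 1 per high-risk scope, 1 for persistence, 2 for an unreviewed app."""
    scopes = set(event["scopes"])
    risky = sorted(scopes & HIGH_RISK_SCOPES)
    persistent = bool(scopes & PERSISTENT_SCOPES)
    unknown_app = event["app_id"] not in approved
    reasons = []
    if risky:
        reasons.append("high-risk scopes: " + ", ".join(risky))
    if persistent:
        reasons.append("offline_access requested (persistent refresh token)")
    if unknown_app:
        reasons.append("app not on the approved list")
    return len(risky) + int(persistent) + (2 if unknown_app else 0), reasons

def flag_grants(events, threshold=3):
    """Return grants scoring at or above threshold, most suspicious first."""
    flagged = []
    for ev in events:
        score, reasons = score_grant(ev)
        if score >= threshold:
            flagged.append({"user": ev["user"], "app": ev["app_name"],
                            "score": score, "reasons": reasons})
    return sorted(flagged, key=lambda f: -f["score"])
```

Running `flag_grants(SAMPLE_EVENTS)` flags the two unreviewed apps that obtained mailbox or file access, while the approved CRM app and the low-scope poll app stay below the threshold.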
