{"id":5745,"date":"2026-06-24T08:41:48","date_gmt":"2026-06-24T08:41:48","guid":{"rendered":"https:\/\/adex.com\/blog\/?p=5745"},"modified":"2026-06-24T09:29:52","modified_gmt":"2026-06-24T09:29:52","slug":"oauth-consent-phishing-without-password","status":"publish","type":"post","link":"https:\/\/adex.com\/blog\/oauth-consent-phishing-without-password\/","title":{"rendered":"OAuth Consent Phishing: How Attackers Get Access Without Stealing Your Password"},"content":{"rendered":"\n<p>Most phishing attacks need something from you: your password, your one-time code, your credit card number. OAuth consent phishing skips all of that. The attacker ends up with access to your account, and you never typed a single credential into a fake page. You just clicked \u2018Allow.\u2019<\/p>\n\n\n\n<p>This article explains how the attack works, why it bypasses standard defenses, and what you can actually do about it \u2013 especially if you manage advertising accounts where a single compromised login can burn through a client&#8217;s budget before anyone notices.<\/p>\n\n\n<div class=\"toc\"><h4 class=\"toc__title\" id=\"contents\">Contents<\/h4><ul class=\"toc__list\"><li class=\"toc__list_item\"><a href=\"#what-oauth-consent-phishing-actually-is\">What OAuth Consent Phishing Actually Is<\/a><\/li><li class=\"toc__list_item\"><a href=\"#the-anatomy-of-a-fake-connect-with-google-flow\">The Anatomy of a Fake &quot;Connect With Google&quot; Flow<\/a><\/li><li class=\"toc__list_item\"><a href=\"#why-mfa-doesnt-stop-it\">Why MFA Doesn&#039;t Stop It<\/a><\/li><li class=\"toc__list_item\"><a href=\"#why-ad-accounts-are-disproportionately-high-value-targets\">Why Ad Accounts Are Disproportionately High-Value Targets<\/a><\/li><li class=\"toc__list_item\"><a href=\"#consentfix-and-how-the-attack-has-evolved\">ConsentFix and How the Attack Has Evolved<\/a><\/li><li class=\"toc__list_item\"><a href=\"#the-blast-radius-when-a-token-gets-issued\">The Blast Radius When a Token Gets 
Issued<\/a><\/li><li class=\"toc__list_item\"><a href=\"#detection-signals-how-to-tell-if-it-already-happened\">Detection Signals: How to Tell If It Already Happened<\/a><\/li><li class=\"toc__list_item\"><a href=\"#how-to-defend-your-accounts-against-consent-phishing\">How to Defend Your Accounts Against Consent Phishing<\/a><\/li><li class=\"toc__list_item\"><a href=\"#what-a-credential-reset-wont-fix\">What a Credential Reset Won&#039;t Fix<\/a><\/li><li class=\"toc__list_item\"><a href=\"#faq\">FAQ<\/a><\/li><li class=\"toc__list_item\"><a href=\"#the-access-you-never-meant-to-give\">The Access You Never Meant to Give<\/a><\/li><\/ul><\/div><style>\n.toc {}\n.toc__title {\n      font-size: 32px;\n    line-height: 40px;\n    font-weight: 700;\n}\n.toc__list_item {\n    color: #FE645A !important;\n}\n.toc__list_item:not(:last-child){\n    margin-bottom: 5px;\n}\n.toc__list_item a {\n    font-size: 18px;\n    line-height: 24px;\n    color: #FE645A;\n    font-weight: 600;\n}\n.toc__list_item a:hover {\n    text-decoration: underline;\n}\n@media (max-width: 1023px) {.toc__title {font-size: 24px;line-height: 32px;}}\n<\/style>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"key-takeaways\">Key Takeaways<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>OAuth consent phishing doesn&#8217;t steal your password. It gets you to authorize a malicious app through a real Google, Microsoft, or Facebook screen.<\/li>\n\n\n\n<li>MFA doesn&#8217;t stop it. The login step is skipped entirely.<\/li>\n\n\n\n<li>Resetting your password after the fact doesn&#8217;t revoke access. 
The attacker holds a token, not a credential.<\/li>\n\n\n\n<li>Ad accounts are high-value targets because they carry active budgets and client data.<\/li>\n\n\n\n<li>The defense requires auditing which apps have permission to your accounts, not just securing your login.<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"what-oauth-consent-phishing-actually-is\">What OAuth Consent Phishing Actually Is<\/h2>\n\n\n\n<p>When you click &#8220;Sign in with Google&#8221; on a third-party site, you are authorizing it to access specific parts of your Google account on your behalf \u2013 without giving your password. Google issues the site a token, which expires at some point, and you can revoke it from your Google account settings at any time. This is OAuth, the authorization standard that powers most &#8220;Connect with&#8230;&#8221; flows across the web.<\/p>\n\n\n\n<p>The attack exploits this mechanism.&nbsp;<\/p>\n\n\n\n<ul style=\"background-color:#d6d6d630\" class=\"wp-block-list has-background\">\n<li>An attacker registers a legitimate-looking app with Google, Microsoft, or another identity provider.<\/li>\n\n\n\n<li>The app requests access to useful things: your email, your calendar, your files, and your ad account.&nbsp;<\/li>\n\n\n\n<li>The attacker sends you a link that opens a real Google or Microsoft consent screen asking you to authorize this app.&nbsp;<\/li>\n\n\n\n<li>You approve it and Google issues the attacker&#8217;s app a valid access token.&nbsp;<\/li>\n\n\n\n<li>The attacker now has access to whatever you consented to, for as long as that token is valid.<\/li>\n<\/ul>\n\n\n\n<p>The consent screen you saw was genuine. 
The URL was google.com or <a href=\"http:\/\/login.microsoftonline.com\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">login.microsoftonline.com<\/a>, so there was nothing fake to spot.<\/p>\n\n\n\n<div class=\"adex-oauth-consent-block\" role=\"img\" aria-label=\"How OAuth consent phishing works across attacker, victim, and identity provider\">\n  <style>\n    .adex-oauth-consent-block,\n    .adex-oauth-consent-block * {\n      box-sizing: border-box;\n    }\n\n    .adex-oauth-consent-block {\n      width: 100%;\n      max-width: 980px;\n      margin: 28px 0;\n      padding: 32px 24px 36px;\n      background: #f7f9fc;\n      font-family: Inter, \"Segoe UI\", Arial, sans-serif;\n      color: #0b0f1c;\n      border-radius: 22px;\n    }\n\n    .adex-oauth-consent-block .aoc-header {\n      display: flex;\n      align-items: center;\n      gap: 10px;\n      margin-bottom: 30px;\n    }\n\n    .adex-oauth-consent-block .aoc-logo {\n      width: 26px;\n      height: 26px;\n      flex: 0 0 auto;\n    }\n\n    .adex-oauth-consent-block .aoc-title {\n      font-size: 17px;\n      line-height: 1.3;\n      font-weight: 700;\n      color: #0b0f1c;\n      letter-spacing: -0.01em;\n    }\n\n    .adex-oauth-consent-block .aoc-scroller {\n      width: 100%;\n      overflow: visible;\n    }\n\n    .adex-oauth-consent-block .aoc-grid {\n      display: grid;\n      grid-template-columns: minmax(0, 1fr) 28px minmax(0, 1fr) 28px minmax(0, 1fr);\n      width: 100%;\n      min-width: 0;\n      column-gap: 0;\n      row-gap: 0;\n      margin: 0 auto;\n    }\n\n    .adex-oauth-consent-block .aoc-lane-head {\n      padding: 10px 10px;\n      border-radius: 8px 8px 0 0;\n      font-size: 10px;\n      line-height: 1.25;\n      font-weight: 700;\n      letter-spacing: 0.07em;\n      text-transform: uppercase;\n      text-align: center;\n      border-bottom: 2px solid transparent;\n    }\n\n    .adex-oauth-consent-block .aoc-lane-head-red {\n      background: #fff0f2;\n      color: 
#e03355;\n      border-bottom-color: #ffbdca;\n    }\n\n    .adex-oauth-consent-block .aoc-lane-head-blue {\n      background: #f5f7ff;\n      color: #3b5bdb;\n      border-bottom-color: #c5d0ff;\n    }\n\n    .adex-oauth-consent-block .aoc-lane-head-teal {\n      background: #f0fffe;\n      color: #007a6e;\n      border-bottom-color: #00c9b8;\n    }\n\n    .adex-oauth-consent-block .aoc-lane-bg {\n      background: #ffffff;\n      border-left: 1px solid #dde3ee;\n      border-right: 1px solid #dde3ee;\n    }\n\n    .adex-oauth-consent-block .aoc-lane-bg-last {\n      border-bottom: 1px solid #dde3ee;\n      border-radius: 0 0 8px 8px;\n    }\n\n    .adex-oauth-consent-block .aoc-lane-bg-red {\n      background: #fffbfc;\n    }\n\n    .adex-oauth-consent-block .aoc-lane-bg-blue {\n      background: #fbfcff;\n    }\n\n    .adex-oauth-consent-block .aoc-lane-bg-teal {\n      background: #faffff;\n    }\n\n    .adex-oauth-consent-block .aoc-cell {\n      display: flex;\n      align-items: center;\n      justify-content: center;\n      min-height: 54px;\n      padding: 10px 6px;\n      min-width: 0;\n    }\n\n    .adex-oauth-consent-block .aoc-gap-cell {\n      display: flex;\n      align-items: center;\n      justify-content: center;\n      min-height: 54px;\n      min-width: 0;\n    }\n\n    .adex-oauth-consent-block .aoc-card {\n      width: 100%;\n      min-width: 0;\n      padding: 9px 9px;\n      border-radius: 8px;\n      border: 1px solid transparent;\n      text-align: center;\n    }\n\n    .adex-oauth-consent-block .aoc-card-red {\n      background: #fff0f2;\n      border-color: #ffbdca;\n    }\n\n    .adex-oauth-consent-block .aoc-card-blue {\n      background: #f5f7ff;\n      border-color: #c5d0ff;\n    }\n\n    .adex-oauth-consent-block .aoc-card-teal {\n      background: #f0fffe;\n      border-color: #b0ede8;\n    }\n\n    .adex-oauth-consent-block .aoc-card-teal-strong {\n      background: #e8fbf9;\n      border-color: #00c9b8;\n      box-shadow: 0 0 0 
3px rgba(0, 201, 184, 0.12);\n    }\n\n    .adex-oauth-consent-block .aoc-card-red-strong {\n      background: #fff0f2;\n      border-color: #e03355;\n      box-shadow: 0 0 0 3px rgba(224, 51, 85, 0.08);\n    }\n\n    .adex-oauth-consent-block .aoc-card-num {\n      display: inline-flex;\n      align-items: center;\n      justify-content: center;\n      width: 17px;\n      height: 17px;\n      margin-bottom: 5px;\n      border-radius: 50%;\n      font-size: 9px;\n      line-height: 1;\n      font-weight: 800;\n    }\n\n    .adex-oauth-consent-block .aoc-card-num-red {\n      background: #ffbdca;\n      color: #c02040;\n    }\n\n    .adex-oauth-consent-block .aoc-card-num-blue {\n      background: #c5d0ff;\n      color: #3b5bdb;\n    }\n\n    .adex-oauth-consent-block .aoc-card-num-teal {\n      background: #a5ede8;\n      color: #007a6e;\n    }\n\n    .adex-oauth-consent-block .aoc-card-text {\n      font-size: 11px;\n      line-height: 1.3;\n      font-weight: 600;\n      color: #0b0f1c;\n      overflow-wrap: anywhere;\n    }\n\n    .adex-oauth-consent-block .aoc-card-sub {\n      margin-top: 3px;\n      font-size: 10px;\n      line-height: 1.3;\n      color: #8896b3;\n      overflow-wrap: anywhere;\n    }\n\n    .adex-oauth-consent-block .aoc-badge {\n      display: inline-block;\n      max-width: 100%;\n      margin-top: 7px;\n      padding: 2px 7px;\n      border-radius: 20px;\n      font-size: 9px;\n      line-height: 1.4;\n      font-weight: 600;\n      letter-spacing: 0.02em;\n      overflow-wrap: anywhere;\n    }\n\n    .adex-oauth-consent-block .aoc-badge-teal {\n      background: rgba(0, 201, 184, 0.15);\n      color: #007a6e;\n    }\n\n    .adex-oauth-consent-block .aoc-badge-red {\n      background: rgba(224, 51, 85, 0.1);\n      color: #c02040;\n    }\n\n    .adex-oauth-consent-block .aoc-arrow {\n      width: 24px;\n      height: 18px;\n    }\n\n    .adex-oauth-consent-block .aoc-arrow-muted path {\n      stroke: #dde3ee;\n    }\n\n    
.adex-oauth-consent-block .aoc-arrow-red path {\n      stroke: #ffbdca;\n    }\n\n    .adex-oauth-consent-block .aoc-arrow-blue path {\n      stroke: #c5d0ff;\n    }\n\n    .adex-oauth-consent-block .aoc-arrow-teal path {\n      stroke: #a5ede8;\n    }\n\n    .adex-oauth-consent-block .aoc-legend {\n      display: flex;\n      flex-wrap: wrap;\n      align-items: center;\n      gap: 18px;\n      width: 100%;\n      margin: 24px auto 0;\n      padding-top: 16px;\n      border-top: 1px solid #dde3ee;\n    }\n\n    .adex-oauth-consent-block .aoc-legend-item {\n      display: flex;\n      align-items: center;\n      gap: 6px;\n      font-size: 11px;\n      line-height: 1.3;\n      color: #8896b3;\n    }\n\n    .adex-oauth-consent-block .aoc-dot {\n      width: 8px;\n      height: 8px;\n      border-radius: 50%;\n      flex: 0 0 auto;\n    }\n\n    .adex-oauth-consent-block .aoc-dot-red {\n      background: #e03355;\n    }\n\n    .adex-oauth-consent-block .aoc-dot-blue {\n      background: #3b5bdb;\n    }\n\n    .adex-oauth-consent-block .aoc-dot-teal {\n      background: #00c9b8;\n    }\n\n    .adex-oauth-consent-block .aoc-brand-tag {\n      margin-left: auto;\n      font-size: 10px;\n      line-height: 1.3;\n      letter-spacing: 0.05em;\n      color: #c5cdd9;\n      text-transform: lowercase;\n    }\n\n    @media (max-width: 760px) {\n      .adex-oauth-consent-block {\n        padding: 28px 18px 32px;\n        border-radius: 18px;\n      }\n\n      .adex-oauth-consent-block .aoc-header {\n        margin-bottom: 24px;\n      }\n\n      .adex-oauth-consent-block .aoc-title {\n        font-size: 16px;\n      }\n\n      .adex-oauth-consent-block .aoc-grid {\n        grid-template-columns: minmax(0, 1fr) 22px minmax(0, 1fr) 22px minmax(0, 1fr);\n      }\n\n      .adex-oauth-consent-block .aoc-cell {\n        padding: 8px 5px;\n      }\n\n      .adex-oauth-consent-block .aoc-card {\n        padding: 8px 7px;\n      }\n\n      .adex-oauth-consent-block .aoc-card-text {\n   
     font-size: 10px;\n      }\n\n      .adex-oauth-consent-block .aoc-card-sub {\n        font-size: 9px;\n      }\n\n      .adex-oauth-consent-block .aoc-badge {\n        font-size: 8px;\n        padding: 2px 6px;\n      }\n\n      .adex-oauth-consent-block .aoc-arrow {\n        width: 20px;\n      }\n    }\n\n    @media (max-width: 520px) {\n      .adex-oauth-consent-block {\n        padding: 24px 14px 28px;\n      }\n\n      .adex-oauth-consent-block .aoc-grid {\n        grid-template-columns: minmax(0, 1fr);\n        gap: 8px;\n      }\n\n      .adex-oauth-consent-block .aoc-lane-head,\n      .adex-oauth-consent-block .aoc-gap-cell,\n      .adex-oauth-consent-block .aoc-cell:empty {\n        display: none;\n      }\n\n      .adex-oauth-consent-block .aoc-cell {\n        min-height: 0;\n        padding: 0;\n        border: 0;\n        background: transparent;\n      }\n\n      .adex-oauth-consent-block .aoc-lane-bg-last {\n        border-radius: 0;\n      }\n\n      .adex-oauth-consent-block .aoc-card {\n        padding: 11px 12px;\n      }\n\n      .adex-oauth-consent-block .aoc-card-text {\n        font-size: 12px;\n      }\n\n      .adex-oauth-consent-block .aoc-card-sub {\n        font-size: 10px;\n      }\n\n      .adex-oauth-consent-block .aoc-badge {\n        font-size: 9px;\n      }\n\n      .adex-oauth-consent-block .aoc-brand-tag {\n        width: 100%;\n        margin-left: 0;\n      }\n    }\n  <\/style>\n\n  <div class=\"aoc-header\">\n    <svg class=\"aoc-logo\" viewBox=\"0 0 34 40\" fill=\"none\" aria-hidden=\"true\">\n      <path d=\"M5.31 32.14L17.23 39l11.92-6.87L17.23 20 5.31 32.14ZM4.57 28.5l10.36-10.84-2.77-2.84L4.57 28.5ZM19.55 17.62l10.33 10.88-5.91-10.47 2.47-2.51 7.15 14.04.85-.5V9.19l-4.23-2.45L19.55 17.62ZM15.93 0L0 9.19V29.06l.85.5 10.44-19.48 5.96 6.15 3.32-3.47L17.23 5.48l-1.65 3.01-2.62-2.69L15.93 0ZM18.53 0l4.64 9.08 3.97-4.12L18.53 0Z\" fill=\"#00C9B8\"><\/path>\n    <\/svg>\n\n    <div class=\"aoc-title\">How OAuth Consent 
Phishing Works<\/div>\n  <\/div>\n\n  <div class=\"aoc-scroller\">\n    <div class=\"aoc-grid\">\n      <div class=\"aoc-lane-head aoc-lane-head-red\">Attacker<\/div>\n      <div><\/div>\n      <div class=\"aoc-lane-head aoc-lane-head-blue\">Victim<\/div>\n      <div><\/div>\n      <div class=\"aoc-lane-head aoc-lane-head-teal\">Identity Provider<\/div>\n\n      <div class=\"aoc-cell aoc-lane-bg aoc-lane-bg-red\">\n        <div class=\"aoc-card aoc-card-red\">\n          <div class=\"aoc-card-num aoc-card-num-red\">1<\/div>\n          <div class=\"aoc-card-text\">Registers malicious app<\/div>\n          <div class=\"aoc-card-sub\">requests access to email, files, ad accounts<\/div>\n        <\/div>\n      <\/div>\n\n      <div class=\"aoc-gap-cell\">\n        <svg class=\"aoc-arrow aoc-arrow-muted\" viewBox=\"0 0 36 20\" fill=\"none\" aria-hidden=\"true\">\n          <path d=\"M4 10h28M26 5l6 5-6 5\" stroke-width=\"1.5\" stroke-linecap=\"round\" stroke-linejoin=\"round\"><\/path>\n        <\/svg>\n      <\/div>\n\n      <div class=\"aoc-cell aoc-lane-bg aoc-lane-bg-blue\"><\/div>\n\n      <div class=\"aoc-gap-cell\">\n        <svg class=\"aoc-arrow aoc-arrow-muted\" viewBox=\"0 0 36 20\" fill=\"none\" aria-hidden=\"true\">\n          <path d=\"M4 10h28M26 5l6 5-6 5\" stroke-width=\"1.5\" stroke-linecap=\"round\" stroke-linejoin=\"round\"><\/path>\n        <\/svg>\n      <\/div>\n\n      <div class=\"aoc-cell aoc-lane-bg aoc-lane-bg-teal\">\n        <div class=\"aoc-card aoc-card-teal\">\n          <div class=\"aoc-card-text\">Approves app registration<\/div>\n        <\/div>\n      <\/div>\n\n      <div class=\"aoc-cell aoc-lane-bg aoc-lane-bg-red\">\n        <div class=\"aoc-card aoc-card-red\">\n          <div class=\"aoc-card-num aoc-card-num-red\">2<\/div>\n          <div class=\"aoc-card-text\">Sends phishing lure<\/div>\n          <div class=\"aoc-card-sub\">&#8220;Reconnect your integration&#8221;<\/div>\n        <\/div>\n      <\/div>\n\n      <div 
class=\"aoc-gap-cell\">\n        <svg class=\"aoc-arrow aoc-arrow-red\" viewBox=\"0 0 36 20\" fill=\"none\" aria-hidden=\"true\">\n          <path d=\"M4 10h28M26 5l6 5-6 5\" stroke-width=\"1.5\" stroke-linecap=\"round\" stroke-linejoin=\"round\"><\/path>\n        <\/svg>\n      <\/div>\n\n      <div class=\"aoc-cell aoc-lane-bg aoc-lane-bg-blue\">\n        <div class=\"aoc-card aoc-card-blue\">\n          <div class=\"aoc-card-text\">Receives the lure<\/div>\n        <\/div>\n      <\/div>\n\n      <div class=\"aoc-gap-cell\"><\/div>\n      <div class=\"aoc-cell aoc-lane-bg aoc-lane-bg-teal\"><\/div>\n\n      <div class=\"aoc-cell aoc-lane-bg aoc-lane-bg-red\"><\/div>\n      <div class=\"aoc-gap-cell\"><\/div>\n\n      <div class=\"aoc-cell aoc-lane-bg aoc-lane-bg-blue\">\n        <div class=\"aoc-card aoc-card-teal-strong\">\n          <div class=\"aoc-card-num aoc-card-num-teal\">3<\/div>\n          <div class=\"aoc-card-text\">Sees real consent screen<\/div>\n          <div class=\"aoc-badge aoc-badge-teal\">This is the real Google UI<\/div>\n        <\/div>\n      <\/div>\n\n      <div class=\"aoc-gap-cell\">\n        <svg class=\"aoc-arrow aoc-arrow-teal\" viewBox=\"0 0 36 20\" fill=\"none\" aria-hidden=\"true\">\n          <path d=\"M32 10H4M10 5l-6 5 6 5\" stroke-width=\"1.5\" stroke-linecap=\"round\" stroke-linejoin=\"round\"><\/path>\n        <\/svg>\n      <\/div>\n\n      <div class=\"aoc-cell aoc-lane-bg aoc-lane-bg-teal\">\n        <div class=\"aoc-card aoc-card-teal\">\n          <div class=\"aoc-card-text\">Serves legitimate OAuth screen<\/div>\n        <\/div>\n      <\/div>\n\n      <div class=\"aoc-cell aoc-lane-bg aoc-lane-bg-red\"><\/div>\n      <div class=\"aoc-gap-cell\"><\/div>\n\n      <div class=\"aoc-cell aoc-lane-bg aoc-lane-bg-blue\">\n        <div class=\"aoc-card aoc-card-blue\">\n          <div class=\"aoc-card-num aoc-card-num-blue\">4<\/div>\n          <div class=\"aoc-card-text\">Clicks &#8220;Allow&#8221;<\/div>\n          <div 
class=\"aoc-card-sub\">No password. One click.<\/div>\n        <\/div>\n      <\/div>\n\n      <div class=\"aoc-gap-cell\">\n        <svg class=\"aoc-arrow aoc-arrow-blue\" viewBox=\"0 0 36 20\" fill=\"none\" aria-hidden=\"true\">\n          <path d=\"M4 10h28M26 5l6 5-6 5\" stroke-width=\"1.5\" stroke-linecap=\"round\" stroke-linejoin=\"round\"><\/path>\n        <\/svg>\n      <\/div>\n\n      <div class=\"aoc-cell aoc-lane-bg aoc-lane-bg-teal\">\n        <div class=\"aoc-card aoc-card-teal\">\n          <div class=\"aoc-card-text\">Receives authorization grant<\/div>\n        <\/div>\n      <\/div>\n\n      <div class=\"aoc-cell aoc-lane-bg aoc-lane-bg-red aoc-lane-bg-last\">\n        <div class=\"aoc-card aoc-card-red-strong\">\n          <div class=\"aoc-card-num aoc-card-num-red\">5<\/div>\n          <div class=\"aoc-card-text\">Gets valid access token<\/div>\n          <div class=\"aoc-badge aoc-badge-red\">Persists after password reset<\/div>\n        <\/div>\n      <\/div>\n\n      <div class=\"aoc-gap-cell\">\n        <svg class=\"aoc-arrow aoc-arrow-teal\" viewBox=\"0 0 36 20\" fill=\"none\" aria-hidden=\"true\">\n          <path d=\"M32 10H4M10 5l-6 5 6 5\" stroke-width=\"1.5\" stroke-linecap=\"round\" stroke-linejoin=\"round\"><\/path>\n        <\/svg>\n      <\/div>\n\n      <div class=\"aoc-cell aoc-lane-bg aoc-lane-bg-blue aoc-lane-bg-last\"><\/div>\n      <div class=\"aoc-gap-cell\"><\/div>\n\n      <div class=\"aoc-cell aoc-lane-bg aoc-lane-bg-teal aoc-lane-bg-last\">\n        <div class=\"aoc-card aoc-card-teal\">\n          <div class=\"aoc-card-text\">Issues token to attacker&#8217;s app<\/div>\n        <\/div>\n      <\/div>\n    <\/div>\n  <\/div>\n\n  <div class=\"aoc-legend\">\n    <div class=\"aoc-legend-item\">\n      <span class=\"aoc-dot aoc-dot-red\"><\/span>\n      <span>Attacker<\/span>\n    <\/div>\n\n    <div class=\"aoc-legend-item\">\n      <span class=\"aoc-dot aoc-dot-blue\"><\/span>\n      <span>Victim<\/span>\n    <\/div>\n\n  
  <div class=\"aoc-legend-item\">\n      <span class=\"aoc-dot aoc-dot-teal\"><\/span>\n      <span>Identity Provider<\/span>\n    <\/div>\n\n    <div class=\"aoc-brand-tag\">adex.com<\/div>\n  <\/div>\n<\/div>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"the-anatomy-of-a-fake-connect-with-google-flow\">The Anatomy of a Fake &#8220;Connect With Google&#8221; Flow<\/h2>\n\n\n\n<p>The attack typically starts with a convincing lure. It might arrive as an email claiming a tool you already use needs to reconnect its integration, a message saying your account needs verification through a partner service, or an invitation to a shared workspace that requires authorization. The framing varies, but the goal is always the same: get you to a consent screen and click &#8220;Allow.&#8221;<\/p>\n\n\n\n<p>Adex flagged a structurally similar mechanism in Telegram campaigns last year: attackers disguised a credential-collection step as a routine phone number confirmation, and most victims had no reason to suspect anything unusual at the point they were being exploited.&nbsp;<\/p>\n\n\n<div class=\"block__preview\">\n        <a href=\"https:\/\/adex.com\/blog\/phishing-alert-telegram-fraud\/\" class=\"block__preview_img\"><img src=\"https:\/\/adex.com\/blog\/wp-content\/uploads\/2025\/07\/Adex-Telegram-fraud-account-hijacking.png\" srcset=\"https:\/\/adex.com\/blog\/wp-content\/uploads\/2025\/07\/Adex-Telegram-fraud-account-hijacking.png\" sizes=\"100vw\" alt=\"Adex-Telegram-fraud-account-hijacking\" decoding=\"async\" class=\"lazy\"><\/a>\n    <div class=\"block__preview_box\">\n        <a href=\"https:\/\/adex.com\/blog\/category\/current_risks\/\" class=\"block__preview_box-cat\">Current risks<\/a>        <h3 class=\"block__preview_box-title\" id=\"phishing-scam-alert-telegram-fraud-and-account-hijacking-prevented\"><a href=\"https:\/\/adex.com\/blog\/phishing-alert-telegram-fraud\/\">[Phishing Scam Alert] Telegram 
Fraud and Account Hijacking Prevented<\/a><\/h3>\n    <\/div>\n<\/div>\n<style>\n.block__preview {display: flex;align-items: center;justify-content: center; margin: 32px 0;}\n.block__preview a {text-decoration: none;}\n.block__preview_img {min-width: 360px;max-width: 360px;min-height: 188px;width: 100%;height: 100%;}\n.block__preview_img img {width: 100%;height: 100%;}\n.block__preview_box {margin-left: 40px;max-width: 360px;}\n.block__preview_box-cat {color: #00B8A7 !important;font-weight: 600;font-size: 12px;line-height: 16px;text-transform: uppercase; display: block; margin-bottom: 4px;}\n.block__preview_box-cat:hover {color: #FE645A !important; text-decoration: none !important;}\n.block__preview_box-title {font-size: 20px;font-weight: 700;line-height: 24px;color: #0B172D;}\n.block__preview_box-title a {color: #0B172D !important;}\n.block__preview_box-title a:hover {color: #FE645A !important;}\n@media screen and (max-width: 768px) {.block__preview {flex-direction: column;}.block__preview_box {max-width: 100%; margin-top: 32px;margin-left: 0px;}.block__preview_img {max-width: 100%;min-width: 100%;min-height: 100%;}}<\/style>\n\n\n\n<p>The pattern is consistent across these attacks. The moment of compromise looks like a normal step in a normal process.<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"why-mfa-doesnt-stop-it\">Why MFA Doesn&#8217;t Stop It<\/h2>\n\n\n\n<p>Multi-factor authentication works by adding a second verification step to the login process. If an attacker has your password, they still need your phone. That&#8217;s the model, and it works well against password-based attacks.<\/p>\n\n\n\n<p>OAuth consent phishing sidesteps the login process entirely. The attacker&#8217;s app never tries to log in as you. It requests access through you, while you are already logged in. 
Your MFA status is irrelevant because your credentials are never in play.<\/p>\n\n\n<div class=\"block__bord\"><div class=\"block__bord_desc\"><p>This is the part that catches most teams off guard. The security awareness training says: enable MFA, and you&#8217;re protected against phishing. That is true for credential phishing. For consent phishing, the protection model is different, and most organizations haven&#8217;t caught up to that yet.<\/p>\n<\/div><\/div>\n<style>\n.block__bord { margin: 32px 0; padding: 1.25em 2.375em;\tborder-radius: 24px; background: rgba(0, 220, 200, 0.20); }\n.block__bord_desc {font-size: 16px !important;font-weight: 400 !important;color: #606060 !important;}\n<\/style>\n\n\n\n<p>In many OAuth-based phishing attacks, the attacker&#8217;s goal is not to steal a password but to obtain an access token by convincing a user to grant permissions to a malicious application. As the <a href=\"https:\/\/adex.com\/blog\/human-factor-cybersecurity\/\" target=\"_blank\" rel=\"noreferrer noopener\">Adex analysis of the human factor in cybersecurity<\/a> notes, technology alone is not enough to stop social engineering attacks, which often rely on manipulating human judgment.<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"why-ad-accounts-are-disproportionately-high-value-targets\">Why Ad Accounts Are Disproportionately High-Value Targets<\/h2>\n\n\n\n<p>A compromised Google Ads or Meta account gives an attacker something valuable immediately: an active billing instrument tied to real budgets. The attacker can run their own campaigns on your credit, drive traffic to their own offers, or sell the access to someone else. The harm is direct and fast.<\/p>\n\n\n\n<p>Agencies and media buyers often have access to multiple client accounts under a single login or through management accounts. One successful consent grant can expose the entire portfolio. 
Unlike a breach that leaks a database of hashed passwords, this attack delivers a working session that the attacker can use right now.<\/p>\n\n\n\n<p>The ad industry also runs on integrations. Reporting tools, analytics platforms, audience management software, automation layers: each of these typically requests OAuth access to your ad accounts when you connect them. That means most accounts in active use already have a list of authorized apps. Adding one more doesn&#8217;t look suspicious from the outside.<\/p>\n\n\n<div class=\"block__preview\">\n        <a href=\"https:\/\/adex.com\/blog\/triada-malvertising-case-study\/\" class=\"block__preview_img\"><img src=\"https:\/\/adex.com\/blog\/wp-content\/uploads\/2025\/12\/adex-investigarion-triada-infected-campaigns.png\" srcset=\"https:\/\/adex.com\/blog\/wp-content\/uploads\/2025\/12\/adex-investigarion-triada-infected-campaigns.png\" sizes=\"100vw\" alt=\"adex-investigation-triada-infected-campaigns\" decoding=\"async\" class=\"lazy\"><\/a>\n    <div class=\"block__preview_box\">\n        <a href=\"https:\/\/adex.com\/blog\/category\/current_risks\/\" class=\"block__preview_box-cat\">Current risks<\/a>        <h3 class=\"block__preview_box-title\" id=\"inside-the-triada-battle-a-five-year-investigation-and-the-security-upgrades-it-triggered\"><a href=\"https:\/\/adex.com\/blog\/triada-malvertising-case-study\/\">Inside the Triada Battle: A Five-Year Investigation and the Security Upgrades It Triggered<\/a><\/h3>\n    <\/div>\n<\/div>\n<style>\n.block__preview {display: flex;align-items: center;justify-content: center; margin: 32px 0;}\n.block__preview a {text-decoration: none;}\n.block__preview_img {min-width: 360px;max-width: 360px;min-height: 188px;width: 100%;height: 100%;}\n.block__preview_img img {width: 100%;height: 100%;}\n.block__preview_box {margin-left: 40px;max-width: 360px;}\n.block__preview_box-cat {color: #00B8A7 !important;font-weight: 600;font-size: 12px;line-height: 16px;text-transform: uppercase; 
display: block; margin-bottom: 4px;}\n.block__preview_box-cat:hover {color: #FE645A !important; text-decoration: none !important;}\n.block__preview_box-title {font-size: 20px;font-weight: 700;line-height: 24px;color: #0B172D;}\n.block__preview_box-title a {color: #0B172D !important;}\n.block__preview_box-title a:hover {color: #FE645A !important;}\n@media screen and (max-width: 768px) {.block__preview {flex-direction: column;}.block__preview_box {max-width: 100%; margin-top: 32px;margin-left: 0px;}.block__preview_img {max-width: 100%;min-width: 100%;min-height: 100%;}}<\/style>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"consentfix-and-how-the-attack-has-evolved\">ConsentFix and How the Attack Has Evolved<\/h2>\n\n\n\n<p>The attack is getting easier to execute and harder to catch. In December 2025, Push Security documented <a href=\"https:\/\/pushsecurity.com\/blog\/consentfix\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">ConsentFix<\/a>, a variant that combines OAuth consent phishing with a ClickFix-style browser prompt. The victim is instructed to paste a URL directly into their browser&#8217;s address bar, which initiates the OAuth authorization flow. The technique bypasses many email security filters because there&#8217;s no malicious link in the email itself.<\/p>\n\n\n\n<p>The same year, Proofpoint documented <a href=\"https:\/\/www.proofpoint.com\/us\/blog\/threat-insight\/access-granted-phishing-device-code-authorization-account-takeover\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">multiple device-code phishing campaigns<\/a> targeting Microsoft 365 accounts at scale. The device-code flow is a legitimate OAuth feature designed for devices that can&#8217;t open a browser. Attackers weaponized it to generate authorization codes that victims unknowingly approve. 
One campaign affected over 900 tenants and 3,000 user accounts; another created 17,000 malicious apps and sent over 927,000 messages as part of the same infrastructure push.<\/p>\n\n\n<div class=\"block__bord\"><div class=\"block__bord_desc\"><p>Automated toolkits now handle most of the infrastructure work. An attacker doesn&#8217;t need to understand OAuth to run one of these campaigns. They need a kit, a target list, and a convincing pretext. That accessibility is part of why incident volume has been rising through 2025 and 2026.<\/p>\n<\/div><\/div>\n<style>\n.block__bord { margin: 32px 0; padding: 1.25em 2.375em;\tborder-radius: 24px; background: rgba(0, 220, 200, 0.20); }\n.block__bord_desc {font-size: 16px !important;font-weight: 400 !important;color: #606060 !important;}\n<\/style>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"the-blast-radius-when-a-token-gets-issued\">The Blast Radius When a Token Gets Issued<\/h2>\n\n\n\n<p>The scope of what an attacker can do depends on what permissions you granted. 
Most consent phishing attempts request broad access because users are unlikely to read the permission list carefully before clicking Allow.<\/p>\n\n\n\n<figure class=\"wp-block-table\"><table class=\"has-fixed-layout\"><thead><tr><th><strong>Dimension<\/strong><\/th><th><strong>Traditional Credential Phishing<\/strong><\/th><th><strong>OAuth Consent Phishing<\/strong><\/th><\/tr><\/thead><tbody><tr><td>What is obtained<\/td><td>Password + MFA code<\/td><td>Nothing stolen &#8211; a permission is granted<\/td><\/tr><tr><td>MFA stops it<\/td><td>Yes<\/td><td>No<\/td><\/tr><tr><td>Password reset fixes it<\/td><td>Yes<\/td><td>No &#8211; token persists independently<\/td><\/tr><tr><td>Visible login anomaly<\/td><td>Often (unfamiliar device or location)<\/td><td>Often not &#8211; attacker uses token API calls, not interactive login<\/td><\/tr><tr><td>Detection method<\/td><td>Login logs<\/td><td>Connected app audit<\/td><\/tr><tr><td>Remediation<\/td><td>Change password, revoke sessions<\/td><td>Revoke app access, audit all connected apps<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<p>With access to your Google Ads account, an attacker can create and run campaigns, modify existing ones, adjust budgets, add new payment methods, and export audience data. With access to your email, they can monitor correspondence, intercept verification codes, and impersonate you to partners. <a href=\"https:\/\/thehackernews.com\/2026\/05\/the-new-phishing-click-how-oauth.html\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">The Hacker News reported in May 2026<\/a> on a breach involving OAuth token abuse that spread across 700+ Salesforce tenants through legitimately approved connections.<\/p>\n\n\n\n<p>The access can persist for weeks or months if the token isn&#8217;t revoked and the app isn&#8217;t audited out. Many tokens are issued with long lifetimes or refresh automatically. 
The attacker doesn&#8217;t need to stay active to maintain access.<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"detection-signals-how-to-tell-if-it-already-happened\">Detection Signals: How to Tell If It Already Happened<\/h2>\n\n\n\n<p>Many organizations find out late, because the attack leaves different footprints than a credential breach. There are no failed login attempts or unfamiliar IPs trying to authenticate. The attacker&#8217;s calls come through a token that your identity provider recognizes as legitimate.<\/p>\n\n\n\n<p>What you can actually check:<\/p>\n\n\n\n<p class=\"has-background\" style=\"background-color:#d6d6d630\"><strong>Go to your Google account&#8217;s connected apps at <\/strong><a href=\"http:\/\/myaccount.google.com\/permissions\" target=\"_blank\" rel=\"noreferrer noopener nofollow\"><strong>myaccount.google.com\/permissions<\/strong><\/a><strong>.&nbsp; Look for anything you don&#8217;t recognize or don&#8217;t remember authorizing. Check when it was connected and what permissions it has. Do the same in Microsoft&#8217;s My Apps at myapps.microsoft.com, and in Meta&#8217;s Business Integrations settings if you run Facebook campaigns.<\/strong><\/p>\n\n\n\n<p>For Microsoft 365, Microsoft provides guidance on <a href=\"https:\/\/learn.microsoft.com\/en-us\/defender-office-365\/detect-and-remediate-illicit-consent-grants\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">detecting and remediating illicit consent grants<\/a> through the audit log in the Microsoft Defender portal. The relevant activity to search is &#8220;Consent to application.&#8221; If IsAdminConsent shows as True for an app you don&#8217;t recognize, investigate further.<\/p>\n\n\n\n<p>Review apps that have &#8220;read and write&#8221; or &#8220;all&#8221; permissions to your email or ad accounts. 
Those are the ones worth scrutinizing first.<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"how-to-defend-your-accounts-against-consent-phishing\">How to Defend Your Accounts Against Consent Phishing<\/h2>\n\n\n\n<p>Securing the login is necessary, but it&#8217;s not the full picture. You also need to manage what&#8217;s authorized for your accounts after the login.<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Slow down at OAuth consent screens.<\/strong> Before you click Allow, read what the app is requesting access to. &#8220;Read your email and manage your calendar&#8221; for a tool that&#8217;s supposed to show you ad reports is a warning sign. Legitimate integrations request only what they need.<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Audit connected apps on a schedule.<\/strong> Once a quarter, go through the authorized apps on your Google, Microsoft, and Meta accounts. Revoke anything you don&#8217;t actively use. This is especially important for accounts that have been through agency handoffs, team changes, or tool migrations, where old authorizations accumulate.<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Use admin consent policies where available.<\/strong> Microsoft Entra ID lets administrators configure managed consent policies that restrict which apps users can authorize. Starting July 2025, Microsoft began enabling this by default, requiring admin approval for third-party apps accessing files and sites. If you&#8217;re managing an organization&#8217;s Microsoft environment, verifying this policy is active is a concrete step.<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Be specific about permission scope when you connect tools.<\/strong> Some platforms let you choose what access level to grant during the OAuth flow. 
Choose the narrowest scope that lets the integration work.<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Train the team on what a consent screen actually is.<\/strong> Most people understand &#8220;don&#8217;t enter your password on a fake site.&#8221; Fewer understand that clicking Allow on a real site can still hand over access. The difference matters, and it&#8217;s worth five minutes in a team meeting.<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"what-a-credential-reset-wont-fix\">What a Credential Reset Won&#8217;t Fix<\/h2>\n\n\n\n<p>If your account gets compromised through a consent grant, resetting your password removes the attacker&#8217;s ability to log in with your credentials. It does nothing about the token. The attacker&#8217;s app still has whatever access you granted, because the token was issued by the identity provider directly and exists independently of your password.<\/p>\n\n\n\n<p>This is the operational detail that incident response scripts often miss. The correct remediation is to find and revoke the app&#8217;s access, then audit whether any actions were taken during the access window: campaigns modified, budgets adjusted, data exported, and new users added.<\/p>\n\n\n\n<p>Password rotation is still worth doing as a parallel step. But if it&#8217;s the only step, the access gap stays open.<\/p>\n\n\n\n<p>The same limit applies to MFA resets, session revocations, and device trust changes. None of those touch the token. 
The app access has to be revoked directly.<\/p>\n\n\n<div class=\"block__bord\"><div class=\"block__bord_desc\"><p>From a security operations standpoint, this is one of the most common gaps noticed after an account compromise is reported: the team resets credentials, confirms no unfamiliar logins, closes the ticket, and considers it resolved. The app that was authorized during the attack is still there, but just isn&#8217;t making noise yet.<\/p>\n<\/div><\/div>\n<style>\n.block__bord { margin: 32px 0; padding: 1.25em 2.375em;\tborder-radius: 24px; background: rgba(0, 220, 200, 0.20); }\n.block__bord_desc {font-size: 16px !important;font-weight: 400 !important;color: #606060 !important;}\n<\/style>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"faq\">FAQ<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"what-is-an-oauth-consent-screen\">What is an OAuth consent screen?<\/h3>\n\n\n\n<p>It&#8217;s the page a real identity provider (Google, Microsoft, Meta) shows you when an app requests permission to access your account. It lists what the app wants to access and asks you to approve or deny. The screen itself is genuine: the URL belongs to the identity provider, the design is official. The malicious element is the app on the other side of the authorization, not the screen you&#8217;re looking at.<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"how-is-this-different-from-a-regular-phishing-page\">How is this different from a regular phishing page?<\/h3>\n\n\n\n<p>A regular phishing page is a fake that copies the look of a login screen to steal your credentials. OAuth consent phishing uses the real login infrastructure. You&#8217;re interacting with Google or Microsoft directly. 
The risk is in what you&#8217;re consenting to, not in where you&#8217;re typing.<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"can-two-factor-authentication-protect-me\">Can two-factor authentication protect me?<\/h3>\n\n\n\n<p>Against credential theft, yes. Against consent phishing, no. The attack doesn&#8217;t need your password or your second factor. It only needs you to click Allow on the consent screen. MFA secures the login step; consent phishing bypasses the login step entirely.<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"how-do-i-revoke-a-suspicious-apps-access\">How do I revoke a suspicious app&#8217;s access?<\/h3>\n\n\n\n<p>For Google: go to myaccount.google.com\/permissions, find the app, and click &#8220;Remove Access.&#8221; For Microsoft: go to myapps.microsoft.com or use the Microsoft Entra admin center. For Meta: go to Settings, then Security and Login, then Apps and Websites. Revoking access removes the token and ends the app&#8217;s ability to make calls on your behalf.<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"why-would-an-attacker-want-access-to-an-ad-account-specifically\">Why would an attacker want access to an ad account specifically?<\/h3>\n\n\n\n<p>Ad accounts have active billing instruments and often manage significant budgets. An attacker can run their own campaigns at your expense, redirect traffic, or resell the access. 
Accounts connected to agency management structures are particularly attractive because one authorized connection can reach multiple client accounts.<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"the-access-you-never-meant-to-give\">The Access You Never Meant to Give<\/h2>\n\n\n\n<p>OAuth consent phishing works because the attack fits inside a normal-looking step. The consent screen is real. The identity provider is legitimate. The only thing that went wrong is that you authorized an app you shouldn&#8217;t have, at a moment when you had no reason to look twice.<\/p>\n\n\n\n<p>Protecting against it requires a habit that most security awareness programs haven&#8217;t caught up to yet: treating the authorized apps list the same way you treat your login credentials. Something worth reviewing, worth pruning, and worth checking after anything unusual. The access that lingers after the fact is the actual risk.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>What if the risky click is not on a fake login page, but on a real \u201cAllow\u201d button? This article explains OAuth consent phishing and shows how to spot risky app permissions before attackers gain access.<\/p>\n","protected":false},"author":8,"featured_media":5803,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[4],"tags":[18,16],"class_list":["post-5745","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-current_risks","tag-fraud","tag-threat"],"acf":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v27.4 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>OAuth Consent Phishing: How Attackers Get Access<\/title>\n<meta name=\"description\" content=\"OAuth consent phishing gives attackers account access without passwords. 
Learn how malicious app permissions work and how to revoke them.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/adex.com\/blog\/oauth-consent-phishing-without-password\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"OAuth Consent Phishing: How Attackers Get Access\" \/>\n<meta property=\"og:description\" content=\"OAuth consent phishing gives attackers account access without passwords. Learn how malicious app permissions work and how to revoke them.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/adex.com\/blog\/oauth-consent-phishing-without-password\/\" \/>\n<meta property=\"og:site_name\" content=\"ADEX\" \/>\n<meta property=\"article:publisher\" content=\"https:\/\/www.facebook.com\/adexsaas\/\" \/>\n<meta property=\"article:published_time\" content=\"2026-06-24T08:41:48+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2026-06-24T09:29:52+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/adex.com\/blog\/wp-content\/uploads\/2026\/06\/adex-oauth-consent-phising.png\" \/>\n\t<meta property=\"og:image:width\" content=\"1200\" \/>\n\t<meta property=\"og:image:height\" content=\"628\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/png\" \/>\n<meta name=\"author\" content=\"Olya Mikheeva\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@adexsaas\" \/>\n<meta name=\"twitter:site\" content=\"@adexsaas\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Olya Mikheeva\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. 
reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"10 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/adex.com\\\/blog\\\/oauth-consent-phishing-without-password\\\/#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/adex.com\\\/blog\\\/oauth-consent-phishing-without-password\\\/\"},\"author\":{\"name\":\"Olya Mikheeva\",\"@id\":\"https:\\\/\\\/adex.com\\\/blog\\\/#\\\/schema\\\/person\\\/c5794aef7aa28987e7019a804390ee3a\"},\"headline\":\"OAuth Consent Phishing: How Attackers Get Access Without Stealing Your Password\",\"datePublished\":\"2026-06-24T08:41:48+00:00\",\"dateModified\":\"2026-06-24T09:29:52+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/adex.com\\\/blog\\\/oauth-consent-phishing-without-password\\\/\"},\"wordCount\":2275,\"publisher\":{\"@id\":\"https:\\\/\\\/adex.com\\\/blog\\\/#organization\"},\"image\":{\"@id\":\"https:\\\/\\\/adex.com\\\/blog\\\/oauth-consent-phishing-without-password\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/adex.com\\\/blog\\\/wp-content\\\/uploads\\\/2026\\\/06\\\/adex-oauth-consent-phising.png\",\"keywords\":[\"Fraud\",\"Threat\"],\"articleSection\":[\"Current risks\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/adex.com\\\/blog\\\/oauth-consent-phishing-without-password\\\/\",\"url\":\"https:\\\/\\\/adex.com\\\/blog\\\/oauth-consent-phishing-without-password\\\/\",\"name\":\"OAuth Consent Phishing: How Attackers Get 
Access\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/adex.com\\\/blog\\\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\\\/\\\/adex.com\\\/blog\\\/oauth-consent-phishing-without-password\\\/#primaryimage\"},\"image\":{\"@id\":\"https:\\\/\\\/adex.com\\\/blog\\\/oauth-consent-phishing-without-password\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/adex.com\\\/blog\\\/wp-content\\\/uploads\\\/2026\\\/06\\\/adex-oauth-consent-phising.png\",\"datePublished\":\"2026-06-24T08:41:48+00:00\",\"dateModified\":\"2026-06-24T09:29:52+00:00\",\"description\":\"OAuth consent phishing gives attackers account access without passwords. Learn how malicious app permissions work and how to revoke them.\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/adex.com\\\/blog\\\/oauth-consent-phishing-without-password\\\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/adex.com\\\/blog\\\/oauth-consent-phishing-without-password\\\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/adex.com\\\/blog\\\/oauth-consent-phishing-without-password\\\/#primaryimage\",\"url\":\"https:\\\/\\\/adex.com\\\/blog\\\/wp-content\\\/uploads\\\/2026\\\/06\\\/adex-oauth-consent-phising.png\",\"contentUrl\":\"https:\\\/\\\/adex.com\\\/blog\\\/wp-content\\\/uploads\\\/2026\\\/06\\\/adex-oauth-consent-phising.png\",\"width\":1200,\"height\":628,\"caption\":\"What if the risky click is not on a fake login page, but on a real \u201cAllow\u201d button? 
This article explains OAuth consent phishing\"},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/adex.com\\\/blog\\\/oauth-consent-phishing-without-password\\\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/adex.com\\\/blog\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"OAuth Consent Phishing: How Attackers Get Access Without Stealing Your Password\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/adex.com\\\/blog\\\/#website\",\"url\":\"https:\\\/\\\/adex.com\\\/blog\\\/\",\"name\":\"ADEX - Ad Fraud & Invalid Traffic Prevention Platform\",\"description\":\"\",\"publisher\":{\"@id\":\"https:\\\/\\\/adex.com\\\/blog\\\/#organization\"},\"alternateName\":\"ADEX\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/adex.com\\\/blog\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\\\/\\\/adex.com\\\/blog\\\/#organization\",\"name\":\"ADEX - Ad Fraud & Invalid Traffic Prevention Platform\",\"url\":\"https:\\\/\\\/adex.com\\\/blog\\\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/adex.com\\\/blog\\\/#\\\/schema\\\/logo\\\/image\\\/\",\"url\":\"https:\\\/\\\/adex.com\\\/blog\\\/wp-content\\\/uploads\\\/2022\\\/05\\\/CDD2258_copy-48-1.svg\",\"contentUrl\":\"https:\\\/\\\/adex.com\\\/blog\\\/wp-content\\\/uploads\\\/2022\\\/05\\\/CDD2258_copy-48-1.svg\",\"width\":148,\"height\":30,\"caption\":\"ADEX - Ad Fraud & Invalid Traffic Prevention 
Platform\"},\"image\":{\"@id\":\"https:\\\/\\\/adex.com\\\/blog\\\/#\\\/schema\\\/logo\\\/image\\\/\"},\"sameAs\":[\"https:\\\/\\\/www.facebook.com\\\/adexsaas\\\/\",\"https:\\\/\\\/x.com\\\/adexsaas\"]},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/adex.com\\\/blog\\\/#\\\/schema\\\/person\\\/c5794aef7aa28987e7019a804390ee3a\",\"name\":\"Olya Mikheeva\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/7e1ca40f4b08b576bd7c51e8946605febbcaa99bf482f69ead517b1cd512de42?s=96&d=mm&r=g\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/7e1ca40f4b08b576bd7c51e8946605febbcaa99bf482f69ead517b1cd512de42?s=96&d=mm&r=g\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/7e1ca40f4b08b576bd7c51e8946605febbcaa99bf482f69ead517b1cd512de42?s=96&d=mm&r=g\",\"caption\":\"Olya Mikheeva\"}}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->"}