The App That Walks Past Your MFA

Consent phishing hands attackers your mailbox without ever stealing a password, and multi-factor authentication does nothing to stop it. How the attack works in Microsoft 365 and Google Workspace, and the settings that close the door.

A founder I spoke with last year had done the hard part. Every account on Microsoft 365 had multi-factor authentication turned on, the staff had sat through the training, and the filters were catching the obvious junk. Then a junior account manager got an email that looked like a shared report from a partner firm. She clicked it, a normal Microsoft sign-in page appeared, she approved the prompt on her phone the way she does ten times a day, and a screen asked whether she would let an app called "Secure Doc Viewer" access her mailbox and files. She clicked Accept. Nothing broke. No password changed hands. And for the next three weeks a stranger could read every message in her inbox without once logging in as her.

That last part is what most people miss when they think they have email locked down. We tend to picture account takeover as someone guessing or phishing a password and then logging in. Consent phishing skips the login entirely. The attacker never wants the password, because the password and the sign-in prompt are what your MFA actually protects, and that sign-in was genuine. What they want is permission, and permission is something your own staff can hand out in two clicks.

The login already happened

Underneath Microsoft 365 and Google Workspace sits a standard called OAuth 2.0. It is the same plumbing that lets a scheduling tool read your calendar or a CRM pull your contacts, and most of the time it is genuinely useful. When an app wants access, it asks for specific permissions, called scopes: read your mail, send mail as you, see your files, read your contacts. You approve once, and from then on the app talks to your mailbox using an access token issued to it rather than your password. The token is the whole game. Because the app authenticates with
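The link in the story pointed at the real Microsoft sign-in page, and the scopes the app would ask for were already written into that link before anyone clicked it. A practitioner triaging a suspicious share notification wants to read that list first. The script below is an added example written for this page, not code from the original article or from either vendor: it parses an OAuth authorization URL, pulls out the requested scopes, flags the ones that hand an app the mailbox, files or contacts, and checks whether the app also asks for a refresh token (the offline_access scope on Microsoft, access_type=offline on Google), which is what lets an attacker keep reading for weeks without another sign-in. The endpoint hostnames and scope names are the real Microsoft Graph and Google ones; the sample URLs, client_id values and redirect hosts are constructed placeholders, and the "high risk" tiering is this example's own judgment rather than a vendor classification.

```python
from urllib.parse import urlparse, parse_qs

# Real authorization endpoints for the two platforms discussed in the article.
AUTHORIZE_HOSTS = {
    "login.microsoftonline.com": "Microsoft 365",
    "accounts.google.com": "Google Workspace",
}

# Scopes that give an app the mailbox, files or contacts. The names are real
# Microsoft Graph and Google scopes; calling them "high risk" is this
# example's own triage judgment, not a vendor classification.
HIGH_RISK_SCOPES = {
    "Mail.Read", "Mail.ReadWrite", "Mail.Send", "MailboxSettings.ReadWrite",
    "Files.Read.All", "Files.ReadWrite.All", "Contacts.Read",
    "https://mail.google.com/",
    "https://www.googleapis.com/auth/gmail.readonly",
    "https://www.googleapis.com/auth/gmail.send",
    "https://www.googleapis.com/auth/drive",
    "https://www.googleapis.com/auth/drive.readonly",
    "https://www.googleapis.com/auth/contacts.readonly",
}

GRAPH_PREFIX = "https://graph.microsoft.com/"


def normalize_scope(scope):
    """Microsoft scopes may carry the Graph resource prefix or not; compare on
    the short form. Google scopes are full URLs and are left as they are."""
    if scope.startswith(GRAPH_PREFIX):
        return scope[len(GRAPH_PREFIX):]
    return scope


def analyze_consent_url(url):
    """Report what a consent link would ask the user to grant, plus a verdict."""
    parts = urlparse(url)
    query = parse_qs(parts.query)  # decodes %20, %2F and '+' for us

    def first(key):
        return query.get(key, [""])[0]

    platform = AUTHORIZE_HOSTS.get(parts.hostname or "")
    scopes = [normalize_scope(s) for s in first("scope").split()]
    high_risk = sorted(s for s in scopes if s in HIGH_RISK_SCOPES)

    # A refresh token is what turns a one-time Accept into weeks of access.
    # Microsoft issues one for the offline_access scope, Google for
    # access_type=offline.
    persistent = "offline_access" in scopes or first("access_type") == "offline"

    redirect_host = urlparse(first("redirect_uri")).hostname or ""

    notes = []
    if platform is None:
        notes.append("authorize host is not Microsoft or Google: likely a fake "
                     "sign-in page (credential phishing), not a consent grant")
    if high_risk and persistent:
        verdict = "block"   # mailbox/file scopes plus a refresh token
    elif high_risk:
        verdict = "review"  # mailbox/file scopes, but only a short-lived token
    else:
        verdict = "low"

    return {
        "platform": platform,
        "client_id": first("client_id"),
        "redirect_host": redirect_host,
        "scopes": scopes,
        "high_risk": high_risk,
        "persistent": persistent,
        "verdict": verdict,
        "notes": notes,
    }


# Constructed sample links. The client_id GUIDs and redirect hosts are
# placeholders invented for this example.
PHISH_URL = (
    "https://login.microsoftonline.com/common/oauth2/v2.0/authorize"
    "?client_id=11111111-2222-3333-4444-555555555555&response_type=code"
    "&redirect_uri=https%3A%2F%2Fsecure-doc-viewer.example%2Fcallback"
    "&scope=openid%20profile%20offline_access%20Mail.Read%20Files.Read.All"
    "&state=share-report"
)
BENIGN_URL = (
    "https://login.microsoftonline.com/common/oauth2/v2.0/authorize"
    "?client_id=22222222-3333-4444-5555-666666666666&response_type=code"
    "&redirect_uri=https%3A%2F%2Fcalendar-tool.example%2Fcallback"
    "&scope=openid%20profile%20User.Read"
)
GOOGLE_URL = (
    "https://accounts.google.com/o/oauth2/v2/auth"
    "?client_id=33333333.apps.googleusercontent.example&response_type=code"
    "&redirect_uri=https%3A%2F%2Fsecure-doc-viewer.example%2Foauth"
    "&scope=openid%20https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fgmail.readonly"
    "&access_type=offline"
)

if __name__ == "__main__":
    for name, link in (("phish", PHISH_URL), ("benign", BENIGN_URL),
                       ("google", GOOGLE_URL)):
        report = analyze_consent_url(link)
        print(f"{name}: {report['verdict']} "
              f"(high risk: {report['high_risk']}, "
              f"refresh token: {report['persistent']}, "
              f"redirect: {report['redirect_host']})")
```

Run it against a real share notification by pasting the link's href in place of PHISH_URL. Notice that nothing in the script needs the password or the MFA prompt: everything the attacker will receive is spelled out in the scope parameter before the user ever sees the Accept button, and the redirect host is where the resulting token will be delivered.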