Microsoft 365 OAuth Consent Defense
OAuth consent phishing against Microsoft 365 — what happens when no password is stolen
The attacker registers an app in their own tenant, tricks a user into clicking Accept, and gets Microsoft-signed …
Five Sentinel detections for OAuth consent attacks (with the KQL inline)
Suspicious consent grant, mass campaign, anomalous SP sign-in, post-consent credential addition, and Graph API mass read. Plus a …
Why Conditional Access will not stop OAuth consent attacks (and what will)
CA gates sign-in. Consent happens after sign-in. Real prevention lives in three Entra ID consent-framework settings most established …
Containing an OAuth consent compromise — the four moves you have to make in order
Revoke grants. Disable the SP. Revoke refresh tokens. Tenant-block the AppId. Order matters and most SOCs do it …