Admin-Consent Phishing: The OAuth Grant Your Tenant Never Audited

Growing 3.4x year-over-year. The median Series B tenant CelvexGroup reviewed in 2025 had 178 consented OAuth apps. Only 14% of admins could name more than 30. Password rotation doesn't revoke what you never knew you granted.

Open Admin → Integrated applications in Microsoft 365 or Google Workspace. Count the apps you've never heard of. That's the attack surface growing 3.4x year-over-year per Microsoft's March 2026 Digital Defense addendum, and it bypasses every multi-factor mitigation you have in place.

What "admin-consent phishing" actually is

A legitimate-looking OAuth app grant request arrives in the inbox of an IT admin. The sender is spoofed or compromised. The app name reads plausibly — "Office365 Compliance Auditor," "GSuite Mail Archiver," "Security Review Tool." The linked consent page is hosted on Microsoft or Google's real domain, the branding is pixel-perfect, and the permissions requested are worded to sound auditable rather than invasive.

One click later, the attacker has a refresh token with tenant-wide scope that survives password rotation and multi-factor reset. No credential was ever stolen. The admin voluntarily granted a tenant-level authorization to a third-party application that the attacker registered on their own tenant the day before.

Why password rotation doesn't fix it

Refresh tokens are independent of the underlying user credentials. The attacker isn't using a password at all; they hold OAuth tokens that your identity provider issued to the application on behalf of the entire tenant. Rotating the admin's password doesn't revoke the grant. Resetting multi-factor doesn't revoke the grant. Disabling the consenting admin's account doesn't revoke the grant either, because an admin consent is scoped to the application for all users, not to the user who clicked Accept.

Revocation requires an administrator to explicitly walk into the tenant admin console, locate the consented application, and click "Revoke permissions." That means the admin has to know the grant exists. Which means they have to have looked.

The 180-app problem

In a sample of 24 Series B-to-C-stage technology companies CelvexGroup reviewed in 2025, the median tenant had 178 consented applications — and only 14% of admins could name more than 30 of them. You can't revoke what you don't know you've granted.

The apps accumulate through normal, legitimate use. An engineer tries a new observability tool during a free trial. A marketer connects a third-party scheduler to calendar. A finance lead plugs in a spreadsheet integration during a board-prep scramble. Each consent is individually innocuous. Collectively they become a sprawling, un-owned perimeter that no single employee is responsible for maintaining. The attacker counts on exactly this.

The five things to check today

  1. Enumerate tenant-wide consented apps. In Microsoft 365: Entra admin center → Enterprise applications → All applications, filter by "Application type = Enterprise Applications." In Google Workspace: Admin console → Security → API controls → App access control → Manage third-party app access.
  2. Audit scopes. Any app with Mail.Read, Files.Read.All, Directory.Read.All, or offline_access combined with broad read scopes is a priority review. If you can't immediately name the business owner of that grant, revoke first and ask questions later.
  3. Check refresh-token age. In Entra: Sign-in logs filtered to refreshTokenIssued = true. In Workspace: Reports → Token audit log. Tokens older than 90 days with no recent user sign-in are candidates for revocation.
  4. Enable the admin-consent workflow. Turn off user-level consent so employees cannot grant permissions on their own. Route every request through a named IT approver. Microsoft calls this "Admin Consent Workflow"; Google calls it "App access control → Restricted."
  5. Add conditional-access policies around OAuth grant flows. Require multi-factor for consent operations specifically. Block consent initiated from unmanaged devices or unfamiliar locations.
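Steps 1 through 3 come down to joining the grant list with scope and activity data and applying a handful of rules. The script below is an added example written for this article, not Celvex tooling or any Microsoft sample. It runs offline over constructed records that mimic the shape of Microsoft Graph oauth2PermissionGrant objects (clientId, consentType, scope and displayName are real Graph property names; the lastActivity field, the KNOWN_OWNERS inventory and the AS_OF reference date are assumed enrichment you would populate from sign-in activity and your own asset register) and flags tenant-wide grants by the criteria above: the named high-risk scopes, offline_access paired with a broad read scope, more than 90 days idle, and no named business owner.

```python
"""Offline audit of tenant-wide OAuth consent grants (added example, not the page's tooling)."""
from datetime import datetime, timezone
import json

# Scopes the checklist singles out as priority review.
HIGH_RISK_SCOPES = {"Mail.Read", "Files.Read.All", "Directory.Read.All"}
# "Broad read" scopes that make offline_access dangerous: an assumed list for this example.
BROAD_READ_SCOPES = HIGH_RISK_SCOPES | {"Mail.ReadWrite", "Sites.Read.All", "User.Read.All"}
IDLE_DAYS = 90

# Constructed reference date so the audit is reproducible; use datetime.now(timezone.utc) live.
AS_OF = datetime(2026, 4, 1, tzinfo=timezone.utc)

# Constructed sample data shaped like Graph oauth2PermissionGrant objects joined with the
# consenting servicePrincipal. clientId, consentType, scope and displayName are real Graph
# property names; lastActivity (ISO 8601) is an assumed enrichment field.
SAMPLE_GRANTS = json.loads("""
[
  {"clientId": "sp-1001", "displayName": "Office365 Compliance Auditor",
   "consentType": "AllPrincipals", "scope": "Mail.Read Directory.Read.All offline_access",
   "lastActivity": "2026-03-30T08:00:00Z"},
  {"clientId": "sp-1002", "displayName": "Acme Observability",
   "consentType": "AllPrincipals", "scope": "User.Read openid profile",
   "lastActivity": "2025-09-01T08:00:00Z"},
  {"clientId": "sp-1003", "displayName": "Calendar Scheduler",
   "consentType": "Principal", "scope": "Calendars.Read offline_access",
   "lastActivity": "2026-03-27T08:00:00Z"},
  {"clientId": "sp-1004", "displayName": "Board Spreadsheet Sync",
   "consentType": "AllPrincipals", "scope": "Files.Read.All",
   "lastActivity": "2026-03-22T08:00:00Z"}
]
""")

# Constructed owner inventory: clientId -> named business owner. A missing entry is an unowned grant.
KNOWN_OWNERS = {"sp-1002": "platform-team", "sp-1003": "marketing", "sp-1004": "finance"}


def parse_scopes(scope_str):
    """Graph returns scope as a space-separated string; split it into a set."""
    return set(scope_str.split())


def assess_grant(grant, known_owners, now):
    """Return the reasons a grant deserves attention (empty list = clean under these rules)."""
    reasons = []
    scopes = parse_scopes(grant.get("scope", ""))
    risky = sorted(scopes & HIGH_RISK_SCOPES)
    if risky:
        reasons.append("high-risk scopes: " + ", ".join(risky))
    if "offline_access" in scopes and scopes & BROAD_READ_SCOPES:
        reasons.append("offline_access combined with broad read scope (refresh token outlives credentials)")
    last = datetime.fromisoformat(grant["lastActivity"].replace("Z", "+00:00"))
    idle_days = (now - last).days
    if idle_days > IDLE_DAYS:
        reasons.append(f"idle for {idle_days} days")
    if grant["clientId"] not in known_owners:
        reasons.append("no named business owner")
    return reasons


def audit(grants, known_owners, now):
    """Audit tenant-wide (admin-consented) grants only; per-user consents are left to step 4."""
    findings = []
    for g in grants:
        if g.get("consentType") != "AllPrincipals":
            continue
        reasons = assess_grant(g, known_owners, now)
        if not reasons:
            continue
        # Unowned grants: revoke first, ask questions later. Owned grants: review with the owner.
        action = "revoke" if g["clientId"] not in known_owners else "review"
        findings.append({"clientId": g["clientId"], "app": g["displayName"],
                         "action": action, "reasons": reasons})
    # Revocations first, then the grants with the most reasons.
    findings.sort(key=lambda f: (f["action"] != "revoke", -len(f["reasons"])))
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_GRANTS, KNOWN_OWNERS, AS_OF):
        print(f"{f['action'].upper():7} {f['app']} ({f['clientId']}): {'; '.join(f['reasons'])}")
```

In a live tenant the same functions would take the output of GET /oauth2PermissionGrants (consentType AllPrincipals is the admin-consent case) joined with /servicePrincipals; the rules and the revoke-first policy for unowned grants do not change. The user-consented "Calendar Scheduler" record is deliberately skipped here because step 4 handles user consent as a policy setting rather than a per-grant review.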

How Celvex Sentry catches this

Governance Review enumerates every tenant-wide consented application, cross-references against a library of known-benign integrations, and flags anything novel, anything over 90 days idle, or anything with scope combinations associated with historical consent-phishing campaigns. Cloud & Infrastructure tracks refresh-token age and scope-escalation events against the SIEM. Every Fortress customer gets a monthly consented-app review report naming the specific grants to revoke, the specific business owners to contact, and the remaining residual risk after remediation.

Pen-testers hand you a PDF once a year; Celvex Sentry runs every attack they would, every week, and proves the ones that still work — with a fix attached.