OAuth phishing — sometimes called illicit consent grant attacks — tricks users into authorising malicious or abused applications to access their Microsoft 365 data. Unlike credential phishing which steals passwords, OAuth phishing captures a persistent access token that grants the attacker ongoing access to the user's account without needing their credentials or bypassing MFA.
First-party Microsoft applications are particularly dangerous in this context because they are trusted by default in most tenants and are less likely to trigger security warnings during the consent flow. Attackers can abuse the Family of Client IDs (FOCI) mechanism — a feature in the Microsoft identity platform that allows certain first-party apps to share refresh tokens — to escalate from a low-privilege app consent to broader access across multiple Microsoft services.
This technique allows attackers to maintain persistent access that survives password resets, because the OAuth token is independent of the user's credentials.
OAuth consent flows using first-party Microsoft apps are routine in normal M365 usage. Legitimate scenarios include:
The alert becomes suspicious when: the consent was triggered by an unusual OAuth redirect URI, the application involved is not one the user would typically interact with, the consent grant happened outside business hours or from an unusual location, or the application requests permissions significantly broader than its stated purpose.
Overe Auto-Response: The OAuth Phishing via First-Party Microsoft Application alert can be configured in Overe to trigger automatic session revocation or account block when suspicious OAuth activity is detected. Review your Auto-Response settings under Org Config > Auto-Response to ensure an appropriate automated response is configured.
Overe actively monitors and remediates this risk area. The following controls can be deployed and tracked in app.overe.io:
After investigating an OAuth phishing alert, review these related risk areas: