Delivery Technique
Consent phishing works because the request happens inside a familiar identity flow. The user sees an app name, a permissions list, and a prompt that feels like normal SaaS plumbing. Even when no password is stolen, the result can be a durable permission grant to mailbox, calendar, files, contacts, or profile data.
Defensive Gaps
Organizations often move directly from "users can consent to everything allowed by default" to "users can consent to nothing." That swing can reduce exposure, but it also creates support load and encourages bypasses. Microsoft recommends restricting user consent to selected permissions and verified publishers, then using admin review for anything outside the policy.
Control Design
Use a two-lane model. The front door handles new requests through admin consent workflow, publisher checks, permission classification, and business justification. The cleanup lane handles existing grants by ranking apps by user count, privilege level, publisher trust, last activity, and whether the connected accounts touch sensitive mail or files.
Rollout Risks
Tenant-wide admin consent is powerful and easy to overuse. A popular app with many existing user grants is not automatically safe enough for broad approval. Before approving it, confirm the publisher, the requested scopes, the data path, support ownership, and whether user assignment can limit who actually receives access.
Recommended Controls
Create a monthly OAuth access review that produces decisions, not just a spreadsheet. Approve and assign known business apps, limit or block unknown apps with sensitive scopes, revoke stale grants, and publish a short user-facing process for requesting new tools without routing around security.
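The cleanup lane from Control Design and the monthly review from Recommended Controls, as an added example that is not part of the original article: a small Python triage that scores each existing grant by scope sensitivity, publisher verification, reach and staleness, then maps it to one of the review's decisions. The grant records, the 90-day staleness threshold, the score weights and the sensitive-scope list are constructed assumptions, not tenant data or a Microsoft-defined policy.

```python
from dataclasses import dataclass
from datetime import date

# Delegated scopes the review treats as sensitive (mail, files, contacts, directory).
SENSITIVE = {"Mail.Read", "Mail.ReadWrite", "Files.Read.All", "Contacts.Read", "Directory.Read.All"}
STALE_DAYS = 90                   # assumed threshold for "no recent activity"
REVIEW_DATE = date(2024, 6, 1)    # the day this constructed review runs

@dataclass
class AppGrant:
    app_name: str
    publisher_verified: bool
    user_count: int
    scopes: frozenset
    last_activity: date               # most recent sign-in through this app
    known_business_app: bool = False  # already on the organization's approved list

def is_stale(g: AppGrant, today: date) -> bool:
    return (today - g.last_activity).days > STALE_DAYS

def risk_score(g: AppGrant, today: date) -> int:
    # Higher means review first: privilege, publisher trust, reach, then staleness.
    score = 3 * len(g.scopes & SENSITIVE) + (0 if g.publisher_verified else 4)
    return score + 2 * (g.user_count >= 50) + int(is_stale(g, today))

def decide(g: AppGrant, today: date) -> str:
    # One decision per grant, in the order the text gives the rules.
    if is_stale(g, today):
        return "revoke"
    if g.known_business_app:
        return "approve_and_assign"
    if g.scopes & SENSITIVE:
        return "limit_or_block"
    return "keep"

def review(grants, today: date):
    # (app_name, score, decision) rows, highest risk first.
    rows = [(g.app_name, risk_score(g, today), decide(g, today)) for g in grants]
    return sorted(rows, key=lambda r: r[1], reverse=True)

# Constructed sample grants, not real tenant data.
SAMPLE = [
    AppGrant("Expense Tracker", True, 400, frozenset({"User.Read", "Files.Read.All"}),
             date(2024, 5, 20), known_business_app=True),
    AppGrant("Mail Helper Pro", False, 12, frozenset({"Mail.ReadWrite", "Contacts.Read"}),
             date(2024, 5, 1)),
    AppGrant("Old Survey Tool", True, 3, frozenset({"User.Read"}), date(2023, 9, 1)),
    AppGrant("Calendar Widget", True, 8, frozenset({"Calendars.Read"}), date(2024, 5, 15)),
]
```

Calling `review(SAMPLE, REVIEW_DATE)` returns the unverified mail app first with a limit-or-block decision, the widely used known app as approve-and-assign, and the grant with no sign-ins in nine months as revoke. In practice the `AppGrant` rows would be filled from the tenant's consent-grant and sign-in exports.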