The 'Accept' button that hands over your mailbox: consent phishing, explained
A new wave of attacks skips passwords entirely: victims approve an innocent-looking app permission screen and hand criminals long-lived access to their Microsoft 365 mailbox and files. One setting shuts most of it down.
Most of us have seen this screen a hundred times: an app asks to "access your info," and we click Accept without reading it. Attackers have noticed.
In February 2026, a criminal service called EvilTokens went live. Within five weeks it had broken into more than 340 organizations using Microsoft 365, across five countries — without stealing a single password (The Hacker News, Cloud Security Alliance).
How the trick works
Cloud accounts like Microsoft 365 use a system called OAuth — think of it as the "connect this app to your account" feature. When you approve an app, Microsoft hands it a long-lived digital keycard (a token) that lets the app act on your behalf.
Consent phishing abuses that feature. The scam usually looks like this:
- You get an email or message that seems routine — a document to review, a sign-in code to enter, an app to approve.
- You sign in on the real Microsoft page and even complete your normal MFA (multi-factor authentication — the extra code or app prompt).
- You click Accept on a permission screen.
That click hands the attacker a valid keycard to your mailbox, files, calendar, and contacts. There's no stolen password to detect, and MFA can't save you — because MFA already happened, legitimately, on Microsoft's real website.
Why this one is sneakier than normal phishing
- Changing your password doesn't fix it. The attacker's token keeps working after a password reset. It only dies when someone revokes it directly.
- It can last weeks or months. These tokens quietly renew themselves.
- It looks normal in the logs. There's no suspicious sign-in from a strange country — just an "approved app" doing what approved apps do.
What a small business can do this week
- Look at what's already connected. In the Microsoft Entra admin center, an admin can list every third-party app your staff have approved. Most small businesses are surprised by what they find.
- Turn off self-serve consent. Microsoft lets you require admin approval before any new app can connect to company data. An employee who needs a legitimate app submits a request; you approve it once. Microsoft's own guidance walks through this (Microsoft Entra blog).
- Teach one new reflex. The old advice was "don't type your password into strange sites." The new addition: treat any unexpected "this app wants permission" screen as a stop sign — especially if an email pressured you to get there.
- If you suspect a bad approval, an admin should revoke the app's access and the user's active sessions — not just reset the password.
Permission screens are the new phishing link. The good news: unlike a phishing email, app consent is something you can centrally control in Microsoft 365 — it's one setting, and it dramatically shrinks this entire attack.
Tenant Strike's read-only posture checks include flagging risky third-party app consents and overly permissive consent settings in your Microsoft 365 tenant — so you can see what's connected before an attacker does.
AI-researched from public sources, human-reviewed on July 8, 2026. We label AI-assisted writing — see our trust page.
See your own risk
Want this for your own Microsoft cloud?
Tenant Strike runs 100+ read-only checks across Microsoft 365 and Azure and hands you a plain-English fix for every gap. Start a 7-day Pro trial — no credit card.