← Blog

The 'Accept' button that hands over your mailbox: consent phishing, explained

Tenant Strike3 min read

A new wave of attacks skips passwords entirely: victims approve an innocent-looking app permission screen and hand criminals long-lived access to their Microsoft 365 mailbox and files. One setting shuts most of it down.

Most of us have seen this screen a hundred times: an app asks to "access your info," and we click Accept without reading it. Attackers have noticed.

In February 2026, a criminal service called EvilTokens went live. Within five weeks it had broken into more than 340 organizations using Microsoft 365, across five countries — without stealing a single password (The Hacker News, Cloud Security Alliance).

How the trick works

Cloud accounts like Microsoft 365 use a system called OAuth — think of it as the "connect this app to your account" feature. When you approve an app, Microsoft hands it a long-lived digital keycard (a token) that lets the app act on your behalf.

Consent phishing abuses that feature. The scam usually looks like this:

  1. You get an email or message that seems routine — a document to review, a sign-in code to enter, an app to approve.
  2. You sign in on the real Microsoft page and even complete your normal MFA (multi-factor authentication — the extra code or app prompt).
  3. You click Accept on a permission screen.

That click hands the attacker a valid keycard to your mailbox, files, calendar, and contacts. There's no stolen password to detect, and MFA can't save you — because MFA already happened, legitimately, on Microsoft's real website.

Why this one is sneakier than normal phishing

  • Changing your password doesn't fix it. The attacker's token keeps working after a password reset. It only dies when someone revokes it directly.
  • It can last weeks or months. These tokens quietly renew themselves.
  • It looks normal in the logs. There's no suspicious sign-in from a strange country — just an "approved app" doing what approved apps do.

What a small business can do this week

  1. Look at what's already connected. In the Microsoft Entra admin center, an admin can list every third-party app your staff have approved. Most small businesses are surprised by what they find.
  2. Turn off self-serve consent. Microsoft lets you require admin approval before any new app can connect to company data. An employee who needs a legitimate app submits a request; you approve it once. Microsoft's own guidance walks through this (Microsoft Entra blog).
  3. Teach one new reflex. The old advice was "don't type your password into strange sites." The new addition: treat any unexpected "this app wants permission" screen as a stop sign — especially if an email pressured you to get there.
  4. If you suspect a bad approval, an admin should revoke the app's access and the user's active sessions — not just reset the password.

Permission screens are the new phishing link. The good news: unlike a phishing email, app consent is something you can centrally control in Microsoft 365 — it's one setting, and it dramatically shrinks this entire attack.

Tenant Strike's read-only posture checks include flagging risky third-party app consents and overly permissive consent settings in your Microsoft 365 tenant — so you can see what's connected before an attacker does.

AI-researched from public sources, human-reviewed on July 8, 2026. We label AI-assisted writing — see our trust page.

See your own risk

Want this for your own Microsoft cloud?

Tenant Strike runs 100+ read-only checks across Microsoft 365 and Azure and hands you a plain-English fix for every gap. Start a 7-day Pro trial — no credit card.