Threat actors are always looking for new ways to abuse trusted platforms, and Microsoft Entra ID is increasingly becoming a target through a technique known as OAuth consent abuse.
A newly documented case study shows how a malicious or overly permissive third-party application, including one posing as a trusted tool such as ChatGPT, can quietly gain read access to a corporate user's mailbox without ever needing the user's password.
OAuth, short for Open Authorization, is the standard protocol that lets applications access a user’s data with their permission.
In Entra ID, when a user connects a third-party app to their Microsoft account, they are shown a consent prompt listing the permissions the app is requesting.
Attackers exploit this by building or disguising an application that requests sensitive delegated permissions such as Mail.Read. Once the user accepts, the app can read every message in that user's mailbox, and if offline_access was granted alongside it, the app also receives a refresh token, so access persists without the user being signed in or prompted again.
Red Canary analysts identified a case study in which a corporate user, TestUser@ContosoCorp.onmicrosoft.com, added ChatGPT as a third-party service principal within an Entra ID tenant and consented as a non-admin to the following OAuth permissions: Mail.Read, offline_access, profile, and openid.
Though this particular investigation concluded that the application was the genuine OpenAI-owned ChatGPT, the investigation steps followed the same sequence as a real-world incident Red Canary had previously observed in the wild.
The action was traced to IP address 3.89.177.26 and took place on December 2, 2025, at 20:22:16 UTC.
The real danger is not specific to ChatGPT—it is the attack pattern itself. Any third-party application, whether legitimate or malicious, that obtains the Mail.Read permission through user consent can silently read every message in the targeted inbox.
In a genuine attack, a threat actor could design a convincingly named application, push it through a phishing link, and then harvest sensitive emails, internal correspondence, or credentials without the victim ever realizing their account has been compromised.
What compounds this risk is that Entra ID, unless the tenant's user consent settings have been tightened, allows standard, non-admin users to consent on their own behalf to applications requesting permissions that do not require administrator approval, and Mail.Read is one of those permissions.
This means a single employee with no elevated access can inadvertently expose sensitive organizational data simply by accepting what looks like a routine app connection request.
How the Consent Attack Works Inside Entra ID
When a user connects an application, whether they arrived via a phishing email, social engineering, or legitimate browsing, and completes the consent prompt, two audit log events are recorded inside Entra ID: "Add service principal" (the app is instantiated in the tenant for the first time) and "Consent to application" (the permission grant itself).
Both events carry a shared CorrelationId, enabling security teams to link them together and trace the full consent chain back to a single user action.
Red Canary’s detection approach focuses on flagging non-admin consent grants tied to newly introduced third-party applications that include one or more commonly abused OAuth scopes.
A key indicator is the AppOwnerOrganizationId field in the audit log: when this value matches neither the tenant's own ID nor the well-known Microsoft tenant IDs that own first-party applications, the application is third-party. That alone does not make it malicious (the case study's app turned out to be genuine), but a new third-party app granted sensitive scopes by a non-admin user warrants prompt review.
Abused scopes most frequently seen in these attacks include Mail.Read, Files.Read.All, Chat.Read, and Sites.Read.All.
When a malicious or unsanctioned consent grant is confirmed, two remediation steps should be taken right away.
First, revoke the OAuth2 permission grant, using the grant ID recorded in the Consent to application audit event; this cuts off access even if the app still holds a refresh token. Then remove the service principal from the tenant by its object ID so the app cannot be re-consented to silently. Both tasks can be completed with Microsoft Graph PowerShell (Remove-MgOauth2PermissionGrant and Remove-MgServicePrincipal) or the equivalent Microsoft Graph REST calls.
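The detection logic described above (correlating the two audit events, checking AppOwnerOrganizationId against the tenant and Microsoft first-party owners, and matching commonly abused scopes) and the two remediation steps that follow from a confirmed finding, as an added example that is not Red Canary's or Microsoft's code. The audit records are constructed and use a simplified, flattened shape rather than the exact Entra audit log schema; the tenant ID, service principal object ID and grant ID are made up, while the two Microsoft owner tenant IDs are the well-known ones that own first-party apps. The remediation function only builds the Microsoft Graph REST calls; issuing them with a token is left to the caller.

```python
"""Triage Entra ID audit events for non-admin OAuth consent grants to new
third-party apps, then build the Graph calls that revoke them.

Added example (not the original page's code). Records below are CONSTRUCTED
in a simplified shape; real Entra audit events nest these values under
targetResources[].modifiedProperties and similar.
"""
from collections import defaultdict
from typing import Dict, List, Tuple

GRAPH = "https://graph.microsoft.com/v1.0"

# Scopes the article lists as the most frequently abused in these attacks.
ABUSED_SCOPES = {"Mail.Read", "Files.Read.All", "Chat.Read", "Sites.Read.All"}

# Well-known tenant IDs that own Microsoft first-party applications.
MICROSOFT_OWNER_TENANTS = {
    "f8cdef31-a31e-4b4a-93e4-5f571e91255a",  # Microsoft Services
    "72f988bf-86f1-41af-91ab-2d7cd011db47",  # Microsoft Corporation
}

OUR_TENANT = "11111111-1111-1111-1111-111111111111"  # constructed tenant ID

# Constructed sample log. Chain ...0001 mirrors the case study: a non-admin
# user adds a third-party app and consents to Mail.Read. Chain ...0002 is a
# first-party app (owner is Microsoft) and chain ...0003 is a third-party app
# granted only sign-in scopes; neither should be flagged.
AUDIT_EVENTS: List[Dict] = [
    {"activityDisplayName": "Add service principal",
     "correlationId": "c0ffee00-0000-4000-8000-000000000001",
     "activityDateTime": "2025-12-02T20:22:16Z",
     "initiatedBy": "TestUser@ContosoCorp.onmicrosoft.com",
     "target": {"displayName": "ChatGPT", "objectId": "sp-0000-0001",
                "AppOwnerOrganizationId": "22222222-2222-2222-2222-222222222222"}},
    {"activityDisplayName": "Consent to application",
     "correlationId": "c0ffee00-0000-4000-8000-000000000001",
     "activityDateTime": "2025-12-02T20:22:16Z",
     "initiatedBy": "TestUser@ContosoCorp.onmicrosoft.com",
     "ipAddress": "3.89.177.26",
     "ConsentContext.IsAdminConsent": False,
     "ConsentAction.Permissions": {"grantId": "grant-0000-0001",
                                   "scope": "Mail.Read offline_access profile openid"}},
    {"activityDisplayName": "Add service principal",
     "correlationId": "c0ffee00-0000-4000-8000-000000000002",
     "initiatedBy": "alice@ContosoCorp.onmicrosoft.com",
     "target": {"displayName": "Microsoft Teams", "objectId": "sp-0000-0002",
                "AppOwnerOrganizationId": "f8cdef31-a31e-4b4a-93e4-5f571e91255a"}},
    {"activityDisplayName": "Consent to application",
     "correlationId": "c0ffee00-0000-4000-8000-000000000002",
     "initiatedBy": "alice@ContosoCorp.onmicrosoft.com",
     "ConsentContext.IsAdminConsent": False,
     "ConsentAction.Permissions": {"grantId": "grant-0000-0002", "scope": "Chat.Read"}},
    {"activityDisplayName": "Add service principal",
     "correlationId": "c0ffee00-0000-4000-8000-000000000003",
     "initiatedBy": "bob@ContosoCorp.onmicrosoft.com",
     "target": {"displayName": "Some SaaS", "objectId": "sp-0000-0003",
                "AppOwnerOrganizationId": "33333333-3333-3333-3333-333333333333"}},
    {"activityDisplayName": "Consent to application",
     "correlationId": "c0ffee00-0000-4000-8000-000000000003",
     "initiatedBy": "bob@ContosoCorp.onmicrosoft.com",
     "ConsentContext.IsAdminConsent": False,
     "ConsentAction.Permissions": {"grantId": "grant-0000-0003", "scope": "openid profile"}},
]


def correlate(events: List[Dict]) -> Dict[str, Dict[str, Dict]]:
    """Group events by correlationId so the SP creation and the consent can be read together."""
    chains: Dict[str, Dict[str, Dict]] = defaultdict(dict)
    for e in events:
        chains[e["correlationId"]][e["activityDisplayName"]] = e
    return chains


def is_third_party(owner_id: str, our_tenant: str = OUR_TENANT) -> bool:
    """Third-party means the owning tenant is neither ours nor a Microsoft first-party owner."""
    return owner_id not in (MICROSOFT_OWNER_TENANTS | {our_tenant})


def find_suspicious_consents(events: List[Dict], our_tenant: str = OUR_TENANT) -> List[Dict]:
    """Flag non-admin consent grants to newly added third-party apps with abused scopes."""
    findings = []
    for cid, chain in correlate(events).items():
        added = chain.get("Add service principal")
        consent = chain.get("Consent to application")
        if not added or not consent:
            continue  # only newly introduced apps are in scope for this rule
        if consent.get("ConsentContext.IsAdminConsent"):
            continue  # admin consent is reviewed by a different process
        if not is_third_party(added["target"]["AppOwnerOrganizationId"], our_tenant):
            continue
        scopes = set(consent["ConsentAction.Permissions"]["scope"].split())
        hit = scopes & ABUSED_SCOPES
        if not hit:
            continue
        findings.append({
            "correlationId": cid,
            "user": consent["initiatedBy"],
            "ip": consent.get("ipAddress"),
            "app": added["target"]["displayName"],
            "servicePrincipalId": added["target"]["objectId"],
            "grantId": consent["ConsentAction.Permissions"]["grantId"],
            "abusedScopes": sorted(hit),
            "allScopes": sorted(scopes),
        })
    return findings


def remediation_plan(finding: Dict) -> List[Tuple[str, str]]:
    """Graph REST calls in the order the article gives: revoke the grant, then remove the SP."""
    return [
        ("DELETE", f"{GRAPH}/oauth2PermissionGrants/{finding['grantId']}"),
        ("DELETE", f"{GRAPH}/servicePrincipals/{finding['servicePrincipalId']}"),
    ]


if __name__ == "__main__":
    for f in find_suspicious_consents(AUDIT_EVENTS):
        print(f"{f['user']} from {f['ip']} consented {f['app']} to {f['abusedScopes']}")
        for method, url in remediation_plan(f):
            print(f"  {method} {url}")
```

In a real pipeline the events would come from the Graph auditLogs/directoryAudits endpoint or a SIEM export, and the AppOwnerOrganizationId check should be extended with any other tenants the organization has explicitly approved; the order of the two DELETE calls matters because revoking the grant first stops an app that still holds a refresh token.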
On the prevention side, Microsoft provides three configurable consent policy options. The most secure approach requires an administrator to approve all consent requests, removing the ability for non-admin users to authorize any applications.
A more balanced setting restricts consent to verified publishers with pre-approved, low-risk permissions.
The third option hands the user consent settings to Microsoft, which applies its current recommendations to the tenant and updates them as that guidance evolves, a workable middle ground between security and operational convenience.