SaaS-to-SaaS OAuth Worms: The "Consent" Virus

Executive Summary
In 2026, the era of “Identity is the New Perimeter” has evolved into “Interconnectivity is the New Vulnerability.” The latest cybersecurity threat isn’t a brute-force password attack or a zero-day exploit. It is the SaaS-to-SaaS OAuth Worm — a self-propagating “Consent Virus” that exploits the legitimate API connections between cloud applications.
This article dissects the anatomy of these attacks, connects them to real campaigns documented throughout 2025, and provides actionable defense strategies for Microsoft 365 and Google Workspace administrators.
The New Attack Surface: “Helper Apps” & AI Integrations
By 2026, the average enterprise user connects over 50 third-party applications to their corporate identity. These aren’t just Shadow IT — they are “productivity boosters” like AI schedulers, grammar checkers, and meeting assistants.
Security teams have spent a decade fortifying the front door (MFA, SSO, biometrics). The OAuth Worm walks through the back door. It doesn’t break in; it asks to be let in. Once authorized, it doesn’t need your password. It holds the OAuth tokens issued to the app (an access token and, when offline_access was granted, a refresh token), and those keep working after a credential change until someone revokes them.
The “AI-Meeting-Summarizer” Scenario
The most prominent example of this threat pattern is the “AI-Meeting-Summarizer” worm. Here is the infection lifecycle:
Patient Zero — A user receives a helpful email from a colleague (who is already infected) inviting them to “Collaborate on this meeting summary” using a new AI tool.
The Lure — The email isn’t a traditional phishing link. It originates from a legitimate internal address (e.g., user@company.com) because the sender’s account is automating the invite via API.
The Hook — The user clicks the link and sees a standard Microsoft 365 or Google Workspace OAuth consent screen. It looks 100% authentic — because it is.
The Payload (The “Consent”) — The app requests permissions such as:
- Contacts.Read — to identify new victims
- Mail.Send — to spread the worm
- Files.ReadWrite.All — to exfiltrate data
- offline_access — to obtain a refresh token and maintain access indefinitely
The Spread — The moment the user clicks “Accept,” the worm uses the granted API token to scan the user’s frequent contacts and sends 50 personalized invites from the victim’s own email address.
Time to infect an entire department: < 15 minutes.
Real-World Precedents (2025–2026)
These aren’t theoretical scenarios. The attack pattern played out at scale in 2025 and is accelerating in 2026.
The Salesloft-Drift Supply Chain Breach (March–August 2025)
One of the most consequential OAuth incidents of 2025 illustrates the SaaS-to-SaaS blast radius perfectly. Attackers first gained access to Salesloft’s GitHub repositories in March 2025; in August 2025 they used OAuth tokens stolen from the Drift integration to reach Salesforce instances at more than 700 organizations. Obsidian Security researchers noted the damage was 10x greater than incidents where attackers targeted Salesforce directly, because one compromised integration cascaded across hundreds of downstream environments simultaneously.
The lesson: a single OAuth link in your SaaS supply chain can be an entry point into your entire business ecosystem.
The Chrome Extension Consent Wave (Late 2024–2025)
A consent phishing campaign targeting Google Chrome extension vendors impacted an estimated 2.6 million end users across at least 35 commonly used extensions, including one published by the cybersecurity firm Cyberhaven. The entry point was itself an OAuth consent: an employee approved a malicious app that requested access to the Chrome Web Store publishing API. With that grant the attackers pushed malicious versions of the extensions, which harvested session cookies and authentication tokens from users’ browsers at scale.
The “ShadyPanda” Browser Campaign (December 2025)
The “ShadyPanda” campaign accumulated approximately 4.3 million installs across Chrome and Edge extensions, exfiltrating data through cookie and session token theft — entirely outside the visibility of endpoint detection tools.
Microsoft 365 OAuth App Impersonation (2025, Ongoing)
Proofpoint identified a sustained campaign using fake Microsoft 365 OAuth applications impersonating trusted brands including Adobe, DocuSign, RingCentral, and SharePoint. These campaigns targeted nearly 3,000 user accounts across more than 900 Microsoft 365 environments, with a confirmed account compromise success rate exceeding 50%. The malicious apps acted as gateway lures, redirecting victims to adversary-in-the-middle (AiTM) phishing kits like Tycoon to harvest session cookies and MFA tokens simultaneously.
State-Aligned OAuth Abuse (September 2025)
Proofpoint observed a suspected Russia-aligned threat actor tracked as UNK_AcademicFlare abusing OAuth device code authorization for targeted account takeover. The actor used compromised government and military email accounts to build rapport before sending spoofed OneDrive links that drew victims into device code phishing flows. Primary targets included government, academic, think tank, and transportation sectors across the US and Europe.
The Evolution: “ConsentFix” — The Next Mutation (December 2025)
Just as defenders began locking down third-party OAuth consent flows, Push Security researchers documented a significant mutation in December 2025: ConsentFix.
ConsentFix is a browser-native attack that bypasses even the stricter OAuth consent configurations Microsoft began rolling out in 2025. Here’s why it’s more dangerous than its predecessors:
The mechanism: Rather than tricking a user into clicking “Allow” on a consent prompt, ConsentFix socially engineers the victim into copying and pasting a legitimate OAuth authorization code URL back into the attacker’s phishing page. The victim effectively hands the attacker a valid session — entirely within the browser, without installing any software or triggering an MFA challenge.
The first-party loophole: ConsentFix specifically targets Azure CLI — a first-party Microsoft application that is implicitly trusted in every Entra ID tenant. Because Azure CLI is a Microsoft-native app, it cannot be blocked or deleted by administrators. It can request elevated permissions without triggering admin approval workflows, and third-party app restriction policies simply don’t apply to it.
The phishing-resistant bypass: If the victim already has an active browser session for their Microsoft account, no login is required at all. This means ConsentFix circumvents phishing-resistant authentication methods, including passkeys.
This represents a fundamental shift: attackers are no longer just exploiting the third-party app consent gap — they are exploiting the implicit trust that cloud platforms extend to their own tooling.
Anatomy of an OAuth Worm: Why It Bypasses Legacy Security
It Bypasses MFA
MFA protects the authentication moment — the login. OAuth worms exploit authorization — the permissions grant. Since the user is already logged in with a valid session, clicking “Accept” on a consent prompt does not trigger an MFA challenge in most default configurations. Because attackers leverage non-human identities operating via OAuth 2.0 API access, MFA protections are rendered ineffective against subsequent token abuse.
Living off the Cloud (LotC)
The attack installs no malware on the endpoint. There is no .exe for CrowdStrike or Windows Defender to flag. The malicious logic lives entirely in the attacker’s cloud infrastructure (AWS/Azure/GCP), communicating directly with your tenant’s APIs — Microsoft Graph API or Google Workspace APIs.
Trusted Invites
Spam filters rely on reputation signals. When the worm sends mail from internal-employee@yourcompany.com to another-employee@yourcompany.com through the victim’s own mailbox (Mail.Send), the message leaves your tenant’s mail servers and passes SPF, DKIM and DMARC checks. It sails through “Safe Senders” allow-lists because it genuinely originates from a trusted internal account.
Persistence via Refresh Tokens
Even if the victim changes their password, the attack persists. With offline_access granted, the app holds a Refresh Token and uses it to mint new Access Tokens without any user interaction. Entra ID issues a fresh refresh token on each use, so a grant that is actively exercised never ages out on its own (the default inactivity lifetime is 90 days). Unless the grant is explicitly revoked or the app is disabled, the attacker retains access through password resets, MFA re-enrollment, and account lockouts.
The Token IS the Key
Bearer tokens provide no sender validation. A stolen OAuth token works from any location, device, or network without reauthentication. Once an attacker obtains a valid OAuth token — through consent phishing, token theft, or third-party compromise — they bypass authentication controls entirely. Whoever holds the token has the keys.
The “Agentic” Threat: AI-Driven Context
In 2024, researchers demonstrated Morris II — the first generative AI worm. By 2026, this concept has matured into operational attacks.
Modern OAuth worms use LLMs to read the victim’s recent emails and calendar data, then generate context-aware invites that are virtually indistinguishable from legitimate colleague communications:
| Old Phishing | 2026 AI-Assisted OAuth Worm |
|---|---|
| “Please look at the attached invoice.” | “Hey Sarah, I used this AI tool to summarize our budget call from Tuesday. It captured the Q3 projection discussion well — check it out.” |
This high-context social engineering makes skepticism nearly impossible for the average employee. The message is personalized, references real conversations, and arrives from a trusted colleague’s actual email address.
Notably, ClickFix, the copy-and-paste social engineering technique that ConsentFix adapts to OAuth, was the top initial access vector detected by Microsoft across all of 2025, involved in 47% of attacks.
Platform Responses: What Changed in 2025
Microsoft’s July 2025 Default Policy Shift
In a significant defensive move, Microsoft announced that starting July 2025, users would by default be unable to consent to third-party applications accessing their files and sites. Users must instead request administrator approval through the Admin Consent workflow. Entra ID’s risk-based step-up consent now automatically escalates consent requests for multi-tenant apps without a verified publisher to require admin approval — preventing end users from directly consenting to suspicious apps they encounter via phishing URLs.
This is a major improvement, but it does not fully address the ConsentFix and first-party app bypass vectors.
Google Workspace Controls
Google Workspace administrators can configure API Controls to restrict third-party app access. The recommended posture is to allow only domain-owned apps and specific allow-listed third-party apps, blocking all others by default. This significantly reduces the attack surface for consent phishing campaigns.
Defense Strategies: Inoculating Your Organization
Protecting against the Consent Virus requires a shift from “Identity Security” to “App Governance.”
1. The “Kill Switch”: Restrict User Consent
Microsoft 365:
- Navigate to Entra ID > Enterprise Applications > Consent and Permissions
- Select “Allow user consent for apps from verified publishers only” (recommended) or disable user consent entirely
- Enable the Admin Consent Workflow so users can request apps without self-approving
- Verify your tenant is using the managed consent policy introduced in July 2025
Google Workspace:
- Navigate to Security > API Controls > App Access Control
- Trust internal, domain-owned apps only; maintain an explicit allow-list for approved third-party apps
- Block all other apps from accessing Google Workspace APIs by default
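For Microsoft 365 the same setting can be read and enforced from Graph PowerShell, which is how you verify it across many tenants or as a scheduled check. The following is an added example written for this article, not code from the original page or from Microsoft; it assumes the Microsoft.Graph module is installed and a session opened with Connect-MgGraph. The policy IDs are the ones Entra ID uses for the legacy allow-all posture and for the verified-publisher/low-impact posture; an empty list means user consent is disabled.

```powershell
# Added example (not from the article). Read, classify and optionally fix the
# Entra ID user-consent policy through Microsoft Graph PowerShell.
# Requires: Install-Module Microsoft.Graph
#           Connect-MgGraph -Scopes 'Policy.ReadWrite.Authorization'

# Built-in permission grant policies Entra assigns to the default user role:
$LegacyAllowAll = 'ManagePermissionGrantsForSelf.microsoft-user-default-legacy'  # weak: any user, any app
$VerifiedLowRisk = 'ManagePermissionGrantsForSelf.microsoft-user-default-low'    # recommended posture
# An empty PermissionGrantPoliciesAssigned list = user consent disabled (admin consent only).

function Get-UserConsentPosture {
    # Pure classification of the assigned policy list, so it can be reviewed offline.
    param([AllowNull()][string[]]$AssignedPolicies)
    if (-not $AssignedPolicies -or $AssignedPolicies.Count -eq 0) { return 'Disabled' }
    if ($AssignedPolicies -contains $LegacyAllowAll)               { return 'AllowAll' }
    if ($AssignedPolicies -contains $VerifiedLowRisk)              { return 'VerifiedPublisherOnly' }
    return 'Custom'   # a tenant-defined permissionGrantPolicy; review its conditions manually
}

function Test-UserConsentPolicy {
    # Reports the live posture; with -Enforce, moves an allow-all tenant to verified-publisher/low-risk.
    param([switch]$Enforce)
    $policy   = Get-MgPolicyAuthorizationPolicy
    $assigned = @($policy.DefaultUserRolePermissions.PermissionGrantPoliciesAssigned)
    $posture  = Get-UserConsentPosture -AssignedPolicies $assigned
    Write-Host "User consent posture: $posture  [$($assigned -join ', ')]"

    if ($posture -eq 'AllowAll') {
        Write-Warning 'Any user can consent to any third-party app, including unverified publishers.'
        if ($Enforce) {
            Update-MgPolicyAuthorizationPolicy -DefaultUserRolePermissions @{
                PermissionGrantPoliciesAssigned = @($VerifiedLowRisk)
            }
            Write-Host 'Updated: users may now consent only to verified-publisher, low-impact apps.'
            $posture = 'VerifiedPublisherOnly'
        }
    }
    elseif ($posture -eq 'Custom') {
        Write-Warning 'Custom grant policy in place; confirm it excludes unverified multi-tenant apps.'
    }
    return $posture
}

# Offline sanity check of the classifier against the weak and the corrected settings:
Get-UserConsentPosture -AssignedPolicies @($LegacyAllowAll)     # AllowAll
Get-UserConsentPosture -AssignedPolicies @($VerifiedLowRisk)    # VerifiedPublisherOnly
Get-UserConsentPosture -AssignedPolicies @()                    # Disabled

# Live check (needs Connect-MgGraph first):
# Test-UserConsentPolicy            # report only
# Test-UserConsentPolicy -Enforce   # fix an allow-all tenant
```

Pair the enforcement with the Admin Consent Workflow from the checklist above: once users can no longer self-approve unverified apps, they need a sanctioned path to request the ones they legitimately need, or they will route around the control.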
2. Audit and Purge (The “App Hygiene” Protocol)
Your environment almost certainly contains dormant, over-privileged apps granted months or years ago. Use your CASB or Microsoft Defender for Cloud Apps to filter for:
- Apps holding Mail.Send or Contacts.Read permissions
- Apps with “Low Community Trust” or “Unverified Publisher” status
- Apps granted consent by more than 10 users in under 24 hours — a strong indicator of an active worm spread
- Any app combining offline_access with Files.ReadWrite.All or Mail.ReadWrite — a high-risk scope combination associated with long-dwell exfiltration
3. Anomaly Detection for API Usage
Standard EDR is blind to cloud-native OAuth attacks. You need ITDR (Identity Threat Detection and Response) with specific alert rules:
- “New OAuth app granted high-risk permissions” — alert on first occurrence
- “Anomalous outbound email volume from internal account” — especially identical subject lines sent to internal distribution lists
- “New multi-tenant app with offline_access + Files.ReadWrite.All” — investigate within 60 minutes
- “First-time direct message from an external tenant + mailbox rule creation + new OAuth grant” within a 24–48 hour window — this trifecta is a high-confidence worm indicator
- “Publisher domain change on an existing app” — a potential signal of supply chain compromise
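The app hygiene filters in section 2 and the first and fourth alert rules above reduce to two computations: scoring a grant’s scope string for risky combinations, and counting distinct consenters per app inside a sliding window. The following is an added example written for this article, not code from the original page or from any vendor; it implements both in PowerShell over constructed sample data. The app IDs, user names and timestamps are invented, and the Graph field mapping in the trailing comments is an assumption to adapt to your tenant’s audit records.

```powershell
# Added example (not from the article). Pure PowerShell detection logic for OAuth
# consent worms, exercised here on constructed data; Graph wiring is in the comments.

# Delegated scopes the article treats as high risk, plus the persistence scope.
$HighRiskScopes   = @('Mail.Send', 'Mail.ReadWrite', 'Mail.Read', 'Contacts.Read',
                      'Files.ReadWrite.All', 'Sites.ReadWrite.All')
$PersistenceScope = 'offline_access'

function Get-ScopeRisk {
    # $Scope is the space-separated string stored on oAuth2PermissionGrant.scope.
    param([Parameter(Mandatory)][AllowEmptyString()][string]$Scope)
    $scopes     = @($Scope -split '\s+' | Where-Object { $_ })
    $risky      = @($scopes | Where-Object { $HighRiskScopes -contains $_ })
    $persistent = $scopes -contains $PersistenceScope
    $level = if ($persistent -and $risky.Count -gt 0) { 'High' }    # long-dwell exfil pattern
             elseif ($risky.Count -gt 0)              { 'Medium' }
             else                                     { 'Low' }
    [pscustomobject]@{
        Level       = $level
        Persistent  = $persistent
        RiskyScopes = $risky
        # Read contacts + send mail is exactly what a self-spreading invite needs.
        WormPattern = ($scopes -contains 'Mail.Send') -and
                      ($scopes -contains 'Contacts.Read' -or $scopes -contains 'People.Read')
    }
}

function Find-ConsentBurst {
    # Flags apps that collected consent from >= $Threshold distinct users within any
    # $WindowHours sliding window. $Events: objects with AppId, UserId, Time (DateTime).
    param([Parameter(Mandatory)][object[]]$Events, [int]$Threshold = 10, [int]$WindowHours = 24)
    foreach ($group in ($Events | Group-Object AppId)) {
        $sorted = @($group.Group | Sort-Object Time)
        for ($i = 0; $i -lt $sorted.Count; $i++) {
            $start = $sorted[$i].Time
            $end   = $start.AddHours($WindowHours)
            $users = @($sorted | Where-Object { $_.Time -ge $start -and $_.Time -lt $end } |
                       ForEach-Object UserId | Sort-Object -Unique)
            if ($users.Count -ge $Threshold) {
                [pscustomobject]@{ AppId = $group.Name; DistinctUsers = $users.Count
                                   WindowStart = $start; WindowEnd = $end }
                break   # one alert per app is enough
            }
        }
    }
}

# --- Constructed sample data (hypothetical app IDs, users and times) --------------
$t0 = [datetime]'2026-02-10T09:00:00Z'
$events = @()
1..12 | ForEach-Object {   # twelve users consent to one app within about 40 minutes
    $events += [pscustomobject]@{ AppId = 'worm-app-id'; UserId = "user$_@company.com"; Time = $t0.AddMinutes(3 * $_) }
}
1..3 | ForEach-Object {    # a legitimate app adopted slowly over a week
    $events += [pscustomobject]@{ AppId = 'crm-sync-id'; UserId = "user$_@company.com"; Time = $t0.AddDays(2 * $_) }
}

Find-ConsentBurst -Events $events | Format-Table -AutoSize   # only worm-app-id should appear
Get-ScopeRisk -Scope 'openid profile offline_access Contacts.Read Mail.Send Files.ReadWrite.All'
Get-ScopeRisk -Scope 'openid profile User.Read'

# --- Real data (assumed Graph PowerShell mapping; verify against your tenant) -----
# Connect-MgGraph -Scopes 'Application.Read.All','AuditLog.Read.All','Directory.Read.All'
# $grants = Get-MgOauth2PermissionGrant -All
# $grants | ForEach-Object { $r = Get-ScopeRisk -Scope $_.Scope
#     if ($r.Level -eq 'High') { [pscustomobject]@{ ClientId = $_.ClientId; Scope = $_.Scope; Worm = $r.WormPattern } } }
# $audit  = Get-MgAuditLogDirectoryAudit -Filter "activityDisplayName eq 'Consent to application'" -All
# $events = $audit | ForEach-Object { [pscustomobject]@{
#     AppId = $_.TargetResources[0].Id; UserId = $_.InitiatedBy.User.Id; Time = $_.ActivityDateTime } }
# Find-ConsentBurst -Events $events
```

The burst detector deliberately counts distinct users rather than raw events, so a single user re-consenting after a scope change does not trip it, and it walks a sliding window rather than calendar days so a spread that straddles midnight is still caught. Tune the threshold to your tenant: ten users in a day is noise for a company-wide rollout of a sanctioned app, which is why the scope score and the publisher status belong in the same triage view.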
4. Treat First-Party Apps with New Scrutiny
ConsentFix demonstrated that Microsoft-native apps like Azure CLI can be weaponized in ways that bypass third-party app restrictions entirely. Review Conditional Access policies so that the Authentication flows condition covers device code authorization, add sign-in origin conditions to flag authentications from unexpected locations or devices, and watch the sign-in logs for Azure CLI sessions from users who have no reason to use it.
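A Conditional Access policy that blocks the device code flow, deployed in report-only mode first, is the concrete form of the first recommendation above. The following is an added example written for this article, not code from the original page or from Microsoft; the property names follow the Graph conditionalAccessPolicy schema, and the break-glass group ID is a placeholder. Note the caveat: this addresses the device code vector (the UNK_AcademicFlare pattern), not ConsentFix itself, which rides the ordinary authorization code flow.

```powershell
# Added example (not from the article). Create a Conditional Access policy that blocks
# the OAuth device code flow for all users except a break-glass group.
# Requires: Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess','Application.Read.All'

function New-BlockDeviceCodeFlowPolicy {
    param(
        [Parameter(Mandatory)][string]$BreakGlassGroupId,   # hypothetical exclusion group (object ID)
        [switch]$Enforce                                     # default is report-only
    )
    $body = @{
        displayName = 'Block device code flow (OAuth phishing defence)'
        # Report-only surfaces who would have been blocked without breaking them.
        state       = if ($Enforce) { 'enabled' } else { 'enabledForReportingButNotEnforced' }
        conditions  = @{
            users        = @{ includeUsers = @('All'); excludeGroups = @($BreakGlassGroupId) }
            applications = @{ includeApplications = @('All') }
            # The authentication-flows condition is what distinguishes device code sign-ins
            # from the interactive browser logins the rest of your policies already cover.
            authenticationFlows = @{ transferMethods = 'deviceCodeFlow' }
        }
        grantControls = @{ operator = 'OR'; builtInControls = @('block') }
    }
    New-MgIdentityConditionalAccessPolicy -BodyParameter $body
}

# Roll out in report-only mode, review the sign-in log's report-only results for legitimate
# device-code users (headless CLI tooling, shared displays), then re-run with -Enforce:
# New-BlockDeviceCodeFlowPolicy -BreakGlassGroupId '<break-glass-group-object-id>'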
5. The “Consent Phishing” Simulation
Run OAuth Consent simulations alongside traditional phishing tests:
- Send a fake “Update your Calendar App” email to your user base
- Direct users to a simulated consent screen
- Track how many click “Accept” without checking the publisher
The goal is training users to look for the “Verified Publisher” blue checkmark before approving any consent screen — and to report unexpected OAuth prompts to IT security rather than dismissing or accepting them.
Recovery: What to Do If You Are Infected
If you detect an OAuth worm spreading in your tenant, work through these steps in order:
Step 1: Revoke the App Globally
Microsoft 365: In Entra ID, locate the Enterprise Application, go to “Properties,” and set “Enabled for users to sign-in?” to No. Then remove its permission grants and delete the service principal; deleting the service principal also removes every consent grant tied to it.
Google Workspace: In API Controls, block the specific Client ID of the malicious app.
Step 2: Revoke Refresh Tokens
Changing passwords is not enough — you must explicitly revoke OAuth tokens.
PowerShell (M365):
Revoke-MgUserSignInSession -UserId <UserObjectID>
Run this for all affected users, not just the initially reported cases.
Google Workspace: Reset sign-in cookies and revoke connected apps in each user’s security settings.
Step 3: Sweep Internal Emails
Use Microsoft Content Search or eDiscovery to locate and hard-delete the worm’s invite emails from all mailboxes — including the Sent Items of compromised accounts. Undeleted invites will continue generating new victims.
Step 4: Audit Exfiltration Scope
If the app held Files.ReadWrite.All or Mail.Read permissions together with offline_access, treat data exfiltration as presumed. Scope which SharePoint sites, OneDrive folders, or mailboxes were accessed during the token’s dwell period and initiate breach assessment procedures accordingly.
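Steps 1 and 2 as a single Graph PowerShell function, added here as an example written for this article (not the original page’s code): it disables the service principal, removes every delegated grant and app role assignment, and revokes sessions for each user who consented plus any others you pass in. The app ID and user IDs are placeholders. Steps 3 and 4 stay in Purview and are not automated here.

```powershell
# Added example (not from the article). Contain a consent-phished app in Entra ID:
# kill switch first, then strip its grants, then revoke tokens for everyone who consented.
# Requires: Connect-MgGraph -Scopes 'Application.ReadWrite.All','DelegatedPermissionGrant.ReadWrite.All',
#                                   'AppRoleAssignment.ReadWrite.All','User.ReadWrite.All'

function Invoke-OAuthWormContainment {
    param(
        [Parameter(Mandatory)][string]$AppId,            # application (client) ID from the consent audit event
        [string[]]$AdditionalUserIds = @(),              # other affected users not visible in the grants
        [switch]$DeleteServicePrincipal                  # remove the SP once evidence is preserved
    )
    $sp = Get-MgServicePrincipal -Filter "appId eq '$AppId'"
    if (-not $sp) { throw "No service principal for appId $AppId in this tenant" }

    # Step 1: stop new token issuance to the app before touching anything else.
    Update-MgServicePrincipal -ServicePrincipalId $sp.Id -AccountEnabled:$false

    # Every delegated grant: per-user ('Principal') consents give us the victim list;
    # a tenant-wide ('AllPrincipals') grant means an admin approved it and must go too.
    $grants     = @(Get-MgServicePrincipalOauth2PermissionGrant -ServicePrincipalId $sp.Id -All)
    $consenters = @($grants | Where-Object ConsentType -eq 'Principal' | ForEach-Object PrincipalId)
    foreach ($g in $grants) {
        Write-Host "Removing delegated grant $($g.Id) [$($g.ConsentType)] scope='$($g.Scope)'"
        Remove-MgOauth2PermissionGrant -OAuth2PermissionGrantId $g.Id
    }
    # Application permissions (app roles) the app holds with no user in the loop.
    foreach ($a in @(Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id -All)) {
        Remove-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id -AppRoleAssignmentId $a.Id
    }

    # Step 2: invalidate refresh tokens for every consenter plus anyone else known to be hit.
    $targets = @(($consenters + $AdditionalUserIds) | Where-Object { $_ } | Sort-Object -Unique)
    foreach ($uid in $targets) {
        Revoke-MgUserSignInSession -UserId $uid | Out-Null
        Write-Host "Revoked sign-in sessions for $uid"
    }

    if ($DeleteServicePrincipal) { Remove-MgServicePrincipal -ServicePrincipalId $sp.Id }

    [pscustomobject]@{
        ServicePrincipalId = $sp.Id
        GrantsRemoved      = $grants.Count
        UsersRevoked       = $targets.Count
        Consenters         = $targets
    }
}

# Usage (placeholder IDs):
# Invoke-OAuthWormContainment -AppId '00000000-0000-0000-0000-000000000000' `
#     -AdditionalUserIds @('<UserObjectID>') -DeleteServicePrincipal
```

Two points a responder should keep in mind. Revocation bites at the next token refresh: an access token already in the attacker’s hands stays valid until its own expiry (about an hour by default), which is why disabling the service principal comes first. And the function returns the consenter list deliberately; it is your starting population for the email sweep in Step 3 and the exfiltration scoping in Step 4.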
The Threat Model is Shifting: What 2026 Demands
The 2026 threat model for phishing must acknowledge that attackers achieve account takeover through authentication flows, OAuth consent, device code authorization, and browser-native token theft — not just password harvesting. It is no longer sufficient to protect email as your primary anti-phishing perimeter.
The distinction matters operationally. Your SEG can block a malicious link. It cannot block a consent prompt that arrives via a legitimate internal email from a compromised colleague’s account. It cannot see a copy-paste action in the browser.
The Consent Virus proves that in a cloud-native world, a malicious app is far more dangerous than a malicious file. By implementing strict consent policies, adopting ITDR tooling alongside EDR, and treating every OAuth integration request with the same scrutiny as an executable file, organizations can break the chain of infection before it engulfs their cloud environment.
Key Takeaways
- OAuth consent attacks bypass MFA entirely because they exploit authorization, not authentication
- The Salesloft-Drift breach (March–August 2025) showed a single compromised integration cascading to 700+ organizations, a 10x blast radius vs. direct attacks
- “ConsentFix” (December 2025) is a browser-native mutation that bypasses even admin consent restrictions by targeting trusted first-party apps like Azure CLI
- Microsoft made restrictive consent the default in July 2025 — verify your tenant is compliant and test it
- Revoke tokens, not just passwords — a compromised OAuth refresh token survives a full credential reset
- ITDR is not optional: standard endpoint detection is blind to cloud-native OAuth exploitation
- ClickFix, the copy-and-paste technique that ConsentFix adapts to OAuth, was the top initial access vector Microsoft observed in 2025, present in 47% of attacks
The OAuth threat landscape is evolving faster than most audit cycles. Review your app consent policies, run an app hygiene audit, and verify your ITDR alerting covers non-interactive API token abuse — before your next all-hands calendar invite becomes the Patient Zero.