Phishing attacks have mutated. They no longer need to steal your password or bypass MFA. Cybercriminals abuse the OAuth protocol to trick you into authorizing a malicious application, and by accepting you unknowingly grant it access to your data. MFA is never triggered, because the consent step sits outside the traditional authentication flow. At foro3d.com, we explain how this silent threat works.
The technical mechanism behind the OAuth attack 🛡️
The attack begins with a link that appears to come from a legitimate service, such as Google or Microsoft. Clicking it redirects the victim to the real OAuth consent screen, where an application asks for permission to access emails, contacts, or files. The trusting user accepts. The attacker receives an access token that lets them interact with the service's API without ever handling credentials. MFA, designed to protect the login step, does not intervene here because the token has already been granted. The defense therefore depends on reviewing each requested permission before accepting.
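To make "reviewing each requested permission" concrete, here is an added example (not code from foro3d.com or from any provider) that parses an OAuth authorization-request link the way a cautious user or an analyst triaging a reported phishing link would: it extracts the client_id, the redirect_uri (whoever controls that host receives the token) and the requested scopes, and flags scopes that grant standing access to mail, files or contacts. The sample links, the placeholder client_id values and the high-risk scope list are constructed assumptions for the example; the scope names themselves are real Microsoft Graph and Google API scopes.

```python
from urllib.parse import urlparse, parse_qs

# Permissions that hand an app standing access to mail, files or contacts, or a
# refresh token (offline_access) that keeps working after the user signs out.
# This list is an assumption for the example, not an authoritative catalogue.
HIGH_RISK_SCOPES = {
    "offline_access",
    "Mail.Read", "Mail.ReadWrite", "Mail.Send",
    "Contacts.Read",
    "Files.Read.All", "Files.ReadWrite.All",
    "https://www.googleapis.com/auth/gmail.readonly",
    "https://www.googleapis.com/auth/gmail.modify",
    "https://www.googleapis.com/auth/drive",
    "https://www.googleapis.com/auth/contacts.readonly",
}

# Authorization endpoints of the two providers named in the article. Consent
# phishing normally goes through the real endpoint, so a match here is not a
# clean bill of health; a mismatch means the page is not a consent screen at all.
KNOWN_AUTHORIZE_HOSTS = {"login.microsoftonline.com", "accounts.google.com"}


def parse_consent_request(url: str) -> dict:
    """Pull out the fields a reviewer needs from an OAuth authorization-request URL."""
    parsed = urlparse(url)
    params = parse_qs(parsed.query)
    first = lambda key: params.get(key, [""])[0]
    # RFC 6749 defines scope as a space-delimited list inside one parameter.
    scopes = " ".join(params.get("scope", [])).split()
    return {
        "host": parsed.hostname or "",
        "client_id": first("client_id"),
        "redirect_uri": first("redirect_uri"),
        "response_type": first("response_type"),
        "scopes": scopes,
    }


def assess_consent_request(url: str) -> dict:
    """Return the parsed request plus the findings a user or analyst should act on."""
    req = parse_consent_request(url)
    risky = sorted(s for s in req["scopes"] if s in HIGH_RISK_SCOPES)
    redirect = urlparse(req["redirect_uri"])
    findings = []
    if req["host"] not in KNOWN_AUTHORIZE_HOSTS:
        findings.append(f"authorization endpoint {req['host']!r} is not a known provider")
    if risky:
        findings.append("requests standing access to data: " + ", ".join(risky))
    if "offline_access" in req["scopes"]:
        findings.append("offline_access issues a refresh token that outlives the session")
    if req["redirect_uri"] and redirect.scheme != "https":
        findings.append("token would be delivered to a non-HTTPS redirect_uri")
    if req["redirect_uri"]:
        # Whoever controls this host receives the authorization code or token.
        findings.append(f"token recipient: {redirect.hostname}")
    return {**req, "risky_scopes": risky, "findings": findings,
            "needs_review": bool(risky) or req["host"] not in KNOWN_AUTHORIZE_HOSTS}


# Constructed sample links: client_id values are placeholders and example.invalid
# is a reserved name that never resolves.
BENIGN_URL = (
    "https://login.microsoftonline.com/common/oauth2/v2.0/authorize"
    "?client_id=00000000-0000-0000-0000-000000000000&response_type=code"
    "&redirect_uri=https%3A%2F%2Fapp.example.invalid%2Fcallback"
    "&scope=openid%20User.Read"
)
SUSPICIOUS_URL = (
    "https://login.microsoftonline.com/common/oauth2/v2.0/authorize"
    "?client_id=11111111-1111-1111-1111-111111111111&response_type=code"
    "&redirect_uri=https%3A%2F%2Fdocs-share.example.invalid%2Fcb"
    "&scope=openid%20offline_access%20Mail.ReadWrite%20Files.ReadWrite.All%20Contacts.Read"
)

if __name__ == "__main__":
    for label, link in (("benign", BENIGN_URL), ("suspicious", SUSPICIOUS_URL)):
        result = assess_consent_request(link)
        print(f"[{label}] client_id={result['client_id']} needs_review={result['needs_review']}")
        for finding in result["findings"]:
            print("   -", finding)
```

Note that both sample links point at the genuine Microsoft endpoint: the thing that distinguishes the second one is not the domain but the scopes, which is exactly why a domain check alone misses this attack. On the defender side, the same logic applies to reviewing the consented applications already present in a tenant, where offline_access plus a mail or files scope on an app nobody recognises is the signal to revoke.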
Consent: the new revolving door of security 🚪
It turns out that after years of setting up MFA and using complex passwords, the weak link remains our enthusiasm for clicking on everything that shines. Now, instead of stealing your key, they ask for permission with a pretty form, and you, like a generous host, open the door wide for them. After all, why steal when you can politely ask for the keys? The irony is that MFA stands by, unbothered, like a doorman who was told he doesn't work today.