What is OAuth token abuse?
Still have a question, spotted an error, or have a better explanation or a source we should cite?
You've probably clicked "Connect with Google" or "Sign in with Microsoft" when setting up a third-party app. That's OAuth doing its job. It lets an app access your account without ever seeing your password. Convenient for legitimate tools, useful for attackers too.
OAuth token abuse is when an attacker tricks you into granting their malicious app access to your account. Once you click "Allow", they get a token. That token works like a permanent key, and it doesn't stop working just because you change your password. (That's the part that catches most people off guard.)
Here's how it typically plays out. You get an email that looks like it's from Google Workspace or Microsoft 365, asking you to connect a "required" productivity app. You click through, the OAuth consent screen appears, you approve it, and that's it. The attacker now has persistent access to read your email, send on your behalf, or even forward everything to an outside inbox.
What makes this especially tricky for email is that phishing campaigns built around OAuth abuse don't need to steal your password at all. No brute force. No credential dump. Just a convincing-looking permission request and one click from you.
To protect yourself and your team, here's what actually helps:
- Audit connected apps regularly. In Gmail, go to your Google Account security page and look under "Third-party apps with account access". In Outlook, check under "Apps and services" in your Microsoft account. You might find things you don't remember authorizing.
- Revoke anything unfamiliar. If you don't recognize an app or haven't used it in months, pull the token. Revoking access is instant and permanent for that token.
- Be suspicious of OAuth requests from email. Legitimate services rarely send you an email asking you to re-authorize an app out of nowhere. That's a red flag worth pausing on.
- If you manage a team, restrict which apps can request OAuth access. Both Google Workspace and Microsoft 365 let admins whitelist approved apps so individual users can't accidentally grant access to untrusted tools.
Think of it this way. Changing your password after an account compromise is the obvious move, but if an attacker already has an OAuth token, your new password does nothing. Revoking app access is the step people miss.
If you suspect something is wrong with your email account right now, our SOS hotline is free and we'll help you figure out what's actually happening.
Contributors
Who worked on this answer
Every name links to their profile. Every company links to their site. Real people, real accountability.