Article
OAuth Consent Abuse: A Trust Boundary Collapse in Microsoft 365
A malicious browser extension exploited OAuth consent in Microsoft 365 to gain full tenant access. No password or MFA was required. The attack bypassed all perimeter controls and created a persistent, unrevocable access path-highlighting a fundamental flaw in identity trust models.