A large-scale campaign is targeting Google Workspace users with malicious OAuth app authorization requests that grant attackers persistent access to Gmail, Drive, and Calendar — bypassing MFA entirely. Over 15,000 organizations targeted in April 2026.
The campaign uses a technique called OAuth phishing or consent phishing. Attackers send emails to Google Workspace users that appear to come from legitimate services — document sharing notifications, calendar invites, or productivity tool recommendations. When the user clicks the link, they are taken to a real Google OAuth authorization page (not a fake login page) that asks them to grant permissions to a malicious application. Because the authorization page is genuinely hosted by Google, it passes all URL and certificate checks. If the user clicks Allow, the malicious app receives an OAuth token granting it persistent access to the user's Gmail, Drive, and Calendar — without ever needing the user's password or MFA code. The OAuth token remains valid until explicitly revoked, even if the user changes their password.
OAuth token theft is particularly dangerous because it completely bypasses MFA. The attacker never needs to know the user's password or intercept an MFA code — they simply need the user to click Allow on an OAuth authorization request. Once the token is issued, the attacker has persistent API-level access to the user's data that is independent of the user's login session. Changing the user's password does not revoke existing OAuth tokens. The only way to remove the attacker's access is to explicitly revoke the malicious app's authorization in the Google account settings or Google Workspace admin console.
Google Workspace administrators should immediately audit all third-party OAuth app authorizations across the organization. In the Google Workspace admin console, go to Security > API Controls > App Access Control to see all apps that have been granted access to the organization's data. Review each app and revoke access for any apps you do not recognize, no longer use, or that have excessive permissions. Enable Google Workspace's OAuth app allowlisting to prevent users from authorizing new third-party apps without administrator approval. This prevents the attack entirely — even if a user clicks Allow on a malicious OAuth request, the authorization will be blocked pending admin review. Additionally, train employees to be skeptical of OAuth authorization requests, particularly those requesting broad permissions like access to all Gmail messages or all Drive files. Legitimate productivity tools typically request only the specific permissions they need. Enable Google Workspace's advanced phishing and malware protection to catch the initial phishing emails before they reach users.
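As an added example (not part of this advisory or of Google's tooling), the following Python audit works over the grant records that the Admin SDK Directory API `tokens.list` call returns per user and flags grants that carry broad Gmail, Drive or Calendar scopes from a client ID not on an admin allowlist. The function names, the allowlist and the sample grants are this example's own constructed assumptions.

```python
from typing import Dict, Iterable, List

# OAuth scopes that grant standing access to all of a user's mail, files or calendar.
# A grant with one of these outlives a password change until the token is revoked.
BROAD_SCOPES = {
    "https://mail.google.com/": "all Gmail (read/send/delete)",
    "https://www.googleapis.com/auth/gmail.readonly": "read all Gmail",
    "https://www.googleapis.com/auth/gmail.modify": "read and modify Gmail",
    "https://www.googleapis.com/auth/drive": "all Drive files",
    "https://www.googleapis.com/auth/drive.readonly": "read all Drive files",
    "https://www.googleapis.com/auth/calendar": "all Calendar data",
}

def audit_tokens(tokens: Iterable[Dict], allowlist: Iterable[str]) -> List[Dict]:
    """Return grants an admin should review: broad scopes on a client ID outside the allowlist.
    Each token dict follows the Admin SDK tokens.list item shape (clientId, displayText, scopes, userKey)."""
    allowed = set(allowlist)
    findings = []
    for tok in tokens:
        broad = sorted(s for s in tok.get("scopes", []) if s in BROAD_SCOPES)
        if broad and tok["clientId"] not in allowed:
            findings.append({
                "userKey": tok["userKey"],
                "clientId": tok["clientId"],
                "displayText": tok.get("displayText", ""),
                "broadScopes": [BROAD_SCOPES[s] for s in broad],
            })
    return findings

def fetch_user_tokens(service, user_key: str) -> List[Dict]:
    """Live variant (not exercised offline): list one user's OAuth grants through the
    Admin SDK Directory API, where service = googleapiclient.discovery.build('admin', 'directory_v1', ...).
    A flagged grant is revoked with service.tokens().delete(userKey=user_key, clientId=...).execute()."""
    return service.tokens().list(userKey=user_key).execute().get("items", [])

# Constructed sample grants, not real data: one narrow-scope app, one consent-phishing style app.
SAMPLE_TOKENS = [
    {"userKey": "alice@example.com", "clientId": "111-expense.apps.googleusercontent.com",
     "displayText": "Acme Expense Reports",
     "scopes": ["https://www.googleapis.com/auth/userinfo.email"]},
    {"userKey": "alice@example.com", "clientId": "999-docshare.apps.googleusercontent.com",
     "displayText": "Shared Document Viewer",
     "scopes": ["https://mail.google.com/", "https://www.googleapis.com/auth/drive",
                "https://www.googleapis.com/auth/calendar"]},
]
SAMPLE_ALLOWLIST = ["111-expense.apps.googleusercontent.com"]

if __name__ == "__main__":
    for f in audit_tokens(SAMPLE_TOKENS, SAMPLE_ALLOWLIST):
        print(f"REVIEW {f['userKey']}: {f['displayText']} ({f['clientId']}) -> {', '.join(f['broadScopes'])}")
```

Run against every user returned by `users.list` in the live variant, then revoke each confirmed finding rather than relying on a password reset.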
Our San Antonio security team can assess your exposure, apply patches, and protect your business before attackers strike.