
How to detect and respond to OAuth consent attacks in Google... #266

Open
carlospolop wants to merge 1 commit into master from
update_How_to_detect_and_respond_to_OAuth_consent_attacks_20260304_184649

Conversation

@carlospolop
Collaborator

🤖 Automated Content Update

This PR was automatically generated by the HackTricks News Bot based on a technical blog post.

📝 Source Information

  • Blog URL: https://redcanary.com/blog/threat-detection/google-workspace-oauth-attack/
  • Blog Title: How to detect and respond to OAuth consent attacks in Google Workspace
  • Suggested Section: GWS - Workspace Pentesting -> (new page) OAuth Consent / Token Grant Abuse (Consent Phishing) + Detection/Response (Admin Reports 'token' audit, GAM token inventory) OR add under "GWS - Google Platforms Phishing"

🎯 Content Summary

What the post is about
This post explains an OAuth consent (“consent phishing”) attack path in Google Workspace that can turn a single user’s authorization click into persistent API access for an attacker-controlled OAuth application. It then ties that OAuth access to supply-chain impact by abusing the Chrome Web Store API scope to modify/publish Chrome extensions. The post is primarily detection-and-response focused and includes concrete **Admin Reports audit log fiel...

🔧 Technical Details

OAuth consent phishing (Google Workspace): social-engineer a victim into approving an attacker-controlled OAuth client on a legitimate Google consent screen. After consent, the attacker gains API access via OAuth tokens that can persist until revoked and may bypass repeated MFA challenges, making it a durable foothold without password theft. Detection should pivot on Google Admin Reports OAuth Token audit events where events.name is authorize, extracting client_id, app_name, and scope/scope_data to identify suspicious new authorizations.

Scope-to-supply-chain escalation: request OAuth scopes that grant control over a distribution or admin surface (e.g., https://www.googleapis.com/auth/chromewebstore). Once granted, use the corresponding API (Chrome Web Store API in this case) to modify/publish assets the victim manages, delivering malicious updates that can steal session cookies/auth tokens from downstream users and enable account takeover in third-party services...

🤖 Agent Actions

Summary
Added a focused OAuth consent abuse detection/response section (Admin Reports token audit fields, GAM baselining, alerting logic, response, mitigations) to the Google Workspace OAuth phishing page and updated references.

Files Updated

  • src/pentesting-cloud/workspace-security/gws-google-platforms-phishing/README.md

Tests

  • Not run (docs-only change).

This PR was automatically created by the HackTricks Feed Bot. Please review the changes carefully before merging.

📚 Repository Maintenance

  • MD files processed: 583
  • MD files fixed: 1

All .md files have been checked for proper formatting (headers, includes, etc.).
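An added example, not code from the PR or from the Red Canary post: a Python triage pass over Admin Reports `token` audit activities that keeps only `authorize` events and flags those whose `client_id` is outside a baseline inventory or whose granted scopes include the Chrome Web Store scope. The sample activities, client_ids, app names and the baseline set are constructed for illustration; the record layout follows the `activities.list` shape (`events[].parameters[]` with `value` / `multiValue`).

```python
import json

# Constructed sample: Admin Reports "token" activities in the shape returned by
# activities.list(applicationName="token"); client_ids and app names are made up.
SAMPLE_ACTIVITIES = json.loads("""[
 {"actor": {"email": "alice@example.com"}, "events": [{"name": "authorize", "parameters": [
   {"name": "client_id", "value": "1234-known.apps.googleusercontent.com"},
   {"name": "app_name", "value": "Corporate Calendar Sync"},
   {"name": "scope", "multiValue": ["https://www.googleapis.com/auth/calendar.readonly"]}]}]},
 {"actor": {"email": "bob@example.com"}, "events": [{"name": "authorize", "parameters": [
   {"name": "client_id", "value": "9999-unknown.apps.googleusercontent.com"},
   {"name": "app_name", "value": "Extension Helper"},
   {"name": "scope", "multiValue": ["https://www.googleapis.com/auth/chromewebstore",
                                    "https://www.googleapis.com/auth/userinfo.email"]}]}]},
 {"actor": {"email": "bob@example.com"}, "events": [{"name": "revoke", "parameters": [
   {"name": "client_id", "value": "9999-unknown.apps.googleusercontent.com"}]}]}
]""")

# Baseline of client_ids already inventoried (e.g. from a GAM token export); constructed.
KNOWN_CLIENT_IDS = {"1234-known.apps.googleusercontent.com"}
# Scopes that give an app control over a distribution or admin surface.
HIGH_RISK_SCOPES = {"https://www.googleapis.com/auth/chromewebstore"}


def _params(event):
    """Flatten an event's parameter list into {name: value or multiValue list}."""
    return {p["name"]: p.get("value", p.get("multiValue")) for p in event.get("parameters", [])}


def find_suspicious_authorizations(activities):
    """Alert on 'authorize' events whose client_id is outside the baseline or whose
    granted scopes include a high-risk scope. Revoke and other event names are ignored."""
    alerts = []
    for act in activities:
        for ev in act.get("events", []):
            if ev.get("name") != "authorize":
                continue
            p = _params(ev)
            scopes = set(p.get("scope") or [])
            reasons = []
            if p.get("client_id") not in KNOWN_CLIENT_IDS:
                reasons.append("client_id not in baseline")
            for s in sorted(scopes & HIGH_RISK_SCOPES):
                reasons.append("high-risk scope granted: " + s)
            if reasons:
                alerts.append({"user": act["actor"]["email"], "client_id": p.get("client_id"),
                               "app_name": p.get("app_name"), "reasons": reasons})
    return alerts
```

Run `find_suspicious_authorizations(SAMPLE_ACTIVITIES)` to see the single alert for bob's grant; in practice the alert feeds the response step (revoke the token, then check what the app did with the scope).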

@carlospolop
Collaborator Author

🔗 Additional Context

Original Blog Post: https://redcanary.com/blog/threat-detection/google-workspace-oauth-attack/

Content Categories: Based on the analysis, this content was categorized under "GWS - Workspace Pentesting -> (new page) OAuth Consent / Token Grant Abuse (Consent Phishing) + Detection/Response (Admin Reports 'token' audit, GAM token inventory) OR add under "GWS - Google Platforms Phishing"".

Repository Maintenance:

  • MD Files Formatting: 583 files processed (1 file fixed)

Review Notes:

  • This content was automatically processed and may require human review for accuracy
  • Check that the placement within the repository structure is appropriate
  • Verify that all technical details are correct and up-to-date
  • All .md files have been checked for proper formatting (headers, includes, etc.)

Bot Version: HackTricks News Bot v1.0
