MFA Bypass: How Hackers Are Defeating Multi-Factor Authentication.

A phishing technique that bypasses Microsoft 365 MFA by abusing OAuth application consent. Learn how it works and the practical steps Irish SMEs can take to stay protected.

When a Galway professional services firm enabled MFA across their entire Microsoft 365 environment in early 2025, the managing director felt they had finally closed the door on account compromise. Six months later, an attacker had persistent, silent access to three senior staff mailboxes — without ever cracking a password or intercepting an MFA code. The attack had bypassed MFA entirely by exploiting a feature that Microsoft 365 provides legitimately: the ability for users to grant third-party applications access to their accounts.

This is not a theoretical vulnerability. It is a live, widespread attack technique that the NCSC Ireland has flagged as an active threat. For Irish SMEs running Microsoft 365, understanding how it works and what to do about it is now a priority security task.

WHAT: How Consent Phishing Bypasses MFA

The attack is known as consent phishing or, in technical terminology, an illicit consent grant attack. It works by tricking a user into granting an attacker's application access to their Microsoft 365 account. Once granted, that access persists until someone revokes it, and using it requires neither the user's password nor an MFA code, because the application authenticates with tokens of its own.

The attack unfolds in stages. First, the target receives a convincing phishing email: a shared document notification, an invoice alert, or a voicemail message. The email looks legitimate. The link leads to the genuine Microsoft sign-in page at login.microsoftonline.com, because the link is really an OAuth authorisation request for an application the attacker has registered. If the user is not already signed in, they enter their username and password on Microsoft's own page, receive their normal MFA prompt on their phone and approve it. If they are already signed in, even that step is skipped. At no point does the attacker see the password or the MFA code; they do not need either.

This is where the attack diverges from what the user expects. Immediately after the MFA approval, a new screen appears: a Microsoft permissions page asking the user to grant access to an application with an innocuous name like "Office365 Sync" or "Mail-archive." The page does list what is being requested ("Read your mail", "Have full access to your files", "Maintain access to data you have given it access to"), but because the user has just completed a legitimate login sequence, they click Accept without reading the request carefully.

That single click authorises the attacker's application. Microsoft hands it an authorisation code, which the application exchanges for an access token and, if it requested the offline_access permission, a refresh token: a long-lived credential that lets it keep fetching fresh access tokens for as long as the grant stands. Depending on the permissions consented to, the application can then read the entire mailbox, access OneDrive files, browse SharePoint documents and read Teams conversations through the Microsoft Graph API. It does not need another password. It does not need another MFA code. It is simply in, and it stays in until someone specifically revokes the application's access.

This is a fundamentally different kind of attack from the phishing emails your team has been trained to spot. There is no suspicious attachment, no fake login page and no stolen password; the sign-in and the MFA prompt are genuine, and the address in the browser really is Microsoft's. The attack exploits the legitimate permissions infrastructure built into Microsoft 365, not a flaw in it.[^1]
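As an added illustration (this is not code from the original article), the PowerShell function below pulls apart the kind of link such an email carries, so that an administrator or help desk can see at a glance what a suspicious URL is asking for. The client_id, redirect host and state value in the sample URL are constructed placeholders, and the scope list is one reasonable set of Microsoft Graph permissions to worry about, not a complete catalogue.

```powershell
# Added example, not from the original article. Dissects a consent-phishing link.
# The hostname is genuinely login.microsoftonline.com; what gives the attack away is the
# query string: an unfamiliar client_id, broad Microsoft Graph scopes, and offline_access,
# which is what turns a one-off sign-in into a long-lived refresh token.

function Get-ConsentRequestSummary {
    param([Parameter(Mandatory)][string]$Url)

    $uri = [System.Uri]$Url
    $isAuthorizeEndpoint = ($uri.Host -eq 'login.microsoftonline.com') -and
                           ($uri.AbsolutePath -match '/oauth2/(v2\.0/)?authorize$')

    # Parse the query string by hand so the function needs nothing beyond System.Uri.
    $params = @{}
    foreach ($pair in ($uri.Query.TrimStart('?') -split '&')) {
        if (-not $pair) { continue }
        $parts = $pair -split '=', 2
        $name  = [System.Uri]::UnescapeDataString($parts[0])
        $value = if ($parts.Count -gt 1) { [System.Uri]::UnescapeDataString($parts[1]) } else { '' }
        $params[$name] = $value
    }

    # Scopes that expose company data or make the grant persistent. A harmless
    # "sign in with Microsoft" app asks for little beyond openid, profile and User.Read.
    $sensitiveScopes = @(
        'offline_access'                                  # refresh token: access outlives the session
        'Mail.Read', 'Mail.ReadWrite', 'Mail.Send'        # mailbox
        'MailboxSettings.ReadWrite'                       # can create inbox rules
        'Files.Read.All', 'Files.ReadWrite.All'           # OneDrive
        'Sites.Read.All', 'Sites.ReadWrite.All'           # SharePoint
        'Chat.Read', 'Chat.ReadWrite'                     # Teams chats
        'Contacts.Read', 'Calendars.Read'
    )
    $requested = @()
    if ($params['scope']) { $requested = @($params['scope'] -split '\s+' | Where-Object { $_ }) }
    $flagged = @($requested | Where-Object { $sensitiveScopes -contains $_ })

    $verdict = if ($isAuthorizeEndpoint -and $flagged.Count -gt 0) {
        'Investigate: consent request for sensitive data'
    } else {
        'No sensitive consent request found'
    }

    [pscustomobject]@{
        IsAuthorizeEndpoint = $isAuthorizeEndpoint
        ClientId            = $params['client_id']
        RedirectUri         = $params['redirect_uri']
        ForcesConsentScreen = ($params['prompt'] -eq 'consent')
        Persistent          = ($requested -contains 'offline_access')
        RequestedScopes     = ($requested -join ' ')
        SensitiveScopes     = ($flagged -join ' ')
        Verdict             = $verdict
    }
}

# Constructed sample (placeholder client_id and redirect host) of the link described above.
$sample = 'https://login.microsoftonline.com/common/oauth2/v2.0/authorize' +
          '?client_id=11111111-2222-3333-4444-555555555555' +
          '&response_type=code' +
          '&redirect_uri=https%3A%2F%2Fmail-archive.example%2Fcallback' +
          '&scope=openid%20offline_access%20Mail.Read%20Files.Read.All%20MailboxSettings.ReadWrite' +
          '&prompt=consent&state=abc123'

Get-ConsentRequestSummary -Url $sample | Format-List
```

Two details are worth pointing out to staff: the redirect_uri is the attacker's server, which is where the authorisation code is delivered after the user clicks Accept, and prompt=consent forces the permissions screen to appear even if Microsoft would otherwise have skipped it.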

Has someone already granted an unknown application access to your company's Microsoft 365 data? Book a free 20-minute strategy call — we can walk you through the audit process and close any gaps we find.

WHAT NOW: A Prioritised Response for Irish SMEs

Protecting against this threat does not require significant budget. It requires specific, deliberate action across three areas, plus one check to run on any account you suspect is already affected.

Educate your team this week. The most important step costs nothing. Explain this specific attack to your staff in plain English. The message is simple: no legitimate business process will ever ask you to approve an unexpected application permission request. If any team member sees a screen asking them to grant access to an application they do not recognise, particularly immediately after logging in, they must stop, close the browser, and report it before clicking anything. This is the kind of targeted awareness that standard phishing training often does not cover, because the attack involves neither a fake login page nor a stolen password, the two things training usually teaches people to look for. The NCSC Ireland's published guidance on phishing provides useful background context on how these attacks are structured.[^1]

Audit your Microsoft 365 application permissions. Right now, you may have no idea which applications have been granted access to your company's data. An IT administrator can review this in the Microsoft Entra admin centre (Microsoft Entra ID is the service previously called Azure Active Directory). Look under Enterprise applications: open each application and check its Permissions page, which shows what was granted and whether an administrator or an individual user consented to it. Any application you do not recognise should be investigated and, if there is any doubt, its permissions revoked. Revoking the grant stops the application obtaining new tokens, but access tokens it already holds remain valid until they expire (typically about an hour), so also revoke the affected users' sign-in sessions. This audit should be a routine task, not a one-time exercise.
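The portal view is fine for a handful of applications; for anything larger, the audit is easier to do and to repeat from PowerShell. The script below is an added example, not code from the original article or from Microsoft, and it uses the Microsoft Graph PowerShell SDK. It assumes an account that can read the directory (revoking needs Cloud Application Administrator or higher), and the two Microsoft tenant IDs it treats as "owned by Microsoft" are the well-known owners of first-party apps; treat those as an assumption to verify against your own listing.

```powershell
# Added example, not from the original article. Lists every delegated permission grant in the
# tenant using the Microsoft Graph PowerShell SDK (Install-Module Microsoft.Graph) and flags
# grants that a single user made to an application owned by another tenant for mailbox, file
# or offline_access scopes. The two Microsoft tenant IDs are the well-known owners of
# first-party apps; treat them as an assumption and check against your own listing.

Connect-MgGraph -Scopes 'Application.Read.All', 'DelegatedPermissionGrant.ReadWrite.All', 'User.Read.All'

$ownTenant        = (Get-MgContext).TenantId
$microsoftTenants = @('f8cdef31-a31e-4b4a-93e4-5f571e91255a', '72f988bf-86f1-41af-91ab-2d7cd011db47')
$sensitive = @(
    'offline_access', 'Mail.Read', 'Mail.ReadWrite', 'Mail.Send', 'MailboxSettings.ReadWrite'
    'Files.Read.All', 'Files.ReadWrite.All', 'Sites.Read.All', 'Sites.ReadWrite.All'
    'Chat.Read', 'Chat.ReadWrite'
)

# Cache service principals so a tenant with hundreds of grants does not make hundreds of calls.
$spCache = @{}
function Get-CachedServicePrincipal([string]$Id) {
    if (-not $spCache.ContainsKey($Id)) {
        $spCache[$Id] = Get-MgServicePrincipal -ServicePrincipalId $Id
    }
    $spCache[$Id]
}

$report = foreach ($grant in Get-MgOauth2PermissionGrant -All) {
    $app    = Get-CachedServicePrincipal $grant.ClientId
    $scopes = @($grant.Scope -split '\s+' | Where-Object { $_ })
    $hits   = @($scopes | Where-Object { $sensitive -contains $_ })

    # ConsentType 'Principal' means one user clicked Accept; 'AllPrincipals' is admin consent.
    $consentedBy = 'admin (all users)'
    if ($grant.ConsentType -eq 'Principal' -and $grant.PrincipalId) {
        $user = Get-MgUser -UserId $grant.PrincipalId -Property UserPrincipalName -ErrorAction SilentlyContinue
        $consentedBy = if ($user) { $user.UserPrincipalName } else { $grant.PrincipalId }
    }

    # An app registered in your own tenant or owned by Microsoft is not third-party.
    $thirdParty = ($null -ne $app.AppOwnerOrganizationId) -and
                  ($app.AppOwnerOrganizationId -ne $ownTenant) -and
                  ($microsoftTenants -notcontains $app.AppOwnerOrganizationId)

    [pscustomobject]@{
        GrantId     = $grant.Id
        Application = $app.DisplayName
        AppId       = $app.AppId
        OwnerTenant = $app.AppOwnerOrganizationId
        ThirdParty  = $thirdParty
        ConsentedBy = $consentedBy
        Scopes      = ($scopes -join ' ')
        Sensitive   = ($hits -join ' ')
        Suspicious  = ($thirdParty -and $hits.Count -gt 0 -and $grant.ConsentType -eq 'Principal')
    }
}

$report | Sort-Object Suspicious -Descending |
    Format-Table Application, ConsentedBy, ThirdParty, Sensitive, Suspicious -AutoSize
$report | Export-Csv -Path .\consent-grants.csv -NoTypeInformation

# Once a grant is confirmed unwanted: remove it (the app can no longer obtain new tokens), then
# revoke the user's sessions so refresh tokens already issued to the attacker stop working too.
# Remove-MgOauth2PermissionGrant -OAuth2PermissionGrantId $suspiciousGrantId
# Revoke-MgUserSignInSession -UserId $consentingUserPrincipalName
```

Keep the exported CSV from each run; comparing this month's list against last month's is the quickest way to spot a grant that appeared without anyone asking for it. Application permissions granted to service principals are a separate list (each application's Permissions page, Admin consent tab) and are not covered by this script.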

Restrict user consent for third-party applications. Microsoft 365 has a built-in setting that closes the door on this entire class of attack: you can disable the ability for non-administrators to grant consent to new applications. Under this setting, any new application requesting access to company data must be explicitly approved by an administrator, not by whichever staff member clicks a link in an email. In the Microsoft Entra admin centre the setting lives under Enterprise applications, Consent and permissions, User consent settings. Choose "Do not allow user consent", or, if an outright block would be too disruptive, the option that permits consent only to applications from verified publishers requesting low-impact permissions. Turn on the admin consent request workflow at the same time, so that a staff member who genuinely needs an application can send a request to a named reviewer instead of hunting for a workaround. This is a single configuration change, but it is one of the highest-impact security settings available to an Irish SME running Microsoft 365.
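The same change, made and verified from PowerShell, as an added example that is not part of the original article. It uses the Microsoft Graph PowerShell SDK, assumes a Global Administrator or Privileged Role Administrator session, and the reviewer address at the end is a constructed placeholder.

```powershell
# Added example, not from the original article. Switches off user consent for the whole tenant
# with the Microsoft Graph PowerShell SDK and verifies the change. The reviewer address is a
# constructed placeholder.

Connect-MgGraph -Scopes 'Policy.ReadWrite.Authorization', 'Policy.ReadWrite.ConsentRequest', 'User.Read.All'

# Current state. An empty list means users cannot consent at all;
# 'ManagePermissionGrantsForSelf.microsoft-user-default-legacy' is the permissive default
# that lets any user consent to any application.
$before = (Get-MgPolicyAuthorizationPolicy).DefaultUserRolePermissions.PermissionGrantPoliciesAssigned
"Before: $(if ($before) { $before -join ', ' } else { '(none: user consent disabled)' })"

# Option A (recommended for an SME): no user consent; every new application goes via an admin.
Update-MgPolicyAuthorizationPolicy -DefaultUserRolePermissions @{ PermissionGrantPoliciesAssigned = @() }

# Option B (middle ground): users may consent only to apps from verified publishers that ask for
# low-impact permissions; anything broader still needs an admin. Uncomment instead of option A.
# Update-MgPolicyAuthorizationPolicy -DefaultUserRolePermissions @{
#     PermissionGrantPoliciesAssigned = @('ManagePermissionGrantsForSelf.microsoft-user-default-low')
# }

# Verify.
$after = (Get-MgPolicyAuthorizationPolicy).DefaultUserRolePermissions.PermissionGrantPoliciesAssigned
if ($after) { throw "User consent is still allowed by: $($after -join ', ')" }
'User consent disabled.'

# Give staff a sanctioned route: the admin consent request workflow lets a user ask a named
# reviewer to approve an application instead of looking for a workaround.
$reviewer = Get-MgUser -UserId 'it-admin@yourtenant.example'   # placeholder reviewer
Update-MgPolicyAdminConsentRequestPolicy -IsEnabled $true -NotifyReviewers $true `
    -RemindersEnabled $true -RequestDurationInDays 30 `
    -Reviewers @(@{ Query = "/users/$($reviewer.Id)"; QueryType = 'MicrosoftGraph' })
```

Disabling user consent does not touch grants that already exist, which is why the audit above comes first; and it does not stop an administrator from being consent-phished, so administrators should read every permission request they approve.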

Review mailbox rules on any affected accounts. If you suspect a staff member may have already been compromised, check their mailbox immediately for unusual inbox rules, particularly rules that forward or redirect incoming email to an external address, or that automatically delete or move messages matching certain keywords. Check the mailbox-level forwarding setting as well, since that can be changed without any rule existing, and include hidden rules, which Outlook does not display. These rules are a common technique attackers use to keep reading a mailbox, and to hide their own activity, after the initial compromise. Once you have cleaned up, reset the user's password and revoke their sign-in sessions so that any tokens the attacker still holds stop working.
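The check above, scripted against Exchange Online PowerShell, as an added example that is not code from the original article. It assumes an Exchange Administrator session; the mailbox address at the bottom is a constructed placeholder, and the list of folder names it treats as "burying" mail is a judgement call to adjust for your own tenant.

```powershell
# Added example, not from the original article. Uses Exchange Online PowerShell
# (Install-Module ExchangeOnlineManagement) to check a mailbox for the forwarding, hiding and
# oddly named inbox rules that follow a compromise. The mailbox address is a constructed placeholder.

Connect-ExchangeOnline

function Test-MailboxForAttackerRules {
    param(
        [Parameter(Mandatory)][string]$Mailbox,
        [Parameter(Mandatory)][string[]]$AcceptedDomains   # your own domains, lower-case
    )
    $findings = @()
    function New-Finding([string]$Type, [string]$Rule, [string]$Detail) {
        [pscustomobject]@{ Mailbox = $Mailbox; Type = $Type; Rule = $Rule; Detail = $Detail }
    }

    # 1. Mailbox-level forwarding, which needs no rule at all.
    $mb = Get-Mailbox -Identity $Mailbox
    foreach ($target in (@($mb.ForwardingSmtpAddress, $mb.ForwardingAddress) | Where-Object { $_ })) {
        $findings += New-Finding 'MailboxForwarding' '(mailbox setting)' "$target"
    }

    # 2. Inbox rules, including hidden ones that Outlook does not display.
    foreach ($rule in Get-InboxRule -Mailbox $Mailbox -IncludeHidden) {
        $targets = (@($rule.ForwardTo) + @($rule.ForwardAsAttachmentTo) + @($rule.RedirectTo)) | Where-Object { $_ }
        # Recipients come back as display strings; pull out the SMTP addresses they contain.
        $addresses = foreach ($t in $targets) {
            [regex]::Matches("$t", '[\w.+-]+@[\w-]+(\.[\w-]+)+') | ForEach-Object { $_.Value.ToLower() }
        }
        $external = @($addresses | Where-Object { $AcceptedDomains -notcontains ($_ -split '@')[1] })
        if ($external.Count -gt 0) {
            $findings += New-Finding 'ExternalForward' $rule.Name ($external -join ', ')
        }

        # Rules that silently delete or bury mail are how attackers hide replies to their own messages.
        if ($rule.DeleteMessage -or ($rule.MoveToFolder -match 'RSS|Archive|Deleted Items|Junk|Conversation History')) {
            $detail = "Delete=$($rule.DeleteMessage) MoveTo=$($rule.MoveToFolder) Keywords=$($rule.SubjectContainsWords -join ';')"
            $findings += New-Finding 'HideMessages' $rule.Name $detail
        }

        # Blank or one-character names (".", "..") are a well-known attacker habit.
        if ($rule.Name.Trim().Length -le 2) {
            $findings += New-Finding 'SuspiciousName' $rule.Name "Enabled=$($rule.Enabled)"
        }
    }
    $findings
}

$accepted = Get-AcceptedDomain | ForEach-Object { "$($_.DomainName)".ToLower() }

# One suspected mailbox (placeholder address) ...
Test-MailboxForAttackerRules -Mailbox 'md@yourtenant.example' -AcceptedDomains $accepted | Format-Table -AutoSize

# ... or every mailbox in the tenant.
# Get-Mailbox -ResultSize Unlimited |
#     ForEach-Object { Test-MailboxForAttackerRules -Mailbox $_.UserPrincipalName -AcceptedDomains $accepted }

# Remove a confirmed malicious rule, then reset the user's password and revoke their sessions in Entra.
# Remove-InboxRule -Mailbox 'md@yourtenant.example' -Identity '<rule name>'
```

A rule that forwards to an external address is not always malicious (people do forward to personal accounts), so confirm with the user before deleting; a rule with a one-character name that deletes messages containing "invoice" almost always is.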

WHY IT MATTERS: The Consequences for Irish Businesses

An attacker with persistent access to a senior staff member's mailbox has access to everything that passes through that account — client communications, financial instructions, supplier details, personnel matters, and commercially sensitive negotiations. The consequences unfold in two ways.

The first is financial fraud. An attacker who monitors your email can identify payment instructions, supplier invoice patterns, and client transactions. They can insert themselves at the right moment — sending a message from your genuine email address with fraudulent bank details, or redirecting a payment by a client who trusts your domain. An Garda Síochána's National Cyber Crime Bureau reports that business email compromise of exactly this type costs Irish businesses millions every year.[^3]

The second is a GDPR breach. If personal data belonging to clients or employees was accessible in the compromised mailbox, you have a potential 72-hour notification obligation to the Data Protection Commission. The Data Protection Commission expects organisations to have technical controls in place to limit the risk of exactly this kind of unauthorised access, and the absence of the application consent restrictions described above is a control gap that will be examined if a breach notification is made.[^2]

Enabling MFA was the right move. Restricting application consent is the next one.

WHAT NEXT: Three Actions to Take This Week

1. Ask your IT administrator to audit Microsoft 365 application permissions today. Review every application listed in the Entra admin centre's Enterprise Applications section. Revoke access for anything unfamiliar.

2. Disable user consent for third-party applications in Microsoft 365. Make administrator approval mandatory for any new application requesting access to company data.

3. Brief your team on consent phishing. Keep the message simple: if you see a permissions screen after logging in that you did not expect, do not click Accept — report it first.

Related Reading

[^1]: NCSC Ireland: advice and guidance for organisations on phishing and access security. https://www.ncsc.gov.ie/advice-for-organisations/
[^2]: Data Protection Commission Ireland: breach notification and technical controls. https://www.dataprotection.ie
[^3]: An Garda Síochána: National Cyber Crime Bureau on business email compromise. https://www.garda.ie/en/crime/cyber-crime/

Pragmatic Security — Cybersecurity advisory for Irish businesses. Based in Donegal, Ireland. CISA, CISSP, CISM certified advisors.