Security News

HIGH Attacks Reddit r/netsec

Microsoft Entra OAuth Consent Grant Attack Simulation in the PhishU Framework

The article describes OAuth consent phishing as an attack vector where users are tricked into granting API permissions to a malicious application via a legitimate Microsoft Entra consent screen, providing attackers with persistent delegated access to data like email and files even after password resets. The PhishU Framework now includes a simplified, point-and-click simulation template for this technique, enabling security teams to realistically test their defenses by generating a real consent flow and capturing the resulting access token for operator visibility. This simulation supports both standard email links and mobile-first delivery via QR codes.
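The consent flow the summary describes, as an added worked example that is not code from PhishU or the article: it builds the Microsoft identity platform v2.0 authorize URL for an app registration with a chosen scope set, validates the redirect back (rejecting a state mismatch or a declined consent), shapes the authorization-code exchange, and reports what a captured token response actually grants. The client ID, redirect URI, scope list and token response are constructed placeholders; the real HTTP POST to the token endpoint is left to the caller so the block runs offline.

```python
import secrets
from urllib.parse import urlencode, urlparse, parse_qs

# Microsoft identity platform v2.0 endpoints; "common" serves multi-tenant apps.
AUTHORITY = "https://login.microsoftonline.com/common"

# Placeholder registration values (assumed, not a real registration).
CLIENT_ID = "11111111-2222-3333-4444-555555555555"
REDIRECT_URI = "https://example.invalid/oauth/callback"

# A typical consent-phishing scope set: identity scopes plus the data the
# operator wants to demonstrate access to. offline_access is what yields a
# refresh token, i.e. access that outlives the first access token.
LURE_SCOPES = ["openid", "profile", "offline_access",
               "User.Read", "Mail.Read", "Files.Read.All"]


def new_state() -> str:
    """Unguessable per-campaign state; binds the callback to this request."""
    return secrets.token_urlsafe(24)


def build_consent_url(client_id: str, redirect_uri: str, scopes: list, state: str) -> str:
    """Authorization-code request; prompt=consent forces the consent screen."""
    params = {
        "client_id": client_id,
        "response_type": "code",
        "redirect_uri": redirect_uri,
        "response_mode": "query",
        "scope": " ".join(scopes),
        "state": state,
        "prompt": "consent",
    }
    return f"{AUTHORITY}/oauth2/v2.0/authorize?{urlencode(params)}"


def parse_callback(callback_url: str, expected_state: str) -> str:
    """Extract the authorization code from the redirect, rejecting a bad state
    and a declined consent (Entra redirects back with error=access_denied)."""
    q = parse_qs(urlparse(callback_url).query)
    if q.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: callback does not belong to this request")
    if "error" in q:
        desc = q.get("error_description", [""])[0]
        raise ValueError(f"consent not granted: {q['error'][0]} {desc}".strip())
    return q["code"][0]


def build_token_request(client_id: str, client_secret: str, code: str,
                        redirect_uri: str) -> dict:
    """Form body for the authorization_code exchange at the v2.0 token
    endpoint. The caller POSTs it (form-encoded); no network call happens here."""
    return {
        "url": f"{AUTHORITY}/oauth2/v2.0/token",
        "data": {
            "client_id": client_id,
            "client_secret": client_secret,
            "grant_type": "authorization_code",
            "code": code,
            "redirect_uri": redirect_uri,
        },
    }


def summarize_grant(token_response: dict, requested: list) -> dict:
    """What the operator holds after the exchange: the resource scopes granted,
    any requested resource scope that was withheld, and whether the grant can
    be refreshed (a refresh_token is only issued when offline_access was granted)."""
    identity_scopes = {"openid", "profile", "offline_access"}
    granted = set(token_response.get("scope", "").split())
    return {
        "granted": sorted(granted),
        "withheld": sorted(s for s in requested
                           if s not in granted and s not in identity_scopes),
        "can_refresh": "refresh_token" in token_response,
        "expires_in": token_response.get("expires_in"),
    }


# Constructed token response in the shape Entra returns (not captured data).
SAMPLE_TOKEN_RESPONSE = {
    "token_type": "Bearer",
    "scope": "User.Read Mail.Read Files.Read.All",
    "expires_in": 3599,
    "access_token": "eyJ...constructed...",
    "refresh_token": "0.AX...constructed...",
}

if __name__ == "__main__":
    state = new_state()
    print(build_consent_url(CLIENT_ID, REDIRECT_URI, LURE_SCOPES, state))
    code = parse_callback(f"{REDIRECT_URI}?code=constructed-code&state={state}", state)
    print(build_token_request(CLIENT_ID, "app-secret", code, REDIRECT_URI)["url"])
    print(summarize_grant(SAMPLE_TOKEN_RESPONSE, LURE_SCOPES))
```

The two details that matter for a realistic simulation are the state check (a callback that does not carry the state you issued is not your victim's consent) and the `offline_access` scope: without it the captured access token expires within the hour and the "persistence" story in the article does not hold.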

Most phishing simulations still revolve around one familiar outcome: the target typed a password. That matters, but it is no longer the only account-access path defenders should care about. OAuth consent phishing is different. Instead of stealing credentials directly, the target is pushed into a legitimate Microsoft Entra consent screen and asked to approve an attacker-controlled application. If they click Accept, the application receives delegated API access under the requested scopes. That can mean reading mail, browsing files, sending messages as the victim, viewing calendars and more.

What makes it especially dangerous is persistence. A stolen password dies on reset. A delegated OAuth grant is not tied to the password: it remains in place after password changes, MFA changes and routine credential rotation until the grant is explicitly revoked, so a response that only resets the user's credentials has not removed the application's permission. That is why the PhishU Framework now treats Microsoft Entra OAuth Consent Grant simulation as one of the most important techniques in the platform.

The Microsoft Entra OAuth Consent Grant template lives directly in the PhishU Framework landing page gallery, alongside the rest of the phishing workflow.

A Real Technique, Simplified

In the real world, running a believable OAuth consent phishing assessment is usually difficult and time consuming. App registrations need to be configured. Redirect URIs need to be handled correctly. Authorization codes have to be exchanged for tokens. Tokens need to be stored safely. Then the operator still needs a way to prove impact afterward.

The PhishU Framework compresses that into a workflow that feels simple. Select the Microsoft Entra OAuth Consent Grant template. Name the app. Pick the permissions. Enable the landing page. Send the campaign. When the target grants consent, the framework captures the delegated access and exposes it through the built-in Token Explorer.

That is the real story here. This is not just support for a new lure page. It is a point-and-click workflow for a real-world Microsoft technique that is normally harder to operationalize than it should be.

That also works cleanly for mobile-first delivery. If the operator uses a QR code in the email template and the campaign's landing page is the Microsoft Entra OAuth Consent Grant template, scanning the QR code takes the mobile user into the same OAuth consent flow as an alternative to clicking a hyperlink. That gives operators another realistic delivery path for environments where quishing-style lures make more sense than a standard email link.

Operators control the app display name and the permission request directly inside the template configuration workflow. The target sees a real Microsoft consent flow, and the framework turns the resulting action into immediate operator visibility. Once the target approves the grant, the framework surfaces the Microsoft consent event immediately so the operator can move from delivery to validation in real time.

Why OAuth Consent Grants Matter More Than Password Capture

Credential capture is easy to explain. The user typed a password. The password was stolen. Reset it and the immediate risk is reduced. OAuth consent abuse is more serious because the user is authorizing an application, not just exposing a secret. Once the grant is approved, the application can keep interacting with Microsoft Graph under the approved scopes. If offline access (the offline_access scope) is granted, the application also receives a refresh token, so access tokens can be renewed and reused over time without any further interaction from the user. The result is persistent delegated access to business data through a legitimate identity flow.

That changes the conversation in an assessment. Instead of saying "a user clicked a link", the operator can show that the user approved durable access to their mailbox, OneDrive, calendar and other cloud data.

The Token Explorer Is the Proof

The biggest differentiator is what happens after consent is granted. Most tooling stops at token capture and leaves the operator to do the rest by hand. The PhishU Framework does not. The captured grant shows up in the results workflow with an interactive Token Explorer. Scope-dependent actions let the operator work directly from inside the platform. That can include reading inbox contents, rendering full emails, browsing files, creating calendar events, sending email as the victim, viewing Teams chats and refreshing access tokens when offline access was granted.

That is the demo closer. Read their inbox. Browse their files. Send email as them. All from the Framework.

After the notification, the operator can open the captured grant in the results workflow and use the Token Explorer to access scope-driven actions such as profile review, inbox access and file browsing. From there, mailbox content can be rendered directly inside the Framework, turning consent abuse from an abstract concept into concrete evidence. Calendar access and write actions can also be demonstrated when the requested Microsoft scopes allow it.

Live Visibility Matters

One reason this feature fits the PhishU model so well is that it is not isolated from the re...
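The defender's side of the same grant, as an added example that is not part of the article or of PhishU: it scans delegated permission grants in the shape Microsoft Graph's oauth2PermissionGrants resource returns, flags the scope combinations the excerpt describes (mail, files, calendar, chat) when they belong to a client outside an allow-list, treats offline_access as the persistence marker, and emits the Graph calls a responder would issue to actually remove the access. The grant records are constructed, the allow-list of vetted client service principals and the scope set are assumed inputs, and nothing is fetched from Graph.

```python
# Delegated scopes that give an app the data the excerpt lists. This set is
# a starting point for triage, not a complete policy (assumption).
DATA_SCOPES = {
    "Mail.Read", "Mail.ReadWrite", "Mail.Send", "MailboxSettings.ReadWrite",
    "Files.Read", "Files.Read.All", "Files.ReadWrite", "Files.ReadWrite.All",
    "Calendars.Read", "Calendars.ReadWrite",
    "Chat.Read", "Chat.ReadWrite", "ChannelMessage.Read.All",
    "Contacts.Read",
}
GRAPH = "https://graph.microsoft.com/v1.0"


def flag_risky_grants(grants, known_clients=frozenset(), data_scopes=DATA_SCOPES):
    """One finding per grant that gives a non-allow-listed client data scopes.
    Severity is 'high' when offline_access is present (a refresh token was
    issued, so the access keeps working after the first token expires)."""
    findings = []
    for g in grants:
        scopes = set(g.get("scope", "").split())
        hits = sorted(scopes & data_scopes)
        if not hits or g["clientId"] in known_clients:
            continue
        findings.append({
            "grant_id": g["id"],
            "client_id": g["clientId"],
            "principal_id": g.get("principalId"),   # None for admin (AllPrincipals) consent
            "tenant_wide": g.get("consentType") == "AllPrincipals",
            "scopes": hits,
            "persistent": "offline_access" in scopes,
            "severity": "high" if "offline_access" in scopes else "medium",
        })
    return findings


def revocation_steps(finding):
    """Graph calls that remove the access: delete the grant, then revoke the
    user's sign-in sessions so outstanding refresh tokens stop working.
    A password reset alone leaves the grant in place."""
    steps = [f"DELETE {GRAPH}/oauth2PermissionGrants/{finding['grant_id']}"]
    if finding["principal_id"]:
        steps.append(f"POST {GRAPH}/users/{finding['principal_id']}/revokeSignInSessions")
    return steps


# Constructed grant records in the shape of GET /oauth2PermissionGrants
# (not real tenant data). grant-A is a vetted mail add-in, grant-B is the
# lure app from a consent-phishing campaign, grant-C is an admin-consented app.
SAMPLE_GRANTS = [
    {"id": "grant-A", "clientId": "sp-mail-addin", "consentType": "Principal",
     "principalId": "user-1", "resourceId": "sp-graph",
     "scope": "openid profile offline_access User.Read Mail.Read"},
    {"id": "grant-B", "clientId": "sp-lure-app", "consentType": "Principal",
     "principalId": "user-1", "resourceId": "sp-graph",
     "scope": "openid profile offline_access User.Read Mail.Read Files.Read.All"},
    {"id": "grant-C", "clientId": "sp-scheduler", "consentType": "AllPrincipals",
     "principalId": None, "resourceId": "sp-graph",
     "scope": "Calendars.Read User.Read"},
]
KNOWN_CLIENTS = frozenset({"sp-mail-addin"})  # assumed allow-list of vetted apps

if __name__ == "__main__":
    for f in flag_risky_grants(SAMPLE_GRANTS, KNOWN_CLIENTS):
        print(f["severity"], f["client_id"], f["scopes"],
              "tenant-wide" if f["tenant_wide"] else "single user")
        for step in revocation_steps(f):
            print("   ", step)
```

The same logic applies whether the grants come from a scheduled Graph pull or from the "Consent to application" audit events a tenant forwards to its SIEM; the point is that the finding is the grant, and the fix is deleting the grant and revoking sessions, not rotating the password.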
