A growing share of successful mailbox compromise is not driven by password theft. It is driven by token theft and permission abuse. Recent reporting has highlighted how attackers can abuse legitimate Microsoft tooling and workflows, including the use of Copilot Studio agents in social engineering scenarios, to trick users into authorising an attacker-controlled application. Once the user approves the consent prompt, Microsoft issues that application OAuth tokens for the user’s data, and the attacker may gain access to email, files, calendars, and other tenant data without ever needing the user’s password.
This is a critical shift for partners because it changes what “good hygiene” looks like. Strong passwords and MFA protect the sign-in, but in a consent attack the user signs in legitimately, satisfies MFA, and then approves the attacker’s application; the token is issued to that application, not obtained through a stolen credential. If tenant policies allow users to approve any permission for any app, that approval step is left unprotected.
The partner takeaway: consent is the new credential
When a user clicks “accept” on the wrong consent prompt, the tenant records a permission grant for the attacker’s application and Microsoft issues it tokens. The grant appears in the tenant as an ordinary enterprise application, the sign-in behind it was genuine, and removing the grant is not part of a standard password reset, so the resulting access is ongoing and looks legitimate until someone goes looking for it.
To reduce customer exposure, partners should prioritise:
- Consent governance
  - Require admin approval for third-party app consent where possible: restrict user consent to low-impact permissions and turn on the admin consent workflow so blocked requests reach a reviewer rather than a dead end
  - Review existing enterprise applications and their delegated and application permissions; remove what is unused, and look hardest at mailbox, file and offline access granted by individual users
  - Monitor for new app registrations, new service principals and unusual permission grants (the “Consent to application” and “Add service principal” audit events in Entra ID)
- Token hygiene
  - Ensure customers can revoke suspicious tokens quickly and confidently. Revoking a user’s sessions invalidates refresh tokens, but access tokens already issued remain valid until they expire (typically within about an hour), so the permission grant must be removed and the application disabled as well
  - Incorporate token and consent-grant review into incident response playbooks alongside password resets
- User decision reduction
  - The best strategy is removing the need for users to judge complex consent prompts
  - Put guardrails in place so that only admin-reviewed apps can obtain high-risk permissions such as mailbox, file and offline access
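The following Microsoft Graph PowerShell script is an added example of how the three priorities above can be implemented in a customer tenant; it is not MailGuard’s or Microsoft’s code. It assumes the Microsoft.Graph module is installed and the operator is a Global Administrator. The high-risk permission pattern, the 30-day request window and the reviewer list are assumptions to be tuned per customer; the Microsoft first-party tenant ID used to skip Microsoft’s own apps is the well-known value.

```powershell
# Added example, not MailGuard's or Microsoft's code: Microsoft Graph PowerShell (Microsoft.Graph
# module) steps that implement the controls above in a customer tenant. Run as a Global
# Administrator; each delegated scope below is required by one of the calls that follow.
Connect-MgGraph -Scopes @(
    'Policy.ReadWrite.Authorization',         # user consent settings (authorizationPolicy)
    'Policy.ReadWrite.ConsentRequest',        # admin consent workflow (adminConsentRequestPolicy)
    'Application.ReadWrite.All',              # enumerate and disable service principals
    'DelegatedPermissionGrant.ReadWrite.All', # remove delegated grants
    'AppRoleAssignment.ReadWrite.All',        # remove application-permission grants
    'AuditLog.Read.All',                      # consent audit events
    'User.RevokeSessions.All'                 # invalidate refresh tokens
)

# Permissions that hand an attacker mailbox, file or persistent access. Assumption: tune per tenant.
$HighRiskPattern = 'Mail\.|MailboxSettings|Calendars\.|Files\.|Sites\.|Directory\.|offline_access'

# 1. Consent governance / user decision reduction: users may self-consent only to low-impact
#    permissions (the built-in 'microsoft-user-default-low' policy); everything else is blocked
#    and routed to named reviewers through the admin consent workflow.
function Set-ConsentGuardrails {
    param([Parameter(Mandatory)][string[]]$ReviewerUserId)   # object IDs of the approving admins
    Update-MgPolicyAuthorizationPolicy -BodyParameter @{
        defaultUserRolePermissions = @{
            # Use @() here instead to disable user consent entirely.
            permissionGrantPoliciesAssigned = @('ManagePermissionGrantsForSelf.microsoft-user-default-low')
        }
    }
    Update-MgPolicyAdminConsentRequestPolicy -BodyParameter @{
        isEnabled             = $true
        notifyReviewers       = $true
        remindersEnabled      = $true
        requestDurationInDays = 30   # assumption: how long a pending request stays open
        reviewers             = @($ReviewerUserId | ForEach-Object { @{ query = "/users/$_"; queryType = 'MicrosoftGraph' } })
    }
}

# 2. Review existing enterprise applications: every delegated and application permission
#    held by a non-Microsoft app, with high-risk permissions flagged for removal.
function Get-ConsentInventory {
    $microsoftTenant = 'f8cdef31-a31e-4b4a-93e4-5f571e91255a'   # well-known publisher tenant of Microsoft first-party apps
    foreach ($sp in Get-MgServicePrincipal -All -Filter "servicePrincipalType eq 'Application'") {
        if ($sp.AppOwnerOrganizationId -eq $microsoftTenant) { continue }
        # Delegated grants: the app acts as a user. ConsentType 'AllPrincipals' means an admin
        # consented for the whole tenant; 'Principal' means one user consented for themselves.
        foreach ($g in Get-MgServicePrincipalOauth2PermissionGrant -ServicePrincipalId $sp.Id -All) {
            [pscustomobject]@{
                App = $sp.DisplayName; AppId = $sp.AppId; Kind = 'Delegated'; ConsentType = $g.ConsentType
                Principal = $g.PrincipalId; Permission = $g.Scope.Trim()
                HighRisk = [bool]($g.Scope -match $HighRiskPattern); GrantId = $g.Id
            }
        }
        # Application grants: the app holds the permission itself, with no user in the loop.
        foreach ($a in Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id -All) {
            $resource = Get-MgServicePrincipal -ServicePrincipalId $a.ResourceId
            $role = ($resource.AppRoles | Where-Object Id -eq $a.AppRoleId).Value
            [pscustomobject]@{
                App = $sp.DisplayName; AppId = $sp.AppId; Kind = 'Application'; ConsentType = 'Tenant'
                Principal = $null; Permission = $role
                HighRisk = [bool]($role -match $HighRiskPattern); GrantId = $a.Id
            }
        }
    }
}

# 3. Monitor: consent-related directory audit events from the last N days.
function Get-RecentConsentEvents {
    param([int]$Days = 7)
    $since = (Get-Date).ToUniversalTime().AddDays(-$Days).ToString('yyyy-MM-ddTHH:mm:ssZ')
    $watch = 'Consent to application', 'Add service principal', 'Add application',
             'Add delegated permission grant', 'Add app role assignment to service principal'
    Get-MgAuditLogDirectoryAudit -All -Filter "activityDateTime ge $since and category eq 'ApplicationManagement'" |
        Where-Object { $_.ActivityDisplayName -in $watch } |
        Select-Object ActivityDateTime, ActivityDisplayName, Result,
            @{ n = 'Actor';  e = { $_.InitiatedBy.User.UserPrincipalName } },
            @{ n = 'Target'; e = { ($_.TargetResources | Select-Object -First 1).DisplayName } }
}

# 4. Token hygiene (incident response): for a confirmed malicious app, cut the access path
#    (grants), stop new token issuance (disable the app) and invalidate the consenting users'
#    refresh tokens. Access tokens already issued stay valid until they expire.
function Revoke-SuspiciousAppAccess {
    param([Parameter(Mandatory)][string]$AppId, [string[]]$AffectedUserId = @())
    $sp = Get-MgServicePrincipal -Filter "appId eq '$AppId'"
    if (-not $sp) { throw "No service principal in this tenant for appId $AppId" }
    Update-MgServicePrincipal -ServicePrincipalId $sp.Id -AccountEnabled:$false
    Get-MgServicePrincipalOauth2PermissionGrant -ServicePrincipalId $sp.Id -All |
        ForEach-Object { Remove-MgOauth2PermissionGrant -OAuth2PermissionGrantId $_.Id }
    Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id -All |
        ForEach-Object { Remove-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id -AppRoleAssignmentId $_.Id }
    foreach ($user in $AffectedUserId) { Revoke-MgUserSignInSession -UserId $user | Out-Null }
}

# Typical review run: list the high-risk permissions individual users granted to themselves.
# Get-ConsentInventory | Where-Object { $_.HighRisk -and $_.ConsentType -eq 'Principal' } | Format-Table
```

Run Set-ConsentGuardrails once per tenant and the inventory and monitoring functions on a schedule; the reviewers named in the admin consent workflow must hold the Global Administrator, Cloud Application Administrator or Application Administrator role, or they will not see the requests. Revoke-SuspiciousAppAccess belongs in the incident response playbook next to the password reset, because the reset on its own leaves the permission grant in place.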
How to talk about this with customers
A calm, board-ready framing is: “Attackers are shifting from stealing what people know, to exploiting what people approve.” This is not a reason to panic. It is a reason to modernise governance around identities, permissions, and email access, especially in Microsoft 365 environments where productivity and security decisions often intersect.
Keeping Businesses Safe and Secure
Prevention is always better than a cure, and one of the best defences is to encourage businesses to proactively boost their company’s cyber resilience levels to avoid threats landing in inboxes in the first place. With a staggering 94% of malware attacks reported to be delivered by email, email is an extremely important vector for businesses to fortify.
No one vendor can stop all email threats, so it’s crucial to remind customers that if they are using Microsoft 365 or Google Workspace, they should also have a third-party email security specialist in place to mitigate their risk. For example, using a specialist AI-powered email threat detection solution like MailGuard.
For a few dollars per staff member per month, businesses are protected by MailGuard's specialist, AI-powered zero-day email security. Special Ops for when speed matters! Our real-time zero-day email threat detection amplifies your client’s intelligence, knowledge, security and defence.
MailGuard provides a range of solutions to keep businesses safe, from email filtering to email continuity and archiving solutions. Speak to your clients today to ensure they’re prepared and get in touch with our team to discuss fortifying your client’s cyber resilience.
Talk to us
MailGuard's partner blog is a forum to share information; we want it to be a dialogue. Reach out to us and tell us what your customers need so we can serve you better. You can connect with us on social media or call us and speak to one of our consultants.
Australian partners, please call us on 1300 30 65 10
US partners call 1888 848 2822
UK partners call 0 800 404 8993