Entra ID OAuth Consent Can Grant ChatGPT Access to Emails
hackread.com
OAuth consent in Entra ID can grant apps like ChatGPT email access after approval, exposing hidden risks that may bypass MFA and enable persistent access.
We have all been there: quickly clicking the “Accept” option on a long list of permissions to get a new app running or new software installed. However, new research from the firm Red Canary suggests this common habit can be a goldmine for hackers.
By examining how a legitimate app like ChatGPT connects to corporate accounts, researchers found that its permission request process can sometimes be used by hackers to sneak into a person’s private inbox.
The Contoso Case Study
Researchers didn’t just guess how this happens; they tracked a specific scenario on 2 December 2025. An employee at a firm called Contoso Corp, identified as [email protected], linked the ChatGPT app to their work account.
The app, which has a specific App ...
Copyright of this story solely belongs to hackread.com.

