Threat: Phishing & impersonation

Workspace OAuth app install lure — email asks you to authorize a Slack / Teams / Jira / Notion / Asana app with broad scopes like channels:history or drive.readonly (2026 shadow-IT / SaaS compromise vector)

workspace-oauth-app-install-lure

What this tier means

High-confidence threat indicator — phishing, impersonation, BEC, or scam pattern. Strong contributor to the trash decision.

How Gorganizer detects this

The email lures the recipient into authorizing a malicious OAuth application on a collaboration platform (Slack, Microsoft Teams, Atlassian / Jira / Confluence / Trello, Notion, Asana, Linear, Zoom, Google Workspace, Monday, GitHub, GitLab, Bitbucket). One user approval on the consent screen grants the attacker persistent API-level access with the requested scopes — `channels:history` + `chat:write` (Slack), `Chat.Read` + `Files.Read.All` (Teams), `jira:read` + `jira:write` (Atlassian), `drive.readonly` (Google Workspace). No password, no MFA, and no further user interaction are needed; the attacker can read every message, download every file, and persist indefinitely until the token is manually revoked by an admin.

The signal fires when the body contains app-install flow language for a specific named platform AND OAuth / consent / scope / permissions language. It excludes known workspace-platform vendors (Slack, Microsoft, Atlassian, Notion, Asana, Linear, Zoom, Google, Monday, GitHub, GitLab, Bitbucket, Trello, Salesforce, Smartsheet), reply threads, and newsletters. It is auto-classified as danger via the `-lure` suffix.
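A minimal sketch of the firing and exclusion logic described above, as an added example that is not Gorganizer's own code. The phrase patterns, the vendor domain list, and the header checks for replies and newsletters are assumptions, and it handles single-part plain-text messages only.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumed phrase lists: the page names the categories, not the exact patterns.
PLATFORM = re.compile(r"\b(slack|teams|jira|confluence|trello|notion|asana|linear|zoom|"
                      r"google workspace|monday|github|gitlab|bitbucket)\b", re.I)
INSTALL = re.compile(r"\b(install|authori[sz]e|approve|connect|add)\b.{0,40}"
                     r"\b(app|integration|bot)\b", re.I)
CONSENT = re.compile(r"\b(oauth|consent|scopes?|permissions?)\b", re.I)
# Assumed sender domains for the vendors the page lists.
VENDOR_DOMAINS = {
    "slack.com", "microsoft.com", "atlassian.com", "notion.so", "asana.com",
    "linear.app", "zoom.us", "google.com", "monday.com", "github.com",
    "gitlab.com", "bitbucket.org", "trello.com", "salesforce.com", "smartsheet.com",
}

def is_vendor(from_header: str) -> bool:
    # Display names are sender-controlled, so only the address domain is compared.
    # Assumes SPF/DKIM/DMARC were already verified upstream.
    domain = parseaddr(from_header)[1].rpartition("@")[2].lower()
    return any(domain == v or domain.endswith("." + v) for v in VENDOR_DOMAINS)

def oauth_install_lure(raw: str) -> bool:
    msg = message_from_string(raw)
    if is_vendor(msg.get("From", "")):
        return False
    if msg.get("In-Reply-To") or msg.get("References"):    # reply thread
        return False
    if msg.get("List-Unsubscribe") or msg.get("List-Id"):  # newsletter
        return False
    body = "" if msg.is_multipart() else msg.get_payload()
    # Install language must name a platform within the same sentence.
    install = any(INSTALL.search(s) and PLATFORM.search(s)
                  for s in re.split(r"(?<=[.!?])\s+|\n+", body))
    return install and bool(CONSENT.search(body))

# Constructed sample messages (not real mail).
BODY = ("Please install the Meeting Notes app for Slack today.\n"
        "On the consent screen, approve the requested permissions.\n")
LURE = ('From: "Slack Admin" <it@workspace-tools.example>\n'
        "Subject: New app\n\n" + BODY)
VENDOR = "From: Slack <no-reply@slack.com>\nSubject: New app\n\n" + BODY
REPLY = ("From: bob@corp.example\nIn-Reply-To: <1@corp.example>\n"
         "Subject: Re: New app\n\n" + BODY)
NO_CONSENT = "From: a@b.example\n\nPlease install the Meeting Notes app for Slack today.\n"
```

The `LURE` sample carries a vendor name in the display name but a non-vendor address, which is why the exclusion compares the address domain only.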

False-positive guard

Every signal in Gorganizer feeds a multi-module score — never a sole verdict. This is a threat-tier signal — it adds a strong contribution to the trash score. The full pipeline still requires convergence across multiple modules + a margin over the safety floor before deletion happens, and Gmail's trash (30-day recovery) is always used — never permanent delete.

About the scoring engine

Gorganizer's scoring engine emits over 1,800 signals across six modules — headers, sender, subject, body, attachments, and structural metadata. Every email is scored by every module independently; the final verdict requires multiple modules to agree and the trash score to beat the safety floor by a margin.

Sacred safety guards — never delete starred emails, replies, calendar invites, receipts/invoices, or attachments — apply unconditionally regardless of any signal.
