Thought leadership. threat analysis, news and alerts.
As a large number of the world’s workforce shifted to working from home, attackers have turned their attention to this new group of remote workforce by leveraging the cyberattack called “consent phishing” to gain access to valuable data in cloud services.
What Is Consent Phishing?
Consent phishing is a cyberattack in which an attacker lures a victim to click on a malicious app. This malicious app masquerades as a legitimate app, tricking the victim to give consent to such malicious app and giving the attacker access to the victim’s sensitive data or other resources.
In the blog post "Protecting your remote workforce from application-based attacks like consent phishing," Agnieszka Girling, Partner Group PM Manager at Microsoft warned about consent phishing. While each consent phishing attack tends to vary, Girling said, the basic steps typically follow these steps:
First, an attacker registers a malicious app with an OAuth 2.0 provider, such as Azure Active Directory.
Second, the malicious app is developed in such a way that it appears, at first glance, as legitimate through the use of the name and logo of a popular product.
Third, the attacker tricks a victim to click on a malicious link. The malicious link is delivered by email, website, or other techniques.
Fourth, the victim clicks the malicious link and is asked to grant the malicious app permissions.
Fifth, once the victim grants the malicious app permissions, the malicious app gets an authorization code which it redeems for an access token, and potentially a refresh token.
Sixth, the access token is then used to access a cloud service on behalf of the victim.
Consent phishing is also known as OAuth phishing as this type of cyberattack abuses the OAuth protocol – an authentication protocol that allows websites and applications to request limited access to a user's cloud account without the need for a password. With OAuth, instead of a password, an authorization token is used to authenticate.
Real-Life Example of Consent Phishing Attack
PhishLabs reported that an attacker used a malicious Microsoft 365 app to gain access to a victim’s legitimate Microsoft 365 account. According to PhishLabs, the attacker presented the link of the malicious Microsoft 365 app via a traditional phishing message impersonating an internal SharePoint and OneDrive file-share.
PhishLabs said that the link provided led to a Microsoft 365 legitimate login page. After the victim logged in or if previously logged in, the victim was then presented with the Microsoft 365 access permissions request. Access approval granted the attacker full control of the victim’s Microsoft 365 account.
According to PhishLabs, the Microsoft 365 app was created using the information of a legitimate organization. “This is likely due to the organization having been previously compromised, allowing attackers to leverage their development credentials in building the app,” PhishLabs said.
Cybersecurity Best Practices Against Consent Phishing
In consent phishing attacks, the typical remediation steps such as resetting passwords or requiring Multi-Factor Authentication (MFA) on accounts aren’t effective as the malicious apps are external to the organization.
According to Microsoft, consent phishing attacks “leverage an interaction model which presumes the entity that is calling the information is automation and not a human.”
Microsoft recommends the following measures to detect and remediate consent phishing attacks targeting your organization’s Microsoft cloud environment:
Detect Malicious Apps Using Alerts
OAuth policies can be set automatically to send notifications when an OAuth app meets certain criteria. For instance, an OAuth policy can be set to send a notification when an OAuth app requires high permissions and was authorized by more than 50 users.
Detect Malicious Apps by Hunting
In detecting malicious apps by hunting, OAuth apps are reviewed based on suspicious name or suspicious publisher.
“Misleading names, such as foreign letters that resemble Latin letters, could indicate an attempt to disguise a malicious app as a known and trusted app,” Microsoft said. “Misleading publisher names, such as foreign letters that resemble Latin letters, could indicate an attempt to disguise a malicious app as an app coming from a known and trusted publisher.”
Once it’s determined that the OAuth app is malicious, the following remediations can be undertaken:
Steve E. Driz, I.S.P., ITCP