How to Protect Your Remote Workforce From Consent Phishing

As a large number of the world’s workforce shifted to working from home, attackers have turned their attention to this new group of remote workforce by leveraging the cyberattack called “consent phishing” to gain access to valuable data in cloud services.

What Is Consent Phishing?

Consent phishing is a cyberattack in which an attacker lures a victim to click on a malicious app. This malicious app masquerades as a legitimate app, tricking the victim to give consent to such malicious app and giving the attacker access to the victim’s sensitive data or other resources.

In the blog post "Protecting your remote workforce from application-based attacks like consent phishing," Agnieszka Girling, Partner Group PM Manager at Microsoft warned about consent phishing. While each consent phishing attack tends to vary, Girling said, the basic steps typically follow these steps:

First, an attacker registers a malicious app with an OAuth 2.0 provider, such as Azure Active Directory.

Second, the malicious app is developed in such a way that it appears, at first glance, as legitimate through the use of the name and logo of a popular product.

Third, the attacker tricks a victim to click on a malicious link. The malicious link is delivered by email, website, or other techniques.

Fourth, the victim clicks the malicious link and is asked to grant the malicious app permissions.

Fifth, once the victim grants the malicious app permissions, the malicious app gets an authorization code which it redeems for an access token, and potentially a refresh token.

Sixth, the access token is then used to access a cloud service on behalf of the victim.

Consent phishing is also known as OAuth phishing as this type of cyberattack abuses the OAuth protocol – an authentication protocol that allows websites and applications to request limited access to a user's cloud account without the need for a password. With OAuth, instead of a password, an authorization token is used to authenticate.

Real-Life Example of Consent Phishing Attack

PhishLabs reported that an attacker used a malicious Microsoft 365 app to gain access to a victim’s legitimate Microsoft 365 account. According to PhishLabs, the attacker presented the link of the malicious Microsoft 365 app via a traditional phishing message impersonating an internal SharePoint and OneDrive file-share.

PhishLabs said that the link provided led to a Microsoft 365 legitimate login page. After the victim logged in or if previously logged in, the victim was then presented with the Microsoft 365 access permissions request. Access approval granted the attacker full control of the victim’s Microsoft 365 account.

According to PhishLabs, the Microsoft 365 app was created using the information of a legitimate organization. “This is likely due to the organization having been previously compromised, allowing attackers to leverage their development credentials in building the app,” PhishLabs said.

Cybersecurity Best Practices Against Consent Phishing

In consent phishing attacks, the typical remediation steps such as resetting passwords or requiring Multi-Factor Authentication (MFA) on accounts aren’t effective as the malicious apps are external to the organization.

According to Microsoft, consent phishing attacks “leverage an interaction model which presumes the entity that is calling the information is automation and not a human.”

Microsoft recommends the following measures to detect and remediate consent phishing attacks targeting your organization’s Microsoft cloud environment:

Detect Malicious Apps Using Alerts

OAuth policies can be set automatically to send notifications when an OAuth app meets certain criteria. For instance, an OAuth policy can be set to send a notification when an OAuth app requires high permissions and was authorized by more than 50 users.

Detect Malicious Apps by Hunting

In detecting malicious apps by hunting, OAuth apps are reviewed based on suspicious name or suspicious publisher.

“Misleading names, such as foreign letters that resemble Latin letters, could indicate an attempt to disguise a malicious app as a known and trusted app,” Microsoft said. “Misleading publisher names, such as foreign letters that resemble Latin letters, could indicate an attempt to disguise a malicious app as an app coming from a known and trusted publisher.”

Remediation

Once it’s determined that the OAuth app is malicious, the following remediations can be undertaken:

• Revoking the malicious app’s permission in the Azure Active Directory Portal by navigating to the affected user in the Azure Active Directory User blade, selecting applications, selecting the illicit application, and clicking Remove in the drill down
• Revoking the OAuth consent grant with PowerShell by following the steps in Remove-AzureADOAuth2PermissionGrant
• Revoking the Service App Role Assignment with PowerShell by following the steps in Remove-AzureADServiceAppRoleAssignment
• Disabling sign-in for the affected account
• Turning integrated applications off for your organization’s tenancy