What Is Consent Phishing and How to Prevent Such Attacks
SANS Institute, the largest provider of cybersecurity training and certification to professionals, recently admitted that it fell victim to a consent phishing attack, leading to the theft of 28,000 records of personally identifiable information.
This recent successful consent phishing attack on SANS Institute highlights the growth of this type of cyberattack.
What Is Consent Phishing?
Consent phishing is a type of cyberattack that tricks victims into granting a malicious app permission to access legitimate cloud services such as Microsoft 365, formerly known as Office 365.
In a conventional phishing attack, an attacker attempts to obtain sensitive information or data by disguising themselves as a trustworthy individual or entity. The traditional way of launching a phishing attack is via email.
In an email-based conventional phishing attack, the attacker sends a malicious email to the target. This email masquerades as coming from a trusted individual or entity. Clicking on the link or attachment provided in the phishing email can lead to the installation and execution of malicious software (malware) on the recipient's computer.
According to SANS Institute, the consent phishing attack was discovered on August 6th as part of a systematic review of email configuration and rules. SANS's internal investigation of the incident showed that the company's email configuration and rules were changed, allowing the forwarding of emails to an external email address.
The change of the email forwarding configuration and rules allowed the forwarding of 513 emails to a suspicious external email address. Approximately 28,000 records of personally identifiable information were forwarded to a suspicious external email address, SANS said in its Data Incident 2020 report.
The information sent to the suspicious external email address includes email address, work title, first name and last name, work phone, company name, industry, address and country of residence.
How the Consent Phishing Attack Unfolded
In its Data Incident 2020 – Indicators of Compromise, SANS Institute reported that on July 24, 2020, several of its employees received an email with the subject “Copy of sans July Bonus 24JUL2020.xls”. The recipients of the email were enticed to click on the “Open” button to read the purported "Bonus" document in the Enabler4Excel 365 format – the new version of the popular Enabler4Excel add-in built to work on Microsoft Excel 2016 or higher and Microsoft Excel Online.
Clicking on the Open button, however, initiates the installation of a malicious Microsoft 365 app. Once installed, the malicious app changes the affected mailbox's forwarding rule and forwards emails containing the following keywords to an external email address: Bank, bic, capital call, cash, Contribution, dividend, fund, iban, Payment, purchase, shares, swift, transfer, Wire and wiring info.
According to SANS Institute, only one employee's email account was impacted in the consent phishing attack.
Consent Phishing: An Application-Based Threat
Consent phishing is an application-based threat in which an attacker seeks the target's permission for an attacker-controlled app to access valuable data stored in a cloud service.
In the blog post "Protecting your remote workforce from application-based attacks like consent phishing", Agnieszka Girling, Partner Group PM Manager at Microsoft said that consent phishing is another threat vector that organizations must be aware of. Girling said that consent phishing typically follows the following steps:
First, an attacker registers a malicious app with an OAuth 2.0 provider, such as Azure Active Directory. OAuth 2.0 is an industry-standard protocol for authorization, granting users of websites or applications access to other websites without the need of passwords.
Second, the malicious app is designed in such a way that it seems trustworthy, for example by using the name of a popular product used in the same IT environment.
Third, the attacker presents a link in front of the target via conventional email-based phishing, by compromising a legitimate website, or other techniques.
Fourth, the target clicks the link and is shown an authentic-looking consent button asking the target to grant the malicious app permission to access data in a particular cloud service.
Fifth, once the target clicks on the consent button, the malicious app is granted access to sensitive data stored in a cloud service such as Microsoft 365. The consent button is so powerful because it unwittingly grants the attacker access to the target's Microsoft 365 account contents, including email, forwarding rules, files, contacts, profile and materials stored in the target's OneDrive cloud storage space and corporate SharePoint document management and storage system.
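The two signals this attack leaves in a tenant's audit trail are the consent grant to the app (step five above) and the new inbox rule that forwards finance-related mail externally (described under the SANS incident). The following detection triage is an added example, not code from the article, SANS or Microsoft; the event records are constructed samples loosely modelled on Microsoft 365 audit log fields, and the set of "sensitive" scopes and the tenant allow-list are assumptions a defender would tune.

```python
# Subject keywords the malicious forwarding rule matched (listed in the SANS report).
SANS_KEYWORDS = {"bank", "bic", "capital call", "cash", "contribution", "dividend",
                 "fund", "iban", "payment", "purchase", "shares", "swift",
                 "transfer", "wire", "wiring info"}
# Delegated Graph scopes that expose mail or mailbox settings (assumed sensitive set).
SENSITIVE_SCOPES = {"Mail.Read", "Mail.ReadWrite", "MailboxSettings.ReadWrite", "offline_access"}
# Constructed sample events, loosely modelled on Microsoft 365 audit log fields.
EVENTS = [
    {"op": "Consent to application.", "user": "alice@example.com",
     "app_id": "00000000-0000-0000-0000-000000000001",
     "scopes": "Mail.ReadWrite MailboxSettings.ReadWrite offline_access"},
    {"op": "New-InboxRule", "user": "alice@example.com",
     "forward_to": "collector@attacker.invalid", "subject_contains": ["Wire", "IBAN", "Payment"]},
    {"op": "New-InboxRule", "user": "bob@example.com",
     "forward_to": "bob.archive@example.com", "subject_contains": ["newsletter"]},
]

def flag_consent(event, trusted_apps):
    """Reasons a user consent grant looks risky (empty list if it looks fine)."""
    reasons = []
    risky = set(event.get("scopes", "").split()) & SENSITIVE_SCOPES
    if risky:
        reasons.append("sensitive scopes: " + ", ".join(sorted(risky)))
    if event.get("app_id") not in trusted_apps:
        reasons.append("app not in tenant allow-list")
    return reasons

def flag_inbox_rule(event, internal_domain):
    """Reasons a new inbox rule looks like mail exfiltration."""
    reasons = []
    target = event.get("forward_to", "")
    if target and not target.lower().endswith("@" + internal_domain):
        reasons.append(f"forwards to external address {target}")
    hits = {w.lower() for w in event.get("subject_contains", [])} & SANS_KEYWORDS
    if hits:
        reasons.append("finance keywords: " + ", ".join(sorted(hits)))
    return reasons

def triage(events, internal_domain="example.com", trusted_apps=frozenset()):
    """Map the index of each suspicious event to its reasons; clean events are omitted."""
    findings = {}
    for i, ev in enumerate(events):
        if ev["op"] == "Consent to application.":
            reasons = flag_consent(ev, trusted_apps)
        else:
            reasons = flag_inbox_rule(ev, internal_domain) if ev["op"] == "New-InboxRule" else []
        if reasons:
            findings[i] = reasons
    return findings
```

Running `triage(EVENTS)` flags Alice's consent grant and her external forwarding rule while leaving Bob's internal archive rule alone; in practice the same two checks run over exported audit log records rather than the constructed samples.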
Cybersecurity Best Practices Against Consent Phishing
On the part of Microsoft, the company said that it filed legal actions against criminals who deployed consent phishing designed to compromise Microsoft customer accounts. The company said its Digital Crimes Unit (DCU) first observed cybercriminals deploying consent phishing in December 2019 and called it “a sophisticated, new phishing scheme”.
Here are some cybersecurity best practices in order to prevent or mitigate the effects of consent phishing:
Steve E. Driz, I.S.P., ITCP