1.888.900.DRIZ (3749)
The Driz Group
  • Managed Services
    • Web Application Security >
      • Schedule WAF Demo
    • Virtual CISO
    • Compliance >
      • SOC1 & SOC2
      • GDPR
    • Third-Party Risk Management
    • Vulnerability Assessment >
      • Free Vulnerability Assessment
  • About us
    • Testimonials
    • Meet The Team
    • Resources
    • In the news
    • Careers
    • Subsidiaries
  • Contact
    • Newsletter
  • How WAF Works
  • Blog
  • Managed Services
    • Web Application Security >
      • Schedule WAF Demo
    • Virtual CISO
    • Compliance >
      • SOC1 & SOC2
      • GDPR
    • Third-Party Risk Management
    • Vulnerability Assessment >
      • Free Vulnerability Assessment
  • About us
    • Testimonials
    • Meet The Team
    • Resources
    • In the news
    • Careers
    • Subsidiaries
  • Contact
    • Newsletter
  • How WAF Works
  • Blog

Cybersecurity Blog

Thought leadership. Threat analysis. Cybersecurity news and alerts.

8/17/2020

0 Comments

What Is Consent Phishing and How to Prevent Such Attack

 
what is consent phishing

What Is Consent Phishing and How to Prevent Such Attack

SANS Institute, the largest provider of cybersecurity training and certification to professionals, recently admitted that it fell victim to consent phishing attack, leading to the theft of 28,000 records of personally identifiable information.

This recent successful consent phishing attack on SANS Institute highlights the growth of this type of cyberattack.

What Is Consent Phishing?

Consent phishing is a type of cyberattack that tricks victims into getting their permission via a malicious app to access legitimate cloud services such as Microsoft 365, formerly known as Office 365.

In a conventional phishing attack, an attacker attempts to obtain sensitive information or data by disguising oneself as a trustworthy individual or entity. The traditional way of launching a phishing attack is via email.

In leveraging an email for a conventional phishing attack, an attacker sends a malicious email to the target. This email masquerades as coming from a trusted individual or entity. Clicking on the link or attachment provided in the phishing email could lead to the installation and running of a malicious software (malware) on the email receiver's computer.

According to SANS Institute, the consent phishing attack was discovered last August 6th as part of a systematic review of email configuration and rules. SANS's internal investigation of the incident showed that the company's email configuration and rules werechanged, allowing the forwarding of emails to an external email address.

The change of the email forwarding configuration and rules allowed the forwarding of 513 emails to a suspicious external email address. Approximately 28,000 records of personally identifiable information were forwarded to a suspicious external email address, SANS said in its Data Incident 2020 report.

The information sent to the suspicious external email address includesemail address, work title, first name and last name, work phone, company name, industry, address and country of residence.

How the Consent Phishing Attack Unfolded?

In its Data Incident 2020 – Indicators of Compromise, SANS Institute reported that on July 24, 2020, several of its employees received an email with the subject “Copy of sans July Bonus 24JUL2020.xls”. The recipients of the email were enticed to click on the “Open” button to read the purported "Bonus" document in the Enabler4Excel 365 format – the new version of the popular Enabler4Excel add-in built to work on Microsoft Excel 2016 or higher and Microsoft Excel Online.

Clicking on the Open button, however, initiates the installation of a malicious Microsoft 365 app. Once installed, the malicious app changes the affected email’s forwarding rule and forwarding emails with the following keywords to an external email address: Bank, bic, capital call, cash, Contribution, dividend, fund, iban, Payment, purchase, shares, swift, transfer, Wire and wiring info.

According to SANS Institute, only one employee's email account was impacted in the consent phishing attack.

Consent Phishing: An Application-Based Threat

Consent phishing is an application-based threat in which an attacker seeks the target's permission for an attacker-controlled app to access valuable data stored in a cloud service.

In the blog post "Protecting your remote workforce from application-based attacks like consent phishing", Agnieszka Girling, Partner Group PM Manager at Microsoft said that consent phishing is another threat vector that organizations must be aware of. Girling said that consent phishing typically follows the following steps:

First, an attacker registers a malicious app with an OAuth 2.0 provider, such as Azure Active Directory. OAuth 2.0 is an industry-standard protocol for authorization, granting users of websites or applications access to other websites without the need of passwords.

Second, the malicious app is designed in such as a way that makes it seem trustworthy, such as using the name of a popular product used in the same IT environment.

Third, the attacker presents a link in front of the target via conventional email-based phishing, by compromising a legitimate website, or other techniques.

Fourth, the target clicks the link and is shown an authentic-looking consent button asking the target to grant the malicious app permission to access data in a particular cloud service.

Fifth, once the target clicks on the consent button, the malicious app is then granted access to sensitive data stored in a cloud service such as Microsoft 365. The consent button is so powerful as it unwitting grants the attacker access to the target's Microsoft 365 account contents, including email, forwarding rules, files, contacts, profile and materials stored in the target's OneDrive cloud storage space and corporate SharePoint document management and storage system.

Cybersecurity Best Practices Against Consent Phishing

On the part of Microsoft, the company said that it filed legal actions against criminals who deployed consent phishing designed to compromise Microsoft customer accounts. The company said its Digital Crimes Unit (DCU) first observed in December 2019 cybercriminals deploying consent phishing calling it “a sophisticated, new phishing scheme”.

Here are some cybersecurity best practices in order to prevent or mitigate the effects of consent phishing:

  • Use multi-factor authentication
  • Block email auto-forwarding to make it difficult for cybercriminals to steal data
  • Train employees to spot phishing campaigns
  • Verify the app name and domain URL before consenting to an app.
  • Configure app consent policies by allowing employees to only consent to specific apps that your organization verified, such as apps from verified publishers or developed by your organization.
  • Audit apps and consented permissions in your organization to make sure that apps being used are accessing only the data needed and following the principle of least privilege – referring to the concept and practice of restricting access rights of users to the bare minimum to perform the required job.

Need help with cybersecurity risk mitigation to better protect your valuable assets? Call us today 1.888.900.DRIZ (3749) or email [email protected]

0 Comments

Your comment will be posted after it is approved.


Leave a Reply.

    Author

    Steve E. Driz, I.S.P., ITCP

    Picture
    View my profile on LinkedIn

    Archives

    January 2023
    December 2022
    June 2022
    May 2022
    February 2022
    December 2021
    November 2021
    October 2021
    September 2021
    August 2021
    July 2021
    June 2021
    May 2021
    April 2021
    March 2021
    February 2021
    January 2021
    December 2020
    November 2020
    October 2020
    September 2020
    August 2020
    July 2020
    June 2020
    May 2020
    April 2020
    March 2020
    February 2020
    January 2020
    December 2019
    November 2019
    October 2019
    September 2019
    August 2019
    July 2019
    June 2019
    May 2019
    April 2019
    March 2019
    February 2019
    January 2019
    December 2018
    November 2018
    October 2018
    September 2018
    August 2018
    July 2018
    June 2018
    May 2018
    April 2018
    March 2018
    February 2018
    January 2018
    December 2017
    November 2017
    October 2017
    September 2017
    August 2017
    July 2017
    June 2017
    May 2017
    April 2017
    March 2017
    February 2017
    January 2017
    December 2016
    October 2016
    August 2016
    May 2016
    March 2016
    January 2016
    November 2015
    October 2015
    August 2015
    June 2015

    Categories

    All
    0-Day
    2FA
    Access Control
    Advanced Persistent Threat
    AI
    Artificial Intelligence
    ATP
    Awareness Training
    Botnet
    Bots
    Brute Force Attack
    CASL
    Cloud Security
    Compliance
    COVID 19
    COVID-19
    Cryptocurrency
    Cyber Attack
    Cyberattack Surface
    Cyber Awareness
    Cyber Espionage
    Cybersecurity
    Cyber Security
    Cyber Security Consulting
    Cyber Security Insurance
    Cyber Security Risk
    Cyber Security Threats
    Data Breach
    Data Governance
    Data Leak
    Data Leak Prevention
    DDoS
    Email Security
    Fraud
    GDPR
    Hacking
    IoT
    Malware
    MFA
    Microsoft Office
    Mobile Security
    Network Security Threats
    Phishing Attack
    Privacy
    Ransomware
    Remote Access
    SaaS Security
    Social Engineering
    Supply Chain Attack
    Supply-Chain Attack
    Third-Party Risk
    Virtual CISO
    Vulnerability
    Vulnerability Assessment
    Web Applcation Security
    Web-applcation-security
    Web Application Firewall
    Web Application Protection
    Web Application Security
    Web Protection
    Windows Security
    Zero Trust

    RSS Feed

Picture

1.888.900.DRIZ (3749)

Managed Services

Picture
Web Application Security
​Virtual CISO
Compliance
​Vulnerability Assessment
Free Vulnerability Assessment
Privacy Policy | CASL

About us

Picture
Testimonials
​Meet the Team
​Subsidiaries
​Contact us
​Blog
​
Jobs

Resources & Tools

Picture
​Incident Management Playbook
Sophos authorized partner logo
Picture
© 2023 Driz Group Inc. All rights reserved.
Photo used under Creative Commons from GotCredit