Microsoft is warning users that the shift to remote working during the pandemic has exposed organizations to additional security threats including consent phishing.
Unlike traditional phishing attacks where cybercriminals try to steal user credentials, consent phishing is a technique where attackers trick users into granting a malicious app access to sensitive data or other resources.
Once an attacker has compromised a victim’s Office 365 account, they can then obtain access to their mail, files, contacts, notes, profiles and other sensitive information and resources stored in their organization’s SharePoint or OneDrive accounts.
In a blog post, partner group PM manager at Microsoft, Agnieszka Girling explained why application-based attacks have grown in popularity among cybercriminals, saying:
“While application use has accelerated and enabled employees to be productive remotely, attackers are looking at leveraging application-based attacks to gain unwarranted access to valuable data in cloud services. While you may be familiar with attacks focused on users, such as email phishing or credential compromise, application-based attacks, such as consent phishing, is another threat vector you must be aware of.”
In a consent phishing attack, cybercriminals trick victims into providing malicious Office 365 OAuth applications access to their Office 365 accounts. Malicious Office 365 OAuth applications are web apps that attackers have registered with an OAuth 2.0 provider such as Azure Active Directory to appear more legitimate.
Once this has been done, an attacker will send the link to users either through email-based phishing, by compromising a non-malicious website or by using other techniques. If a user clicks on the link, they will be shown an authentic consent prompt asking them to grant the malicious app permissions to their data.
When a user accepts this request, the malicious app is then granted permissions to access their sensitive Office 365 data. The malicious app then receives an authorization token which it redeems for an access token that is then used to make API calls on behalf of the user.
To protect against consent phishing, Microsoft recommends that organizations educate their employees on the tactics used in these attacks including poor spelling and grammar as well as spoofed app names and domain URLs. Promoting the use of applications that have been publisher verified and configuring application consent policies can also help protect against these kinds of attacks.