Why you need to know about consent phishing

Most of you are familiar with attacks aimed at users, such as email phishing or credential theft. Application-based attacks, such as consent phishing, are, however, new to many. This means most of you do not know the extent of the threat and have not implemented the right measures to protect yourself and your company against it.

 

What is consent phishing? 

With consent phishing, attackers trick users into granting a malicious app access to sensitive data or other resources. Instead of trying to steal the user's password, the attacker asks the user for permission: once the user consents, an attacker-controlled application is allowed to access the user's data on the user's behalf.

The attack presents a consent prompt for an application requesting extensive permissions. As with a legitimate application, the consent screen lists every permission the app will receive, and the screen itself is the genuine one served by the identity provider, so checking the address bar does not expose the attack. Because few users understand what the permission names mean, and because the malicious app usually uses the same name as, or a near copy of the name of, a popular product in the same ecosystem, many users accept uncritically on the assumption that the app is trustworthy.

If you accept, you grant the attackers access to your data. Depending on your privileges within the organization, you risk granting them far more: an administrator who consents on behalf of the organization grants the app that access for every user.

 

How does it work and why is it a risk?

By granting the malicious app access, you let it complete an OAuth 2.0 authorization flow: the app receives an authorization code, which it redeems at the identity provider's token endpoint for an access token. OAuth 2.0 is the authorization framework Microsoft 365 and most other cloud platforms use to let an application act on a user's behalf. It does not itself establish who you are; that happens when you sign in. What the token carries is delegated authorization: which actions the application may perform for you, without the application ever handling your password.

The attackers use this access token to make API calls on your behalf (in Microsoft 365, against Microsoft Graph), which gives them your e-mail, mailbox forwarding rules, files, contacts, notes, profile and other sensitive data.

With cloud-hosted e-mail, a malicious application that has also been issued a refresh token (requested through the offline_access scope) keeps background access for as long as the refresh token is valid, whether or not you are signed in. The attackers can then use the REST API to search your mail and enumerate your contacts at their leisure.
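The request the victim clicks, and what a defender can read off it, as an added example (not code from the original article): a Python script that parses an OAuth 2.0 authorize link and reports the app, the host the authorization code is sent to, the requested scopes and whether offline_access (a refresh token) is among them. The client IDs, hostnames and tenant names in it are constructed placeholders, and the scope-to-impact mapping is this example's own reading of the Microsoft Graph permission names.

```python
"""Triage an OAuth 2.0 consent link of the kind delivered by consent phishing.

Added example, not code from the original article. The client IDs, redirect
hosts and tenant names below are constructed placeholders, not real apps.
"""
from urllib.parse import parse_qs, urlparse

# Delegated Microsoft Graph permissions matching the data the article lists.
# The impact wording is this example's own reading of the permission names.
HIGH_RISK_SCOPES = {
    "Mail.Read": "read the whole mailbox",
    "Mail.ReadWrite": "read, modify and delete mail",
    "Mail.Send": "send mail as the user",
    "MailboxSettings.ReadWrite": "create forwarding and inbox rules",
    "Files.ReadWrite.All": "read and modify every file the user can reach",
    "Contacts.Read": "enumerate contacts",
    "Notes.Read.All": "read OneNote notebooks",
    "offline_access": "receive a refresh token, so access outlives the session",
}

# Constructed sample: genuine Microsoft authorize endpoint, but an
# attacker-registered app and redirect host asking for far too much.
PHISHING_LINK = (
    "https://login.microsoftonline.com/common/oauth2/v2.0/authorize"
    "?client_id=00000000-1111-2222-3333-444444444444"
    "&response_type=code"
    "&redirect_uri=https%3A%2F%2Fmail-sync-helper.example%2Fcallback"
    "&response_mode=query"
    "&scope=openid%20profile%20offline_access%20Mail.ReadWrite"
    "%20MailboxSettings.ReadWrite%20Files.ReadWrite.All%20Contacts.Read"
    "&state=7f3a&prompt=consent"
)

# Constructed sample: an ordinary sign-in that asks only for the user's profile.
BENIGN_LINK = (
    "https://login.microsoftonline.com/contoso.example/oauth2/v2.0/authorize"
    "?client_id=11111111-2222-3333-4444-555555555555"
    "&response_type=code"
    "&redirect_uri=https%3A%2F%2Fintranet.contoso.example%2Fsignin-oidc"
    "&scope=openid%20profile%20User.Read&state=9c1d"
)


def parse_consent_link(url: str) -> dict:
    """Extract the fields that decide what a click on this link would grant."""
    u = urlparse(url)
    q = {k: v[0] for k, v in parse_qs(u.query).items()}
    path = u.path.strip("/").split("/")
    scopes = q.get("scope", "").split()
    return {
        "authority_host": u.netloc,
        "tenant": path[0] if path else "",  # 'common' accepts users of any tenant
        "client_id": q.get("client_id", ""),
        "redirect_host": urlparse(q.get("redirect_uri", "")).netloc,
        "scopes": scopes,
        "risky": {s: HIGH_RISK_SCOPES[s] for s in scopes if s in HIGH_RISK_SCOPES},
        "persistent": "offline_access" in scopes,
    }


def triage(url: str, trusted_redirect_hosts: set) -> list:
    """Return human-readable findings; an empty list means nothing stood out."""
    info = parse_consent_link(url)
    findings = []
    # The authority host is normally genuine: Microsoft serves the consent
    # screen. The tells are the app, where the code is sent, and the scopes.
    if info["authority_host"] != "login.microsoftonline.com":
        findings.append(f"unexpected authority host {info['authority_host']}")
    if info["redirect_host"] not in trusted_redirect_hosts:
        findings.append(f"authorization code goes to untrusted host {info['redirect_host']}")
    for scope, impact in info["risky"].items():
        findings.append(f"scope {scope}: {impact}")
    if info["tenant"] == "common":
        findings.append("'common' endpoint: a multi-tenant app, possibly registered in any tenant")
    return findings


if __name__ == "__main__":
    for name, link in (("phishing", PHISHING_LINK), ("benign", BENIGN_LINK)):
        print(name, triage(link, {"intranet.contoso.example"}) or ["no findings"])
```

The point the script makes is that the link is not a fake login page: the authority host and the consent screen are the real ones, so the only things worth inspecting are the client_id, the redirect_uri and the scope list.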

A compromised token can also be the first step towards other services. If it gives the attackers access to your primary mailbox, they can, for example, trigger the forgotten-password routines of other services and pick up the reset links from your inbox.

Because the token gives direct API access, a second authentication factor never comes into play, and changing your password does not invalidate a token that has already been issued, nor does it remove the consent grant behind it; the grant itself has to be revoked. Abuse over an API channel is also hard to detect, because the calls can align very closely with a legitimate application's workflow.

In other words, consent phishing is a real and potentially very dangerous threat. If you want to take the necessary steps to keep your IT environment safe from this kind of breach, we are here to help.

 

What are the next steps? 

We have extensive knowledge of Microsoft 365 and of how to configure your environment so that it is secure. We can lead you through the whole process of protecting your organization against consent phishing by helping you implement the right procedures and measures. We can assist your admin staff, notify your end users, and audit your whole Microsoft 365 environment. We are also more than happy to help you remediate any problems the audit uncovers.

To get started, we recommend that you check out our Security Report or run a separate check of the enterprise applications already consented to in your tenant, and restrict user consent right away so that new requests go through admin consent.
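One way to do that check of existing grants, as an added example that is not the article's or Microsoft's code: a Python audit over an export shaped like the Microsoft Graph servicePrincipal and oauth2PermissionGrant objects. It flags user-consented grants of mail, mailbox-settings, file, contact, note or offline_access scopes, apps owned outside the tenant that have no verified publisher, and display names that imitate well-known products. The export, IDs and tenant values are constructed placeholders; the lookalike list and the sensitive-scope pattern are assumptions to tune for your environment.

```python
"""Audit delegated-permission grants in a tenant for signs of consent phishing.

Added example, not code from the article or from Microsoft. The input is a
constructed export shaped like Microsoft Graph servicePrincipal and
oauth2PermissionGrant objects; every ID, name and tenant below is a placeholder.
"""
import json
import re

OUR_TENANT_ID = "aaaa0000-0000-0000-0000-000000000001"                 # placeholder
MICROSOFT_FIRST_PARTY_TENANT = "f8cdef31-a31e-4b4a-93e4-5f571e91255a"  # well-known value
TRUSTED_OWNERS = {OUR_TENANT_ID, MICROSOFT_FIRST_PARTY_TENANT}

# Product names attackers borrow; compared after normalisation so that
# "Micros0ft Teams" or "microsoft-teams-sync" still match. Extend as needed.
WELL_KNOWN_NAMES = ["Microsoft Teams", "Microsoft Outlook", "SharePoint", "OneDrive"]

# Delegated scopes exposing mail, rules, files, contacts, notes or a refresh token.
SENSITIVE_SCOPE = re.compile(r"^(Mail|MailboxSettings|Files|Contacts|Notes)\.|^offline_access$")

# Constructed export (assumption): what GET /servicePrincipals and
# GET /oauth2PermissionGrants might return for a small tenant.
EXPORT = json.loads("""
{
  "servicePrincipals": [
    {"id": "sp-1", "appId": "app-1", "displayName": "Microsoft Teams",
     "appOwnerOrganizationId": "f8cdef31-a31e-4b4a-93e4-5f571e91255a",
     "verifiedPublisher": {"displayName": "Microsoft Corporation"}},
    {"id": "sp-2", "appId": "app-2", "displayName": "Microsoft Teams Sync",
     "appOwnerOrganizationId": "bbbb0000-0000-0000-0000-000000000002",
     "verifiedPublisher": {}},
    {"id": "sp-3", "appId": "app-3", "displayName": "Payroll Portal",
     "appOwnerOrganizationId": "aaaa0000-0000-0000-0000-000000000001",
     "verifiedPublisher": {}}
  ],
  "oauth2PermissionGrants": [
    {"clientId": "sp-1", "consentType": "AllPrincipals", "principalId": null,
     "scope": "User.Read Chat.ReadWrite"},
    {"clientId": "sp-2", "consentType": "Principal", "principalId": "user-17",
     "scope": "Mail.ReadWrite MailboxSettings.ReadWrite offline_access Files.ReadWrite.All"},
    {"clientId": "sp-3", "consentType": "Principal", "principalId": "user-03",
     "scope": "User.Read"}
  ]
}
""")


def normalise(name: str) -> str:
    """Lower-case, undo the usual digit-for-letter swaps, drop punctuation."""
    return re.sub(r"[^a-z]", "", name.lower().replace("0", "o").replace("1", "l"))


def looks_like_known_product(name: str) -> bool:
    n = normalise(name)
    return any(normalise(known) in n for known in WELL_KNOWN_NAMES)


def audit(export: dict) -> dict:
    """Map appId -> reasons for every application whose grants deserve review."""
    principals = {sp["id"]: sp for sp in export["servicePrincipals"]}
    findings = {}
    for grant in export["oauth2PermissionGrants"]:
        sp = principals[grant["clientId"]]
        owner = sp.get("appOwnerOrganizationId")
        verified = bool((sp.get("verifiedPublisher") or {}).get("displayName"))
        reasons = []
        if owner not in TRUSTED_OWNERS and not verified:
            reasons.append("third-party app without a verified publisher")
        if owner != MICROSOFT_FIRST_PARTY_TENANT and looks_like_known_product(sp["displayName"]):
            reasons.append("display name imitates a well-known product")
        sensitive = [s for s in grant["scope"].split() if SENSITIVE_SCOPE.match(s)]
        if grant["consentType"] == "Principal" and sensitive:
            reasons.append(f"user {grant['principalId']} consented to {' '.join(sensitive)}")
        for reason in reasons:  # one app may hold several grants; keep each reason once
            if reason not in findings.setdefault(sp["appId"], []):
                findings[sp["appId"]].append(reason)
    return findings


if __name__ == "__main__":
    for app_id, reasons in audit(EXPORT).items():
        print(app_id, *reasons, sep="\n  ")
```

In a real tenant the two collections come from the Microsoft Graph /servicePrincipals and /oauth2PermissionGrants endpoints (or the corresponding Microsoft Graph PowerShell cmdlets). For an app the audit flags, revoke its permission grant and disable the service principal before anything else; then tighten the tenant's user consent settings so that future requests for such scopes must go through admin consent.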
