Consent-Phishing Attacks – It’s a Thing | Quisitive
Solutions
Integration & Consulting
Help you move, operate, innnovate and thrive within the Microsoft clouds.
Application Development
Data & Analytics
Artificial Intelligence (AI)
Business Applications
Security
Digital Workplace
Infrastructure
Product Development
Technology
Explore the full list of technologies that our expert consultants can support.
Azure
Microsoft Teams
Microsoft 365
Power Platform
Dynamics 365
Power BI
Microsoft Copilot
Power Apps
Azure OpenAI
Sharepoint
Microsoft Fabric
Microsoft Sentinel
Azure Synapse
Windows
SQL Server
ERP Technologies
System Center
Microsoft Viva
Azure Virtual Desktop
Business Needs
Departmental solutions to ensure cloud and technology enablement across every area of your business.
Sales & Marketing
Operations
Human Resources
Finance & Accounting
Customer Service
Localization Services
Help you translate software so you can capture new business worldwide.
Language Engineering & NLP
Translations & Localization
Licensing
Experts in Microsoft cloud licensing and optimizing costs for your business.
Products
EmPerform
Provide people managers with flexible employee performance management software.
Velocity Insights
Monitor, analyze, and prioritize .NET, JavaScript or Node JS errors – all on one dashboard.
AgeChecker.net
Ensure local and federal compliance with our age verification tool for retail.
PowerGov
Engage citizens with a community development app for city maintenance and management.
MazikCare
Embrace patient-centered, collaborative care with our suite of real-time health solutions.
Care Path
Care Provider Link
Care Supply
Payer Matrix
Data Fusion
AMS
Deliver on your cloud strategy with a team that continuously monitors, improves, and optimizes your Azure environment.
ShopFloor
Empower production managers with cutting-edge manufacturing process management.
Spyglass
Take a proactive, continuous approach to optimizing your security environment and strategy.
Managed Services
Azure Management Services
Deliver on your cloud strategy with a team that continuously monitors, improves, and optimizes your Azure environment.
App Dev Program
Ongoing enhancements, app security, DevOps and reporting for apps running in Azure.
Data & AI Program
Operational support for running, monitoring and managing services for the Azure Data Platform.
Dynamics Program
Ensure the health of your Dynamics environments, optimize usage and encourage user adoption.
Digital Workplace Program
Optimize Microsoft 365 security, usage and user adoption with our digital workplace experts.
Security Program
Take a proactive, continuous approach to optimizing your security environment and strategy.
Power Platform Program
Get an extension of your team that ensures the health of your Power Platform.
Quisitive Flex
Routine support services and environment management for critical Microsoft systems
Industries
Manufacturing
Education
Public Sector
Financial Services
Healthcare
Energy
Retail
Software
Resources
Blogs
Case Studies
Library
Newsletters
Events
News
Learning Channels
About
Investors
Leadership
Microsoft
Our Approach
Our Partners
Our Story
Awards & Recognition
Careers
Support
Contact us
Solutions
Back
Solutions
Integration & Consulting
Application Development
Data & Analytics
Artificial Intelligence (AI)
Business Applications
Security
Digital Workplace
Infrastructure
Product Development
Technology
Azure OpenAI
Microsoft Copilot
Microsoft Fabric
Azure
Azure Synapse
Azure Virtual Desktop
System Center
SQL Server
Microsoft Sentinel
Microsoft 365
Sharepoint
Microsoft Teams
Microsoft Viva
Windows
Power Platform
Power BI
Power Apps
Dynamics 365
ERP Technologies
Business Needs
Sales & Marketing
Operations
Human Resources
Finance & Accounting
Customer Service
Localization Services
Language Engineering & NLP
Translations & Localization
Licensing
Products
Back
Products
EmPerform
AgeChecker.net
MazikCare
Care Path
Care Provider Link
Care Supply
Payer Matrix
Data Fusion
ShopFloor
Velocity Insights
PowerGov
AMS
Spyglass
Managed Services
Back
Managed Services
Azure Management Services
Data & AI Program
Digital Workplace Program
Power Platform Program
App Dev Program
Dynamics Program
Security Program
Quisitive Flex
Industries
Back
Industries
Manufacturing
Healthcare
Education
Energy
Public Sector
Retail
Financial Services
Software
Resources
Back
Resources
Blogs
Events
Case Studies
News
Library
Learning Channels
Newsletters
Investors
Back
Investors
Financial Reports & Results
Investor News
Earning calls
Contact
Contact us
About
Back
About
Our Story
Investors
Microsoft
Leadership
Our Partners
Awards & Recognition
Our Approach
Careers
Support
Search
Back
Terms of use
Privacy policy
Consent-Phishing Attacks – It’s a Thing
March 10, 2021
Quisitive
We provide assistance to identify consent-phishing threats among many and implement protections for them. See how we can help you today.

As COVID dramatically shifted how people work over the last long year,  many businesses have accelerated their adoption of cloud services to support collaboration and productivity from virtually anywhere, but namely from home.

Over the past year, our Spyglass Security & Compliance team has witnessed explosive increases in the adoption of applications such as Microsoft Teams, Zoom, Hangouts, and many other apps. Of key interest for this post, is the “other apps” mention.  How our workforce personnel access company resources warrants even more focus for businesses, and here’s why. While legitimate application use (e.g., Teams, Zoom, Hangouts) has accelerated and enabled employees to be productive remotely and remain connected to co-workers despite work from home mandates, attackers have focused on application-based attacks to gain unauthorized access to your data.  This is where the “other apps” need to be scrutinized carefully, as some could be malicious.

While much of our workforce personnel are familiar with attacks focused on users, such as email phishing or credential compromise, application-based attacks such as consent phishing is another threat vector to be aware of.  Today we wanted to share one of the ways application-based attacks can target the valuable data your organization cares about, and what you can do today to stay safe.  Our Spyglass services team works with our clients to help continually improve security posture while enabling more collaboration (securely). Functionally, we provide assistance to identify threats such as consent-phishing among many and implement protections for them, in order to reduce the risks of such attacks.

However, when we meet many new clients through our award-winning M365 Security Assessment, we consistently identify malicious apps interacting with client Office 365 environments due to poorly configured (or unconfigured) security protections and also due to successful attacks involving consent-phishing attacks carried out on victim users. Below is an illustration of one such (and common) consent-phishing attack.  Notice that an application named Email from a publisher name Test, was consented by a user and is actively interacting via OAuth with Office 365 targeting contacts, data, and other potentially sensitive information.

M365 Security Assessment - OAuth Consent-Phishing
Consent screen from an M365 Security Assessment revealing a successful consent-phishing attack.. Unfortunately, we routinely find successful attacks when we perform our M365 Security Assessment for new clients. The findings are scary, but we can protect you.

Developers create apps that integrate user and organizational data from cloud platforms to enhance and personalize their experiences. Cloud platforms are rich in data but in turn have attracted malicious actors seeking to gain unwarranted access to this data. One such attack is consent phishing, where attackers trick users into granting a malicious app access to sensitive data or other resources. Instead of trying to steal the user’s password, an attacker is seeking permission for an attacker-controlled app to access valuable data.

While each attack tends to vary, the core steps usually look something like this:

  1. An attacker registers an app with an OAuth 2.0 provider, such as Azure Active Directory.
  2. The app is configured in a way that makes it seem trustworthy, like using the name of a popular product used in the same ecosystem.
  3. The attacker gets a link in front of users, which may be done through conventional email-based phishing, by compromising a non-malicious website, or other techniques.
  4. The user clicks the link and is shown an authentic consent prompt asking them to grant the malicious app permissions to data.
  5. If a user clicks accept, they will grant the app permissions to access sensitive data.
  6. The app gets an authorization code which it redeems for an access token, and potentially a refresh token.
  7. The access token is used to make API calls on behalf of the user.

If the user consents (or accepted the app’s requested access, then the attacker can gain access to their mail, forwarding rules, files, contacts, notes, profile and other sensitive data and resources.

An image of a Consent screen from a sample malicious app named “Risky App."
Consent screen from a sample malicious app named “Risky App”

Guidance to protect your organization

With Microsoft’s integrated security stack, we are able to identify and take measures to remediate malicious apps by disabling them and preventing users from accessing them. In some instances. Microsoft has also taken legal action to further protect its customers. While attackers will always persist, there are steps you can take to further protect your organization. Some best practices include the following:

  • Check for poor spelling and grammar. If an email message or the application’s consent screen has spelling and grammatical errors, it’s likely to be a suspicious application.
  • Keep a watchful eye on app names and domain URLs. Attackers like to spoof app names that make it appear to come from legitimate applications or companies but drive you to consent to a malicious app. Make sure you recognize the app name and domain URL before consenting to an application.
  • Check out Attack Simulator and Training or ask Quisitive to show you how it works or implement it for you

Promote and allow access to apps you trust:

  •   Promote the use of applications that have been publisher verified.  Publisher verification helps admins and end-users understand the authenticity of application developers. Over 660 applications by 390 publishers have been verified thus far.
  • Configure application consent policies by allowing users to only consent to specific applications you trust, such as application developed by your organization or from verified publishers.

The increased use of cloud applications has demonstrated the need to improve application security. For additional best practices and safeguards review Microsoft’s Detect and Remediate Illicit Consent Grants in Office 365 and Five steps to securing your identity infrastructure which provide additional good guidance based on best-practices.

Hope this helps. Stay Safe.

Until next time,

Ed

Related posts
|
Read more
Ebook PDF Preview Image: Unlocking the Next Frontier in Cybersecurity
Security | 23 Apr
eBook: Unlocking the Next Frontier in Cybersecurity
Read more
Quisitive team at HIMSS 2024
Security | 18 Apr
Reflecting on HIMSS 2024: Key Insights for Healthcare Leaders
Read more
Copilot Security Concerns blog - a team of technology professionals sits around a table, having a meeting with their laptops in front of them
Security | 28 Mar
Navigating Security in Copilot for Microsoft 365: Avoiding the Pitfalls of Oversharing 
Read more