A new post by the Microsoft security team warns about a new type of phishing attack vector targeting users. Consent Phishing, as they refer to it as, targets users by asking for an egregious amount of permissions from Single-Sign-On allowing the bad actors to abuse the accounts they have been granted access to.
Taking advantage of the shift of a large number of employees from working in the office to working from home, attackers have begun abusing the increased need of employees to download and use cloud based applications. These applications often use Single-Sign-On resulting in a false sense of security from those who use the easy to use single click to sign up or install the application. These one click installations grant access to a variety of permissions that can be abused by bad actors and range from sending emails on users behalf, access to a users contact list, to having access to all files that a user has and the ability to create, modify, or delete them.
The potential for abuse is obvious if one of these compromising applications gets access to a user, and therefore must be protected against. While steps can be made to defend against users installing or connecting their accounts to these applications, understanding how the attack works and sharing that information can be an effective way to help train employees to recognize when they are being targeted.
How the Attack Works
- A bad actor registers their app with an OAuth 2.0 provider, like Azure Active Directory.
- The application is configured to make it appear trustworthy, such as emulating the name of a popular product or brand used but the industry.
- A link is sent to users, through a variety of ways including conventional email phishing.
- Once the user clicks the link they are shown the authentic consent prompt asking them to grant a variety of permissions to the malicious app.
- When the user accepts the permissions, they grant access to sensitive data to the application.
- The app gets an authorization code which it redeems for an access token, and potentially a refresh token.
- The access token is used to make API calls on behalf of the user.
This new attack vector relies on those targeted to blindly accept terms from what they believe to be trustworthy sources. The best way to defend against this new type of attack, and others, is to have a strong program in place that trains employees to be vigilant in identifying potential threats, how attacks can work, and what to do when they encounter a potential threat.
