Since 2019, the global workplace has experienced immense increases in the use of collaborative applications such as Microsoft Teams, Hangouts, Zoom, and Slack.
While these legitimate applications enable remote employees to remain productive and connected to co-workers, cybercriminals have seized the opportunity to launch application-based attacks called ‘consent phishing’ to gain access to company data.
While most people are familiar with email phishing, consent phishing is application-based and harder to detect. At Securus Communications, we have been seeing a steady increase in consent phishing. Here is what you need to know about this latest form of malware attack.
What Is Consent Phishing?
Consent phishing is a specialised cyberattack that fools victims into offering permission through a malicious app that enables the attacker to access legitimate cloud services or sharing apps such as Microsoft 365 or Teams.
Most of us are familiar with phishing attacks in general, which involve the attacker attempting to obtain sensitive data or information by disguising it as a trustworthy entity.
The vehicle is often in the form of a malicious email that appears to come from a trusted source. When the recipient clicks on the link or attachment in the email, they inadvertently install or run malicious malware on their computer.
Consent phishing is a different beast. Using OAuth 2.0 technology, an attacker creates an app that spoofs trusted sources. Next, they send the link via email. Once the user downloads the app and accepts permissions, the attacker gains access to private data.
The app receives an access token that enables the attacker to make Application Program Interface (API) calls. With this, the attacker can access files, email, contacts, and other sensitive data.
What makes consent phishing so successful is that most users don’t understand that a malicious agent is now abusing the familiar sign-on they use with LinkedIn, Microsoft 365, or some other OAuth provider. Also, users often don’t understand the permission prompts either, as these prompts have become increasingly unclear and confusing.
Microsoft’s Consent Phishing Warning
Due to the rise in cloud services and related apps, attackers are leveraging the opportunity to benefit from application-based attacks. Often, such attacks utilise malicious Office 365 OAuth applications, giving cybercriminals access to victims’ Office 365 accounts and resources.
Microsoft reports that attackers are registering malicious apps with an OAuth 2.0 provider like Azure Active Directory, which makes them appear trustworthy. In response, Microsoft continuously identifies, disables, and blocks malicious apps as it discovers them. The company also secures its own applications by allowing users to see the apps’ consent policies. It also highlights apps that come from trusted publishers.
Microsoft stresses the importance of employing a Zero Trust security model with a multi-layer defence architecture. For example, Microsoft 365 Defender protects against consent phishing using multiple solutions: Microsoft Defender for Cloud Apps, Microsoft Defender for Office 365, and Azure Active Directory (Azure AD).
Azure AD blocks users from granting consent to apps that it deems potentially risky. Further, admins can control when users can grant consent to apps. Microsoft recommends giving users consent control only for verified publishers.
Microsoft Defender for Office 365 provides durable protection against phishing and aids in blocking consent phishing campaigns altogether. It identifies malicious apps, prevents users from accessing them, and provides organisations with threat data.
Likewise, Microsoft Defender for Cloud Apps employs similar detection and OAuth app policies that help organisations manage apps connected to their cloud environment.
How to Identify Consent Phishing
By design, consent phishing messages are difficult to identify because they look authentic. However, there are some ways to identify consent phishing. For instance, be sure you recognise the name of the app or domain URL before you download anything.
Attackers often use names similar to legitimate companies, so they seem familiar. It’s essential to educate yourself and your staff about spotting phoney URLs that appear in phishing emails. They often contain minor spelling or grammar errors that are easy to overlook.
Another critical action is to stick with Publisher Verified apps. When an app is marked as Publisher Verified, you know its identity has gone through a verification process within the Microsoft Partner Network. You will see a blue badge on the Azure AD consent prompt. If you don’t see the badge, assume the link or file is malicious and report the message to your IT team right away.
Finally, Microsoft advises that organisations understand how permissions and consent work, especially in Microsoft’s platform. Staff needs to understand what data and permissions an application is asking for. Employees should only access the data they need, and administrators should also know how to evaluate and manage requests.
How to Protect Against Consent Phishing
Microsoft has built-in consent phishing protection within Microsoft 365. Note that you should follow Microsoft’s recommendation only to allow users to consent to app publishers verified in Azure Active Directory, which you can fund under the User Consent settings.
In addition to keeping this recommended setting, other ways to safeguard against phishing attacks are limiting user privileges, adding two-factor authentication (2FA), and disabling legacy authentication and their related services (examples are POP/IMAP/SMTP). We will discuss 2FA more in the next section.
Because phishing emails and consent phishing applications are becoming more sophisticated, they will remain difficult to spot and avoid. Furthermore, as remote working platforms continue to expand, security becomes all the more necessary.
One of the best ways to protect both business and staff is to invest in anti-phishing software (hardened for content phishing) and also enable Office 365 security services. If you are not sure of the best way to proceed, simply get in touch, and one of the Securus security team can go over your precise requirements.
Security service providers remain available to their customers to prevent phishing attacks through phishing protection services. Such providers employ the most current artificial intelligence technology and behavioural learning to identify phishing attacks. They also provide SPAM protection, which removes malicious email links from your employees’ inboxes.
Why 2FA Is Strongly Recommended
Two-factor identification adds an essential extra layer of protection to any account or online platform. 2FA makes it far more difficult for an attacker to access your data. Thus, it reduces the chances of a phishing attack and instances of data loss, fraud, and identity theft.
Of course, the first form of authentication is usually a username and password. While having a strong password is a reasonable security measure, malicious agents can steal passwords, especially weak or generic ones.
Here is where the second form of authentication comes into play. The second authentication is typically an SMS or email containing a PIN or code you enter. This second step is one that a hacker cannot replicate since they don’t have access to your smartphone or email account. Other types of 2FA are a face scan, fingerprint, or another Microsoft or Google app.
Staff Awareness and Security Training
Staff should be made aware of consent phishing and other phishing techniques. The best way to do this is to provide formal network security training to all staff, (Securus can run these sessions if you’d prefer). That training can cover many topics and should undoubtedly include information about consent phishing.
Some of the concepts involved in identifying consent phishing include checking incoming messages for poor spelling and grammar. Another tell-tale sign of phishing is when the application’s consent screen, potentially spoofed app names, and phoney domain URLs look like they are legitimate applications from a familiar company. There will, however, be some differences in the spelling or logo that are easy to spot if you are looking with a critical eye.
5 Other Common Phishing Techniques
Phishing is one of the most challenging threats companies face, and consent phishing is just one of many phishing techniques employed by criminals. Here are some of the most common phishing campaigns that target corporations:
1. Email phishing
Most phishing attacks deploy by email. The criminal agent registers a fake domain that represents an actual organisation. They send thousands of generic requests via email. As a general rule, you should always check the sender’s email address before clicking a link or attachment.
2. Spear phishing
Spear phishing is a more sophisticated type because the email is sent to a specific person or group. The criminals behind these attacks take time to gather enough information about the recipients to make their emails seem more legitimate.
Whaling attacks are even more targeted than spear phishing because they target senior executives. The messages are even more personalised, and the requests are more subtle and plausible. For example, some involve asking the recipient to verify bogus tax forms.
4. Smishing and Vishing
Smishing and vishing attacks deploy by telephone rather than email. Smishing messages arrive by text message, and vishing is a voice call. The criminal often poses as a fraud investigator from a bank or credit card company. They notify the victim that their account has been breached and then ask for card details for verification.
5. Angler phishing
A relatively new attack vector, angler phishing uses social media to trick people. Criminals use posts, tweets, and instant messaging to persuade people to divulge sensitive information or download malware. Also, criminals use the victims’ own posts to gather the information needed to create targeted attacks.
Due mainly to the COVID-19 pandemic, the global workspace has evolved into a work-from-anywhere model, where staff is remoting into the company network from a host of locations.
Because of this, security is challenged with keeping up with an ever-expanding threat landscape. Consent phishing is just one of the newer threats out there that must be mitigated by informed staff and security teams.
If you would like to discuss your network security requirements in more detail with one of our cyber security professionals, please don’t hesitate to get in touch.