Modern applications integrate user and company data from cloud platforms to improve and personalize their experiences. These cloud platforms are rich in data, but have in turn attracted malicious actors who want to gain unjustified access to this data.
One of these attacks is so-called “Consent Phishing”, in which attackers trick users into giving a malicious application access to sensitive data or other resources. Instead of trying to steal the user’s password, an attacker seeks permission from an attacker-controlled application to access valuable data.
Although each attack is different, the core steps usually look something like this:
- An attacker registers an application with an OAuth 2.0 provider, such as Azure Active Directory.
- The application is configured to appear trustworthy, like using the name of a popular product used in the same ecosystem.
- The attacker receives a link in front of the user, which can be done by conventional email-based phishing, by compromising a non-malicious website, or by other techniques.
- The user clicks on the link and receives an authentic request for consent asking the malicious application to give permission for data.
- When a user clicks “Agree”, they give the application permission to access sensitive data.
- The application receives an authorization code, which it redeems for an access token and possibly a refresh token.
- The access token is used to make API calls on behalf of the user.
- If the user agrees, the attacker could gain access to their emails, forwarding rules, files, contacts, notes, profiles, and other sensitive data and resources.
Can evaluate and monitor trillions of signals with integrated security solutions from identity and access management, device management, threat protection and cloud security to identify malicious applications. “Using our signals, we were able to identify malicious applications and take action to fix them by disabling them and preventing users from accessing them. In some cases we have also taken legal action to protect our customers even better, ”explains Agnieszka Girling, Partner Group PM Manager at Microsoft.
There are a few steps you can take to protect your business. Some best practices include:
- Educate your organization about Consent Phishing tactics: pay attention to poor spelling and grammar. If an email message or the application’s consent screen has spelling and grammatical errors, it is likely a suspicious application. Pay attention to app names and domain URLs. Attackers like to fake app names that appear to be from legitimate applications or companies, but make you agree to malicious applications. Make sure you recognize the application name and domain URL before agreeing to an application.
- Identify applications that you trust and allow access to those applications. The same applies to applications that are “publisher verified”. Publisher verification helps administrators and end users recognize the authenticity of application developers. To date, over 660 applications from 390 Microsoft publishers have been verified. Configure application approval policies by allowing users to only approve specific applications that they trust, such as: B. Applications developed by your organization or verified publishers.
- Understand how the Microsoft approval and approval framework works. Review the data and permissions an application is asking for and learn how permissions and consents work within the Microsoft platform. Make sure that administrators know how to manage and evaluate consent forms. Check applications and approvals to ensure that the applications used only access the data they need and comply with the principles of least privilege.
Online seminar: Network security and network monitoring in the new normal
The Gigamon Visibility Platform is the catalyst for the fast and optimized provision of data traffic for security tools, network performance and application performance monitoring. Find out in this webinar how Gigamon solutions can increase the efficiency of your security architecture and save costs.