How to protect your organization from application consent attacks
By now, we all know the traditional way of phishing. But what if we told you that attackers are not always going after credentials, and that Multi-Factor Authentication won’t protect you in all cases? Microsoft has been warning organizations about so-called consent phishing attacks. Here the user sign-in takes place at a legitimate identity provider (e.g. Microsoft) and not on a fake landing page, as we see with traditional phishing attempts. Users are tricked into granting permissions to malicious, attacker-controlled cloud applications through a simple and genuine consent popup. And let’s be honest: we all know that a high percentage of users don’t read the popup message before clicking the ‘Accept’ button.
A user granting permissions to a malicious OAuth cloud application can allow the attacker to read and write mailboxes, files, chats, organization info, policies, configurations, logs, resources, users and more on behalf of that user. After extracting data or performing malicious actions, the attackers can maintain persistence and continue to further compromise the target organization.
By default, non-admin users can register custom-developed cloud applications with limited permissions in your tenant, without any admin consent or approval. These limited permissions can be used by the attacker to escalate their privileges and move laterally within your organization.
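As an added example (not code from the original post), the following Python triages a tenant's OAuth2 permission grants for the kind of mailbox, file, chat and directory access described above; the records mimic the Microsoft Graph oauth2PermissionGrant shape, while the high-risk scope list and the sample records are constructed assumptions to tune for your own tenant.

```python
from dataclasses import dataclass
from typing import Optional

# Delegated Graph scopes that let an app act on mail, files, chats and the
# directory on behalf of the consenting user (assumption: tune for your tenant).
HIGH_RISK_SCOPES = {
    "Mail.Read", "Mail.ReadWrite", "Mail.Send",
    "Files.Read.All", "Files.ReadWrite.All",
    "Chat.Read", "Chat.ReadWrite",
    "Directory.Read.All", "Directory.ReadWrite.All",
    "offline_access",  # refresh token: access persists after the session ends
}

@dataclass(frozen=True)
class Finding:
    client_id: str
    principal_id: Optional[str]  # None when the grant applies to all users
    risky_scopes: tuple
    tenant_wide: bool

def risky_grants(grants):
    """Return one Finding per grant carrying at least one high-risk scope."""
    findings = []
    for g in grants:
        # 'scope' is a space-separated list, as in Graph oauth2PermissionGrant
        hits = sorted(set(g.get("scope", "").split()) & HIGH_RISK_SCOPES)
        if hits:
            findings.append(Finding(
                client_id=g["clientId"],
                principal_id=g.get("principalId"),
                risky_scopes=tuple(hits),
                tenant_wide=g.get("consentType") == "AllPrincipals",
            ))
    return findings

# Constructed sample records: a benign user consent, a user consent with mail
# and file access plus offline_access, and a tenant-wide admin grant.
SAMPLE_GRANTS = [
    {"clientId": "app-benign", "consentType": "Principal", "principalId": "user-1",
     "resourceId": "graph", "scope": "User.Read openid"},
    {"clientId": "app-suspicious", "consentType": "Principal", "principalId": "user-2",
     "resourceId": "graph", "scope": "User.Read Mail.ReadWrite Files.ReadWrite.All offline_access"},
    {"clientId": "app-admin", "consentType": "AllPrincipals", "principalId": None,
     "resourceId": "graph", "scope": "Directory.Read.All"},
]

if __name__ == "__main__":
    for finding in risky_grants(SAMPLE_GRANTS):
        print(finding)
```

In practice the grant list comes from the tenant itself, and each finding is the starting point for reviewing who consented, when, and whether the app publisher is verified.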
Consent phishing attacks make the existing threat landscape even more sophisticated. Here, the importance of implementing a Zero Trust security model is demonstrated once again. Therefore, we suggest our Zero Trust Assessment to identify the current state of your cloud security operations, as well as to determine what the next stage is and how to get there.