August 3, 2020



Microsoft warns users of the dangers of consent phishing

Microsoft is warning customers that the shift to remote working during the pandemic has exposed businesses to additional security threats, among them consent phishing.

Unlike conventional phishing attacks, in which cybercriminals try to steal a user's credentials, consent phishing is a technique in which attackers trick users into granting a malicious application access to sensitive data or other resources. The attacker never needs the password: the victim signs in to the real identity provider and then approves the app.

Once the attacker's app has been granted access to a victim's Office 365 account, the attacker can reach the victim's mail, files, contacts, notes and profile, along with other sensitive data and resources stored in the organization's SharePoint or OneDrive.

In a blog post, Agnieszka Girling, Partner Group PM Manager at Microsoft, explained why application-based attacks have grown in popularity among cybercriminals:

“While application use has accelerated and enabled employees to be productive remotely, attackers are looking at leveraging application-based attacks to gain unwarranted access to valuable data in cloud services. While you may be familiar with attacks focused on users, such as email phishing or credential compromise, application-based attacks, such as consent phishing, are another threat vector you must be aware of.”

In a consent phishing attack, cybercriminals trick victims into granting malicious Office 365 OAuth apps access to their Office 365 accounts. These malicious apps are ordinary web applications that the attacker has registered with an OAuth 2.0 provider such as Azure Active Directory, so that they carry a legitimate-looking name, logo and application ID and are served through the provider's own consent flow.

Once the app is registered, the attacker delivers a link to users, whether through email-based phishing, by planting it on a compromised but otherwise legitimate website, or by other means. If a user clicks the link, they are shown a genuine consent prompt, served by the identity provider itself, asking them to grant the malicious app permissions to their data. Because the prompt is real, the only warning signs are the app's name and publisher and the permissions it requests.

When the user accepts this request, the malicious app is granted permission to access their sensitive Office 365 data. The app receives an authorization code, which it redeems for an access token (and, if it requested offline access, a refresh token) that it then uses to make API calls on behalf of the user. Since the access is tied to the app's consent grant rather than to a stolen password, resetting the victim's password or enforcing MFA does not end it; the grant has to be revoked and the app removed.

To protect against consent phishing, Microsoft recommends that businesses educate their employees about the techniques used in these attacks, such as poor spelling and grammar, spoofed app names and look-alike domain names. Promoting the use of publisher-verified apps and configuring application consent policies, so that users cannot grant sensitive permissions on their own, can also help protect against these attacks.
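The two checks a defender actually runs against the flow described above, written here as an added example (this is not Microsoft's or BleepingComputer's code): first, triaging a consent link pulled from a phishing email by the delegated permissions it asks the victim to approve and where the authorization code is sent afterwards; second, reviewing existing permission grants to find ones a user should never have been allowed to approve on their own. The scope names (Mail.Read, Files.ReadWrite.All, offline_access, User.Read and so on) are real Microsoft Graph delegated permissions, and the grant fields clientId, consentType, principalId and scope mirror the Graph oauth2PermissionGrants resource; the displayName and verifiedPublisher fields, the app IDs, the URL and the grant records are all constructed for the example.

```python
"""Consent phishing triage helpers (added example, not Microsoft's code).

1. triage_consent_url: classify an Azure AD v2.0 authorize link by the scopes
   it requests and the host that will receive the authorization code.
2. audit_grants: flag oauth2PermissionGrants records (joined with each app's
   publisher state) that a consent policy should have blocked.
All sample data below is constructed for the example.
"""
from urllib.parse import urlparse, parse_qs

# Delegated Graph scopes that hand an app the victim's mailbox, files or a
# long-lived refresh token. Treat these as the sensitive tier.
HIGH_RISK_SCOPES = {
    "Mail.Read", "Mail.ReadWrite", "Mail.Send",
    "Files.Read.All", "Files.ReadWrite.All",
    "Contacts.Read", "Notes.Read.All",
    "offline_access",  # refresh token: access outlives the session
}
# Scopes any app legitimately needs just to sign a user in.
LOW_RISK_SCOPES = {"openid", "profile", "email", "User.Read"}

AAD_AUTHORIZE_HOSTS = {"login.microsoftonline.com", "login.windows.net"}


def triage_consent_url(url):
    """Describe what a consent link asks for.

    The prompt the victim sees is genuine (Azure AD renders it), so the only
    signal in the link itself is *what* the app requests and *where* the
    authorization code is redirected.
    """
    u = urlparse(url)
    q = parse_qs(u.query)
    scopes = set()
    for raw in q.get("scope", []):          # space-separated, URL-decoded by parse_qs
        scopes.update(s for s in raw.split() if s)
    # Scopes may be written with the full resource prefix; keep the short name.
    norm = {s.rsplit("/", 1)[-1] if s.startswith("https://") else s for s in scopes}
    redirect_host = urlparse(q.get("redirect_uri", [""])[0]).netloc.lower()
    high = sorted(norm & HIGH_RISK_SCOPES)
    is_aad = (u.netloc.lower() in AAD_AUTHORIZE_HOSTS
              and "/oauth2/" in u.path and u.path.endswith("/authorize"))
    return {
        "is_aad_authorize": is_aad,
        "client_id": q.get("client_id", [""])[0],
        "scopes": sorted(norm),
        "high_risk_scopes": high,
        "redirect_host": redirect_host,
        "verdict": "investigate" if high else "low",
    }


def audit_grants(grants):
    """Flag risky grants from an oauth2PermissionGrants export.

    consentType "Principal" means one user consented for themselves;
    "AllPrincipals" means an admin consented for the tenant. verifiedPublisher
    is assumed to be joined from the app's service principal for this example.
    """
    findings = []
    for g in grants:
        scopes = set(g["scope"].split())
        high = sorted(scopes & HIGH_RISK_SCOPES)
        reasons = []
        if g["consentType"] == "Principal" and high:
            reasons.append("user self-consented to sensitive scopes: " + ", ".join(high))
        if not g.get("verifiedPublisher", False) and (scopes - LOW_RISK_SCOPES):
            reasons.append("unverified publisher holds more than sign-in scopes")
        if reasons:
            findings.append({"clientId": g["clientId"], "app": g["displayName"],
                             "principalId": g.get("principalId"), "reasons": reasons})
    return findings


# Constructed sample input: a link of the shape an attacker would mail out.
PHISHING_URL = (
    "https://login.microsoftonline.com/common/oauth2/v2.0/authorize"
    "?client_id=d4e5f6&response_type=code&response_mode=query"
    "&redirect_uri=https%3A%2F%2Foffice365-docs-viewer.example%2Fcallback"
    "&scope=openid%20offline_access%20Mail.Read%20Files.ReadWrite.All"
)

# Constructed sample export: one admin-consented SSO app, one self-consented
# look-alike app from an unverified publisher, one harmless self-consented app.
SAMPLE_GRANTS = [
    {"clientId": "a1b2c3", "displayName": "Corporate SSO", "verifiedPublisher": True,
     "consentType": "AllPrincipals", "principalId": None,
     "scope": "openid profile User.Read"},
    {"clientId": "d4e5f6", "displayName": "Office 365 Docs Viewer", "verifiedPublisher": False,
     "consentType": "Principal", "principalId": "u-1001",
     "scope": "openid offline_access Mail.Read Files.ReadWrite.All"},
    {"clientId": "g7h8i9", "displayName": "Timesheet", "verifiedPublisher": True,
     "consentType": "Principal", "principalId": "u-1002", "scope": "User.Read"},
]

if __name__ == "__main__":
    print(triage_consent_url(PHISHING_URL))
    for f in audit_grants(SAMPLE_GRANTS):
        print(f["app"], f["clientId"], f["reasons"])
```

The link triage flags the Docs Viewer app because it asks for offline_access, Mail.Read and Files.ReadWrite.All, exactly the mail-and-files access the article describes; the grant audit surfaces the same app twice over, once because a user self-consented to sensitive scopes and once because its publisher is unverified. A real deployment would pull the grants and service principals from Microsoft Graph instead of the constructed list, and the findings are the grants to revoke.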

By using BleepingComputer