New Remote Attack on Workforce Asks For Consent

A newer type of attack that is gaining momentum with the work-from-home (WFH) shift is consent phishing, which seeks the user's permission rather than their password.

With today's widespread use of cloud applications like Webex, Zoom, and Box for increased productivity, the average person has no doubt run across an application that asks for consent. Attackers have leveraged this familiarity to create malicious applications that request permission to access sensitive data. Once the user has granted the application access, it's game over.

How it works

While each attack method varies, it usually comes down to the following steps:

  1. Threat actor registers a malicious app with an OAuth 2.0 provider, such as Azure Active Directory, AWS, or Google Cloud

  2. The app is configured in an inconspicuous way that makes it seem legitimate

  3. The threat actor gets the link in front of the user, which may be done through conventional email-based phishing or by compromising a non-malicious website

  4. The victim clicks the link and is shown a familiar-looking consent prompt asking them to grant the application permission to access sensitive data

  5. Once the user clicks Accept, they have granted the application permission to access sensitive data

  6. The malicious application receives an authorization code, which it then redeems for an access token, and potentially a refresh token

  7. The access token is used to make API calls on behalf of the user

How to protect against this type of attack

  • Advanced endpoint protection

  • User awareness: misspellings or grammar errors in an application consent prompt are telltale signs that it may be malicious

  • Configure your organization to allow only applications that are published and verified

  • Configure policies that whitelist only approved apps for use
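The attack steps above and the last two protections can be turned into a simple detection: review each consent grant recorded in the identity provider's audit log and flag apps that are not on the approved list, are not from a verified publisher, or asked for the mailbox/file scopes and the offline_access scope that yields refresh tokens. The following is an added example written for this post, not code from the author; the log field names, the scope watch-list and the approved app ID are constructed assumptions, not a real provider's schema.

```python
import json

# Delegated permissions a consent-phishing app typically asks for (mail, files) plus
# offline_access, which lets it obtain refresh tokens. Constructed watch-list, not official.
HIGH_RISK_SCOPES = {
    "Mail.Read", "Mail.ReadWrite", "Files.Read.All", "Files.ReadWrite.All",
    "Contacts.Read", "User.Read.All", "offline_access",
}

# Application IDs the organisation has explicitly approved (constructed allowlist).
APPROVED_APP_IDS = {"11111111-1111-1111-1111-111111111111"}

def assess_consent(event: dict) -> list[str]:
    """Return findings for one consent-grant event; an empty list means no concern."""
    findings = []
    scopes = set(event.get("scopes", "").split())
    if event["app_id"] not in APPROVED_APP_IDS:
        findings.append("app not on the approved list")
    if not event.get("publisher_verified", False):
        findings.append("publisher not verified")
    risky = sorted(scopes & HIGH_RISK_SCOPES)
    if risky:
        findings.append("high-risk scopes: " + ", ".join(risky))
    if "offline_access" in scopes:
        findings.append("offline_access: app can keep access via refresh tokens")
    return findings

def triage(log_lines: list[str]) -> dict[str, list[str]]:
    """Parse JSON-lines audit records and map each consent event id to its findings."""
    results = {}
    for line in log_lines:
        event = json.loads(line)
        if event.get("activity") != "Consent to application":
            continue  # only consent grants matter for this check
        results[event["id"]] = assess_consent(event)
    return results

# Constructed sample records in a simplified schema (field names are assumptions).
SAMPLE_LOG = [
    '{"id": "evt-1", "activity": "Consent to application", "user": "alice@example.com", '
    '"app_id": "11111111-1111-1111-1111-111111111111", "publisher_verified": true, "scopes": "User.Read"}',
    '{"id": "evt-2", "activity": "Consent to application", "user": "bob@example.com", '
    '"app_id": "22222222-2222-2222-2222-222222222222", "publisher_verified": false, '
    '"scopes": "User.Read Mail.Read Files.Read.All offline_access"}',
    '{"id": "evt-3", "activity": "Update user", "user": "carol@example.com"}',
]

if __name__ == "__main__":
    for event_id, findings in triage(SAMPLE_LOG).items():
        print(event_id, "->", findings or ["no findings"])
```

In a real deployment the input would be the provider's consent audit events and the approved list would come from the tenant's app consent policy; the checks themselves stay the same.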

Author: Carlos Neto