New Remote Attack on Workforce Asks For Consent
A newer type of attack that is gaining momentum with the WFH revolution is Consent Phishing, which seeks the user’s permission rather than their password.
With today’s widespread use of cloud applications like Webex, Zoom, and Box for increased productivity, the average person has no doubt run across an application that asks for consent. Attackers have leveraged this familiarity to create malicious applications that request permission to access sensitive data. Once the user has granted the application access, it’s Game Over.
How it works
While each attack method varies, it usually comes down to the following steps:
Threat actor registers a malicious app with an OAuth 2.0 provider, such as Azure Active Directory, AWS, or Google Cloud
The app is configured in an inconspicuous way that makes it seem legitimate
The threat actor gets the link in front of the user, which may be done through conventional email-based phishing or by compromising an otherwise legitimate website
The victim clicks the link and is shown the familiar-looking consent prompt asking them to allow the application permission to sensitive data
Once the user clicks accept, they have granted the application permissions to access sensitive data
The malicious application receives an authorization code, which it then redeems for an access token, and potentially a refresh token
The access token is used to make API calls on behalf of the user
How to protect against this type of attack
Advanced endpoint protection
User awareness: if the application consent prompt contains misspellings or grammar errors, those are telltale signs that it may be malicious
Configure your organization to only allow applications that are published and verified
Configure policies to whitelist only certain apps for use
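The following script is an added example, not code from the original post. It ties the attack steps above (an app requesting broad scopes plus offline_access so it keeps a refresh token after the user closes the tab) to the last two defensive measures: an approved-app list and a verified-publisher requirement. The consent-event schema, the policy object, the sample grants, and the brand-word list are all constructed for this illustration and do not mirror any vendor's real audit-log format; the scope names follow Microsoft Graph and OIDC naming, but which scopes count as high-risk is an assumption you would tune for your tenant.

```python
"""
Evaluate OAuth 2.0 consent grants against an allowlist / verified-publisher policy
and flag the high-risk ones. Constructed example: the event schema and field names
are simplified and are not any vendor's actual audit-log format.
"""
from dataclasses import dataclass, field
from difflib import get_close_matches
import re

# Delegated scopes that hand an app broad access to a user's data. Names follow
# Microsoft Graph conventions; the selection itself is an illustrative assumption.
HIGH_RISK_SCOPES = {
    "Mail.Read", "Mail.ReadWrite", "Mail.Send",
    "Files.Read.All", "Files.ReadWrite.All",
    "Contacts.Read", "MailboxSettings.ReadWrite",
}
# offline_access yields a refresh token, so the app keeps access after the session ends.
PERSISTENT_SCOPE = "offline_access"

# Brand words a look-alike app name might imitate (constructed list).
BRAND_WORDS = ["Microsoft", "Office", "Google", "Zoom", "Webex", "Box",
               "Teams", "SharePoint", "OneDrive"]


@dataclass(frozen=True)
class ConsentEvent:
    """One consent grant as seen in an audit trail (constructed schema)."""
    app_id: str
    display_name: str
    publisher_verified: bool
    scopes: tuple
    user: str


@dataclass(frozen=True)
class ConsentPolicy:
    """Mirrors the post's two hardening steps: approved-app list, verified publishers only."""
    allowed_app_ids: frozenset
    require_verified_publisher: bool = True


@dataclass
class Verdict:
    app_id: str
    decision: str            # "allow", "review" or "block"
    reasons: list = field(default_factory=list)


def lookalike_words(display_name):
    """Return name tokens that nearly, but not exactly, match a known brand word."""
    hits = []
    for token in re.findall(r"[A-Za-z]+", display_name):
        near = get_close_matches(token, BRAND_WORDS, n=1, cutoff=0.8)
        if near and near[0] != token:
            hits.append(f"{token!r} resembles {near[0]!r}")
    return hits


def assess_consent(event, policy):
    """Allow approved apps; block unverified, look-alike or over-privileged ones; queue the rest."""
    if event.app_id in policy.allowed_app_ids:
        return Verdict(event.app_id, "allow", ["app is on the approved list"])

    reasons = []
    if policy.require_verified_publisher and not event.publisher_verified:
        reasons.append("publisher is not verified")
    risky = sorted(set(event.scopes) & HIGH_RISK_SCOPES)
    if risky:
        reasons.append("requests high-risk scopes: " + ", ".join(risky))
    if PERSISTENT_SCOPE in event.scopes:
        reasons.append("requests offline_access (refresh token: access persists after the session)")
    reasons.extend(lookalike_words(event.display_name))
    if reasons:
        return Verdict(event.app_id, "block", reasons)
    # Verified publisher, low-risk scopes, but not yet approved: route to an admin review.
    return Verdict(event.app_id, "review", ["verified publisher and low-risk scopes, not yet approved"])


def scan_events(events, policy):
    return [assess_consent(e, policy) for e in events]


# Constructed sample grants: an approved app, a look-alike asking for mailbox access
# and persistent access, and a verified but not-yet-approved app.
SAMPLE_EVENTS = (
    ConsentEvent("app-0001", "Corporate Expense Tracker", True, ("User.Read",), "alice@example.com"),
    ConsentEvent("app-0042", "Mircosoft Office Upgrade", False,
                 ("Mail.Read", "Files.ReadWrite.All", "offline_access"), "bob@example.com"),
    ConsentEvent("app-0077", "Calendar Sync", True, ("Calendars.Read",), "carol@example.com"),
)
SAMPLE_POLICY = ConsentPolicy(allowed_app_ids=frozenset({"app-0001"}))

if __name__ == "__main__":
    for v in scan_events(SAMPLE_EVENTS, SAMPLE_POLICY):
        print(f"{v.app_id}: {v.decision.upper()} - {'; '.join(v.reasons)}")
```

Run against the constructed events, the approved expense app is allowed, the misspelled "Mircosoft" app requesting mail, file and offline_access scopes is blocked with each reason listed, and the verified calendar app is held for review rather than silently permitted. In a real tenant the same logic belongs in the consent workflow itself (admin consent required for anything off the approved list) rather than in an after-the-fact log scan.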
Author: Carlos Neto