By Alex Triaca at Push Security
With more platforms adding support for
In this post we’ll take a look at consent phishing and how it is being used to bypass MFA and also skirt key attributes of phishing that are taught in traditional user awareness campaigns, such as links to
Imagine yourself sitting down at your desk first thing on a Monday morning, cup of coffee steaming next to your keyboard as you click through your backlog of emails. You open the below email and you see that Karl has shared a financial report
Maybe you’ve been waiting for the latest financials or you suspect this was sent erroneously but you’re curious and want to take a peak. When you click the link you are presented with a prompt that with your Monday brain looks just like the “Yes give me access” prompt you’ve clicked through a thousand times. I mean, it’s a microsoftonline.com domain, it’s https and there’s a green tick in the corner so everything
If you’d looked closely you may have noticed that this was in fact asking you to approve access rather than granting you access. But with your muscle memory in full control you click “Accept” before even glancing at the screen. You wait for the spreadsheet to open but are presented with a generic “File does not exist” error page. Oh well, apparently Karl realized his mistake and deleted the file or revoked your access. Onto the
And just like that you’ve been consent phished. You’ve just granted the attackers permanent access to your account, which they retain even if you change your password or have MFA enabled. Chances are the attacker’s tools will immediately start downloading every piece of data you just granted them access to, which they can then explore at
To spot this you need to audit the apps you’ve approved, something you are doing regularly, right? Seriously though, this isn’t something many people check. These integrations are designed to be as seamless as possible and not to get in your way. But if this has piqued your interest you can check what access you have personally granted on Google Workspace and
If you’d been paying attention when you clicked “Accept” you might have noticed that you were granting some pretty serious permissions here. These permissions allow the attackers to read and write any files you have access to – they could download all these files and then delete them. The attackers also got permission to send emails as you. They could send emails to your colleagues from you and phish them too, this isn’t impersonation where the email just “looks” like it came from you, the email DID come from you. Lastly the attackers asked for permission to manipulate your Outlook settings, with this they could set up a mail forwarding rule so that they get copies of all your emails forwarded to them directly without even having to log in. And all of this happens until you delete the underlying
In a blog post Microsoft warns that these attacks are on the rise. One notable example of this comes from the SANS Institute. They reported in August of 2020 that they had fallen victim to one of these attacks. As part of the investigation they produced a report with details on how the attackers managed to convince an employee to install a malicious
So what can you do about this threat today? The only fool proof method of preventing this kind of attack is to prevent users from granting access to
Consent phishing is still an emerging technique and we believe that it has not reached peak usage by attackers yet. We are actively researching this attack technique as it continues to evolve. Follow us on Twitter @datumconsulting, LinkedIn or subscribe to our mailing list to get the latest updates and tips for managing this for