What is Consent Phishing? Identifying Third Party App Permission Attacks
Consent phishing is a specialized type of phishing targeting user permissions for third-party applications. Third-party apps frequently ask permission to access certain features to run properly. But attackers can use fraudulent app permission requests to gain access to a person's account.
In consent phishing, attackers create a phishing scheme – emailing a user with a link to a required password update, for example. If the user clicks the link, they’re redirected to a Microsoft 365 permission request. It may include this language:
“This app would like to
Read your contacts
Read and write access to your mail
Send mail as you
Sign you in and read your profile”
If the user consents to the permission request, the third-party app (controlled by the attacker) will have high-level access to their account. The attacker can then use the account without actually having credential access.
By registering apps with authentic authorization protocols and using social engineering, attackers can access accounts without needing login credentials or multi-factor authentication (MFA) codes.
Keep reading to learn more about how consent phishing works, and what you can do to stop it from infiltrating your organization.
How Do Consent Phishing Attacks Work?
There are two components of a successful consent phishing attack: the OAuth 2.0 authorization protocol and social engineering. Let's look at how each one works during a consent phishing attack.
OAuth 2.0 lets a user authorize an application to access their resources at a provider without handing the application their password. It is a widely adopted industry standard that is ubiquitous across the internet.
If a user wants to use a new application, they may be offered the option to sign up with their Facebook or Google account. If they choose it, Facebook or Google asks them to approve the permissions the application requests and then sends the application an authorization code, which the application exchanges for tokens that let it read the profile information needed to create the account.
Attackers exploit this permission step. They register a malicious app with an OAuth 2.0 provider so that the consent prompt the user sees is a genuine one from a trusted source. After all, the average person sees permission requests like this often while browsing, so one more does not automatically look unusual or suspicious.
Social engineering is the other crucial part of a consent phishing attack. Not only do attackers use phishing techniques to convince a recipient to trust an email; they also play on the user's habit of clicking links. Granting permissions is commonplace on the internet, and people may accept a request without thinking twice about it.
Here is what a consent phishing attempt usually looks like:
The attacker registers a malicious app with an OAuth 2.0 provider.
The attacker sends a phishing email to a targeted user asking to grant permission to the malicious app.
The user clicks the OAuth 2.0 authorization URL, which produces a genuine permission request from the provider.
The user grants access to the malicious app, and the provider sends an authorization code to the attacker's app.
The attacker's app redeems the authorization code for access tokens, which the attacker uses to reach the user's data.
While this is the general process of a consent phishing attack, what does it look like in real life? Consider this scenario:
An employee receives an email that appears to be from a trusted colleague or company saying a file has been shared with them.
The employee clicks on the link and is prompted to grant certain permissions to view the document. Since this is a prompt many people are familiar with, they may grant permission without investigating the source or the requested permissions.
The employee receives an error message and may continue their work without raising any red flags.
Meanwhile, an attacker has gained full access to an account without needing login credentials or MFA codes. Depending on what the granted permissions are, an attacker may have the ability to read emails, alter mailbox settings, or even send emails as the user. At this point, they can launch a third-party app attack.
Identifying and Preventing Consent Phishing
Here’s an example of a consent phishing attack identified by Abnormal Security:
On the surface, it’s quite simple: IT sends a password expiration reminder alongside a link to reset the password. At first glance, the sender looks legit. In reality, the email is likely from a compromised domain, so it passes sender authentication methods. The link will redirect the user to a Microsoft permission request for a third-party application.
Specifically, the app is requesting read/write access to the mailbox, which would allow the attacker to use this account to send and receive emails without ever holding the user's credentials.
Abnormal is able to identify this attack for a few reasons:
The sender name resembles an actual administrator account, but the email address is new.
The link contains the target’s email address in the URL, allowing attackers to track it.
Due to these factors, Abnormal flags the email as a credential phishing attack and automatically remediates it before the user can access it.
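The two signals cited above (a sender identity that imitates an administrator, and the target's address baked into the link) can be complemented by inspecting the link itself before anyone clicks it. The following is an added example, not Abnormal Security's code: it parses a Microsoft identity platform authorization URL, lists the permissions the consent prompt would ask the user to grant, checks the app's client ID against an assumed allowlist, records where the authorization code would be delivered, and notes whether the recipient's address is embedded in the URL. The endpoint and its query parameters (client_id, scope, redirect_uri, login_hint, state) are the real ones; the client IDs, hostnames and email address are constructed placeholders.

```python
"""Triage an OAuth authorization link found in an email.

Added example (not Abnormal Security's code). The Microsoft identity platform
authorize endpoint and its client_id / scope / redirect_uri / login_hint
parameters are real; the client IDs, hosts and addresses below are
constructed placeholders.
"""
import re
from urllib.parse import parse_qs, unquote, urlparse

# Delegated Microsoft Graph permissions matching the access the article describes.
# Assumption for illustration: these are the scopes a mailbox takeover needs.
HIGH_RISK_SCOPES = {
    "Mail.ReadWrite": "read and write the user's mail",
    "Mail.Send": "send mail as the user",
    "Contacts.Read": "read the user's contacts",
    "offline_access": "refresh token: access outlives the browser session",
}

# Assumed allowlist of application (client) IDs the organisation has approved.
APPROVED_CLIENT_IDS = {"00000000-0000-0000-0000-00000000aaaa"}  # placeholder

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def _bare_scope(scope: str) -> str:
    """'https://graph.microsoft.com/Mail.Send' -> 'Mail.Send'; 'openid' -> 'openid'."""
    return scope.rsplit("/", 1)[-1]


def analyze_consent_link(url: str) -> dict:
    """Return structured findings and a verdict for a URL extracted from an email."""
    parsed = urlparse(url)
    params = parse_qs(parsed.query)
    result = {
        "is_authorize_endpoint": False,
        "client_id": None,
        "client_approved": False,
        "risky_scopes": [],
        "embedded_email": None,
        "redirect_host": None,
        "verdict": "not_consent_prompt",
    }

    # Only the identity provider's authorize endpoint renders a consent prompt;
    # any other link is out of scope for this check.
    if not (parsed.hostname == "login.microsoftonline.com"
            and parsed.path.endswith("/oauth2/v2.0/authorize")):
        return result
    result["is_authorize_endpoint"] = True

    client_id = params.get("client_id", [None])[0]
    result["client_id"] = client_id
    result["client_approved"] = client_id in APPROVED_CLIENT_IDS

    # Signal 1: which permissions the prompt will ask the user to grant.
    requested = [_bare_scope(s) for s in params.get("scope", [""])[0].split()]
    result["risky_scopes"] = [s for s in requested if s in HIGH_RISK_SCOPES]

    # Signal 2: the target's address embedded in the link (login_hint, state,
    # or anywhere else). Legitimate apps also use login_hint, so this is a
    # supporting indicator, not proof on its own.
    match = EMAIL_RE.search(unquote(url))
    result["embedded_email"] = match.group(0) if match else None

    # Signal 3: the host that will receive the authorization code.
    redirect_uri = params.get("redirect_uri", [""])[0]
    result["redirect_host"] = urlparse(redirect_uri).hostname

    if result["risky_scopes"] and not result["client_approved"]:
        result["verdict"] = "block"      # unknown app asking for mailbox control
    elif result["risky_scopes"] or result["embedded_email"]:
        result["verdict"] = "review"     # approved app, but worth a second look
    else:
        result["verdict"] = "allow"
    return result


# Constructed sample link modelled on the password-expiry lure described above.
SAMPLE_LINK = (
    "https://login.microsoftonline.com/common/oauth2/v2.0/authorize"
    "?client_id=11111111-2222-3333-4444-555555555555"
    "&response_type=code"
    "&redirect_uri=https%3A%2F%2Fpassword-portal.example.net%2Fcallback"
    "&scope=openid%20profile%20offline_access%20Mail.ReadWrite%20Mail.Send%20Contacts.Read"
    "&login_hint=jane.doe%40example.com"
    "&state=jane.doe%40example.com"
)

if __name__ == "__main__":
    for key, value in analyze_consent_link(SAMPLE_LINK).items():
        print(f"{key:>22}: {value}")
```

The verdict logic is deliberately conservative: a link that is not a consent prompt at all is left to the usual URL checks, an approved app requesting broad scopes is sent for review rather than blocked, and only an unapproved app asking for mailbox control is blocked outright.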
Why are Consent Phishing Attacks Growing in Popularity?
Consent phishing attacks are increasing for multiple reasons:
Security teams often cannot effectively monitor third-party app integrations and permission changes. Attackers can access mailboxes and steal credentials without raising suspicion.
Authentic permission requests are common, so users are less likely to suspect that a given request is malicious.
Traditional security approaches like sandboxing, browser isolation, threat intelligence, and sender reputation cannot identify a suspicious permission request.
How to Prevent Consent Phishing
Protecting your organization from consent phishing is not easy, but it is possible to deploy several security measures to prevent a successful attack. Here are some tips on how to prevent consent phishing from succeeding:
Use AI-based email security to spot suspicious behavior that can indicate consent phishing.
Enact security posture management to monitor permission and configuration changes across your cloud environment.
Configure application consent policies for employees to only allow consent to specific applications you trust and for low-risk permissions.
Ensure administrators know how to manage and evaluate consent requests.
Periodically audit apps and consented permissions to ensure they access only the data they need, following the principle of least privilege.
Create proactive application governance policies to monitor and report suspicious third-party app behavior.
Conduct security awareness training and ensure employees know the signs of a possible phishing attempt.
Promote the use of publisher-verified applications.
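Two of the measures above, monitoring permission changes and periodically auditing consented permissions against least privilege, can be automated over an export of consent grants. The following is an added example, not Abnormal Security's or Microsoft's code: it scores constructed grant records (the field names are assumptions, not a real audit-log schema) by risky scopes, an unverified publisher, end-user rather than admin consent, an app name that imitates Microsoft, and drift from an assumed per-app baseline, and it flags recently added grants for review.

```python
"""Audit consented third-party app permissions for least privilege.

Added example, not Abnormal Security's code. The grant records are
constructed to resemble what an identity provider's consent audit log or
app-permission inventory exports; the field names are assumptions, not a
real schema.
"""
from datetime import datetime, timedelta, timezone

# Delegated permissions that hand an app control of a mailbox or files.
# Assumed list for illustration, based on the access described in the article.
HIGH_RISK_SCOPES = {"Mail.ReadWrite", "Mail.Send", "Mail.Read",
                    "Contacts.Read", "Files.ReadWrite.All"}
PERSISTENCE_SCOPE = "offline_access"

# Assumed least-privilege baseline: the scopes each approved app actually needs.
APPROVED_BASELINE = {
    "Contoso Expense Manager": {"User.Read", "Files.Read"},
}

# Constructed sample of consent grants (not real tenant data).
SAMPLE_GRANTS = [
    {"app_name": "Contoso Expense Manager", "publisher_verified": True,
     "consent_type": "admin", "scopes": ["User.Read", "Files.Read"],
     "granted_by": "it-admin@example.com", "granted_at": "2024-01-15T09:00:00Z"},
    {"app_name": "Contoso Expense Manager", "publisher_verified": True,
     "consent_type": "user", "scopes": ["User.Read", "Files.Read", "Mail.Read"],
     "granted_by": "sam.lee@example.com", "granted_at": "2024-05-02T13:30:00Z"},
    {"app_name": "Microsoft 365 Password Update", "publisher_verified": False,
     "consent_type": "user",
     "scopes": ["openid", "profile", "offline_access",
                "Mail.ReadWrite", "Mail.Send", "Contacts.Read"],
     "granted_by": "jane.doe@example.com", "granted_at": "2024-06-14T08:12:00Z"},
]


def parse_ts(ts: str) -> datetime:
    """Parse an ISO-8601 timestamp with a trailing Z into an aware datetime."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def audit_grant(grant: dict, now: datetime, recent_days: int = 30) -> dict:
    """Score one consent grant and explain each point of the score."""
    scopes = set(grant["scopes"])
    reasons = []
    score = 0

    risky = sorted(scopes & HIGH_RISK_SCOPES)
    if risky:
        score += 3
        reasons.append("high-risk scopes: " + ", ".join(risky))
    if PERSISTENCE_SCOPE in scopes and risky:
        score += 1
        reasons.append("offline_access keeps that access alive via refresh tokens")
    if not grant["publisher_verified"]:
        score += 2
        reasons.append("publisher not verified")
    if grant["consent_type"] == "user" and risky:
        score += 1
        reasons.append("end-user consent to high-risk scopes (no admin review)")
    if "microsoft" in grant["app_name"].lower() and not grant["publisher_verified"]:
        score += 2
        reasons.append("app name imitates Microsoft without a verified publisher")

    # Least-privilege drift: scopes beyond what the app was approved for.
    baseline = APPROVED_BASELINE.get(grant["app_name"])
    if baseline is not None:
        excess = sorted(scopes - baseline)
        if excess:
            score += 1
            reasons.append("exceeds least-privilege baseline: " + ", ".join(excess))

    # Recency is context for the reviewer, not a risk point in itself.
    if now - parse_ts(grant["granted_at"]) <= timedelta(days=recent_days):
        reasons.append(f"granted within the last {recent_days} days")

    level = "high" if score >= 6 else "medium" if score >= 3 else "low"
    return {"app_name": grant["app_name"], "granted_by": grant["granted_by"],
            "score": score, "level": level, "reasons": reasons}


def audit_grants(grants, now_iso=None):
    """Audit every grant and return the results, riskiest first."""
    now = parse_ts(now_iso) if now_iso else datetime.now(timezone.utc)
    results = [audit_grant(g, now) for g in grants]
    return sorted(results, key=lambda r: r["score"], reverse=True)


if __name__ == "__main__":
    for r in audit_grants(SAMPLE_GRANTS, now_iso="2024-06-20T00:00:00Z"):
        print(f"[{r['level']:>6}] {r['app_name']} ({r['granted_by']}): "
              + "; ".join(r['reasons']))
```

Run against a real export, the same scoring separates three situations that look alike in a raw list of grants: an approved app used as intended, an approved app that a user has quietly granted more than its baseline, and an unverified app with a Microsoft-sounding name holding full mailbox access, which is the pattern this article describes.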
To learn more about how Abnormal Security can stop modern email security threats like consent phishing, request a demo.