Defending Against Illicit Consent Attacks

Towards the close of 2019 a new variety of phishing attack surfaced, targeting Office 365 specifically. This attack is notable in that it does not harvest end user credentials (as is the norm) but exploits how Office 365 handles third-party add on content. As such, this type of attack is one of the rare cases where enabling Multi-Factor Authentication (MFA) is not enough to prevent the breach. With that in mind, we believe it is extremely important that users understand this new threat and how to defend against it.

What Is It?

Known as an Illicit Consent Grant, the attack starts the same as any phishing attempt—with an email. Typically, this email is be styled to appear as an internal notification from Office 365, noting a file that a user wants to share. When this link is selected, the user is directed to a legitimate Microsoft domain and prompted to log in to their account (If the user is already signed in, this step will be bypassed). After signing in, the user will be asked to authorize a third-party application to access their account.

From PhishLabs: Screenshot of a malicious access request

By authorizing the above, end-users grant the app access data and thereby compromise their accounts. When this occurs signing out of the account or triggering MFA will do little to secure the account, and the permissions granted by the app must be removed by administrators. Depending on how long it takes to identify the breach and remove the access, critical data may have already been exfiltrated from the environment.

The access provided by this method is read-only, however, so the biggest risks here would be personally identifiable information (PII), such as a social security number or banking information. Access to mail and contacts can also provide hackers with insight on who to attack next, such as the email addresses of the Accounts Payable team or the CEO.

How to Identify?

One thing to consider is context. When a potential phishing email is received, it is important to consider the email makes sense to receive. Do you know the person? Do you normally work with them? If the answer is no, then the best option may be to disregard the email. If it does come from someone you know but it does not make sense for them to share a file with you, the next best option is to speak with them in person or over the phone to get a confirmation.

If the user is prompted to grant permissions, the user must again consider if it makes sense in order to view a document hosted in Office 365. Anything requesting full access to data should be suspect! If all else fails and a user is still not sure, however, it is best to forward the request to an IT specialist that can better analyze the email. With so much at risk, end-users should not approve any request for access that they cannot be 100% certain of.

How Can I Protect Against This Type of Attack?

Like all phishing, there is no catchall solution to preventing these malicious emails from hitting your inbox. Administrators can limit the amount of end users susceptible to this type of attack, however, by disabling end-users from installing their own add-ins. Under this configuration, only only administrators are permitted to approve and whitelist add-ins for company use. While admins may be better versed in the threats to look out for, it is still highly important to offer regular guidance and training to address new trends.

Another thing to note is that this type of attack provides hackers with the same level of access permissions as the compromised user. For this reason, it is highly important to limit end user access rights to ONLY the data that is required for them to work. In the event of a breach, this approach to security can limit the exposure of sensitive data. For example, if the compromised user happened to be in the marketing department, the hacker may have access to all marketing documents. Meanwhile, if a member of the finance department was compromised, the hacker would have visibility into the invoicing process and financial documents, which is considerably worse.

If such a breach does occur, the best way to identify it is to have auditing turned on for the Office 365 tenant so there can be a clear record of the actions that took place. Furthermore, a strong security policy can identify suspicious actions and provide an alert to administrators (Such as installing any add-ins or creating a mail flow rule).

Finally, any business concerned about phishing attacks such as these should consider working with an IT partner to manage cybersecurity. Metro CSG is one such firm offering dedicated security management services to harden defenses against new and evolving threat. This includes regularly reviewing logs and updating settings according to best practices, as well as regular phishing tests determine if staff can identify threat on their own.

Learn More


Leave a comment!

All fields marked with an asterisk* are required.