All News

<< Next Post - Previous Post >>


There is a growing type of phishing attack which has been quite successful since the beginning of 2020, it is called a "Consent Phishing"

Traditional email phishing attacks will try to get the victim's credentials through a dangerous URL with a fake login webpage, a malware attachment or some other clever social engineering tactics.
Hopefully companies have some anti-phishing tools/technology to detect and protect them against most of those type of emails (some always manage to get through, no matter what technology you use and what vendors promise you!)

However, there is a new type of phishing attacks that leverages the OAuth authorisation framework used by some applications to access your account. Basically, there are a lot of legitimate applications that will request access to your O365 account (it could also be another type of Cloud app provider) through the generation of an OAuth token, so they don't need to know (and store) your O365 password.
This is great, however:

  • The access token given to an application for an O365 account, never expires! not until it is manually revoked
  • With such access tokens, MFA does not apply to the application to get access to the O365 account
  • By default all users can *self* accept a request from an application to get access to their O365 account

  • This is why, hackers are increasingly using phishing with a link which requests app access.
    It is just a link with no payload/malware, it triggers a genuine request from Microsoft for the user to accept, they do not need to be redirected to a site and thus traditional anti-phishing and anti-virus technologies do not see this as malicious.

    Even the best got phished recently (end of July 2020) by this technic: SANS, a well known Cyber Security Training company, had one of its user who received such phishing email, click on the link and accepted the access request.

    As a result the hacker got access to the user mailbox, created a forwarding rule and forwarded hundreds of SANS customers' personal data to a hacker email address.
    Luckily there was no financial data, however, those poor users/victims got their email, name, address and phone details now added to spam/hackers databases and will see a very sharp increase in spam as well as phishing emails in the coming weeks and months to come.
    SANS has done a great job at providing information about the hack HERE

    Hackers are focusing those type of attacks against O365 users currently, so below are some steps you can take to protect your organisation/account against these type of attacks.
    1. Raise users' awareness against this type of attack:

    2. How: Inform your users to never enter their passwords from a link received in an email, and also never accept/consent to requests for access when clicking a link from an email. In general, users should be very wary of any links received by email, especially unsolicited emails. Microsoft has some ready made training material available, and many other online website provide such content for free (or for a fee)
      Impact: To ensure your users think twice before clicking on anything.
      Reasoning: User awareness is the number one cyber security defence against most type of cyber attacks. The "Think before you click" moto is key to any user security awareness campaign.
      More info: Free Microsoft training resources

    3. Review app consent given:

    4. How: On your AZURE admin portal go to All Service -> search for App Registrations -> All Application
      Impact: You can review the different apps that have been authorised and revoke their access.
      Reasoning: If you are not expecting an app to have access to any of your O365 accounts you can remove their access. Note that you may see a "default" built-in app called "Report Message" which is an add-in for Office to allow users to report suspicious emails to Microsoft.
      More info: Microsoft Article

    5. Audit logs for app consent:

    6. How: On your O365 admin portal go to Security & Compliance Center ( -> Search -> Audit log search -> Search for all activities and all users -> Filter results for "Consent to Application" in the Activity field (It takes between 30 minutes to 24h for the logs to be updated)
      Impact: You can review the different apps that have been authorised and revoke their access.
      Reasoning: If you suspect you have been hacked, this is a way to look back at when and who provided some access to their account through app consent
      More info: Microsoft Article

    7. Users to self review their app consent:

    8. How: You can ask your users to look at the apps that currently have access to their account by going to the following URL:
      Impact: Users can remove access to unknown or suspicious app, however they need to be somewhat technical enough to understand what app should have access to their account.
      Reasoning: This is a quick and easy way to list all app having access to a given account. This is a step you may want to do when doing an investigation of a suspected incident on behalf of the user.
      More info: Microsoft Article

    9. List all app consent through Powershell:

    10. How: As an O365 admin you can run a Powershell script called Get-AzureADPSPermissions.ps1, which is available on github there: github link
      Impact: This will create a csv file with all the app consent (OAuth) in your tenancy
      Reasoning: You get all the information required for auditing illicit access into one file through one simple command
      More info: Microsoft Article

    11. Disable the ability for your user to authorise/consent app access:

    12. How: On your O365 admin portal you can change that setting in Settings -> Org Settings -> User consent to apps
      Impact: Users will need to ask an admin to enable an app access.
      Reasoning: If your users only use emails and have no need for "custom" apps to access their O365 account, then they have no need to ever consent to an app access request.
      More info: Microsoft Article

    13. Configure an admin consent workflow:

    14. How: On your Azure admin portal go to Azure Active Directory -> User Settings -> Admin consent requests
      Impact: When users get an app access request, they will be able to request approval to the admin authorised to approve such type of requests.
      Reasoning: This allows your users to request app access approval through a semi automated workflow and your admin to receive approval request automatically.
      More info: Microsoft Article
    To go beyond, there is a great guide available from Microsoft which explains the steps of a security roadmap to implement the top priority security controls for an O365 environment for the first 30 days, 90 days, and beyond here: Microsoft O365 priorities

    << Next Post - Previous Post >>