Cyber incidents often rely on human engagement to enable malware. Despite deploying security controls on the user’s account, target environment, and device, additional emerging threats may occur which require both users and enterprise administrators to put safeguards in place to mitigate the impact.
The purpose of this blog is to analyze and mitigate the impact of consent phishing emails as an attack vector with more sophistication than the normal email phishing campaign and inform on strategies which will heighten data governance and application control.
What is consent phishing?
Consent phishing is a refined form of phishing which requires a developed back-end infrastructure to the operation to trick unsuspecting users into granting permissions to malicious applications owned by a threat actor (TA). A user sign-in takes place at a legitimate identity provider, rather than a fake sign-in page, to dupe users into granting permissions to malicious attacker-controlled applications.
Unfortunately, this is an increasingly common scenario, and users are traditionally told that phishing emails may lead to credential harvesting. This is where an attacker specifically looks to withdraw and compromise credentials — such as username and password combinations — by way of a custom landing page which takes the users to a fake TA-hosted website. The TA can then take information freely given by the user for their own malicious purposes.
A TA may also use coordinated email campaigns with similar characteristics, including personalized email text specific to the recipient or organization and tailored branding. These messages may also evoke a strong sense of urgency from the sender, prompting either a download or enabling malicious logic that is intentionally included or inserted in a system to perform an unauthorized function or process from the correspondence.
Like other phishing schemes, the human interaction requires for unsuspecting users to consent into a situation which kicks off a chain reaction of exploitation.
What is the risk?
In consent phishing, a TA will hijack a user’s provided access tokens to retrieve account data from an application programming interface (API) resource, without any further action by the user.
The mechanism for the token to provide authorization is OAuth 2.0, which is an industry-standard authorization mechanism. It allows the required authorization flows for users of all roles for web applications, desktop application, mobile devices, and internet of things (IoT) devices, among other things. It is important to highlight that authorization — not authentication — is delivered by OAuth 2.0, which means the authentication has already been bypassed and full compromise can begin.
Targeted users who unknowingly grant permission allow attackers to make API calls on their behalf through the attacker-controlled app. Depending on the permissions granted, the access token can also be used to legitimately access files, contacts, and other account-specific information.
Unlike the traditional phishing vectors, consent phishing attacks do not involve password harvesting, as authorization access tokens don’t require knowledge of the user’s password. However, attackers are still able to steal confidential data and other sensitive information and can then stay in the target organization and perform reconnaissance to further compromise the network.
What can be done?
The mitigation to this type of attack lies within each environment’s security controls.
For active directory or cloud-based offerings, a tenant can be configured to block users from granting consent to apps it considers risky. In this manner, administrators can create an operationally required list of applications that have been properly vetted and authorized.
Additionally, administrators can and should regularly update and refine their filtering technologies within their mail server to ensure machine learning detection is enabled, and both IP and URL filtering and validation is routinely occurring.