Instead, validate the source of the domain URL and use applications from verified publishers when possible. Attackers like to spoof application names and domains that make it appear to come from a legitimate service or company to drive consent to a malicious application. Don't rely on application names and domain URLs as a source of authenticity.In that case, report it directly on the consent prompt with the Report it here link and Microsoft will investigate if it's a malicious application and disable it, if confirmed. If an email message or the consent screen of the application has spelling and grammatical errors, it's likely a suspicious application. Know how to spot and block common consent phishing tactics:.Routinely audit applications and consented permissions in the organization to make sure that applications are accessing only the data they need and are adhering to the principles of least privilege.Make sure that administrators know how to manage and evaluate consent requests.Understand the data and the permissions an application is asking for and understand how permissions and consent works within the platform.Educate your organization on how our permissions and consent framework works:.While attackers never rest, there are steps organizations can take to improve the security posture. Implement best practices for hardening against consent phishing, described below.īest practices for hardening against consent phishing attacksĪdministrators should be in control of application use by providing the right insights and capabilities to control how applications are allowed and used within organizations.The guidance includes auditing permissions and consent for disabled and suspicious applications found during review. Review and use the guidance for defending against illicit consent grants.The Azure AD audit logs for activity by the application and sign-in activity for users authorized to use the application.The delegated permissions or application permissions requested by the application.Investigate the application activity for the disabled application, including:.If the organization has been impacted by an application disabled by Microsoft, the following immediate steps should be taken to keep the environment secure: The email specifies the action taken and recommended steps they can do to investigate and improve their security posture. An email is sent to a global administrator when a user in an organization consented to an application before it was disabled.The disabled state is surfaced through an exposed property called disabledByMicrosoftStatus on the related application and service principal resource types in Microsoft Graph.Any new token requests or requests for refresh tokens are denied, but existing access tokens are still valid until their expiration. The malicious application and related service principals are placed into a fully disabled state.When Azure AD disables an OAuth application, the following actions occur: If a violation is confirmed, Azure AD disables the application and prevents further use across all Microsoft services. A flagged application is reviewed by Microsoft to determine whether it violates the terms of service. The following image shows an example of an OAuth app that is requesting access to a wide variety of permissions.Īdministrators, users, or Microsoft security researchers may flag OAuth applications that appear to behave suspiciously. Because the application is hosted by a legitimate provider (such as the Microsoft identity platform), unsuspecting users accept the terms, which grant a malicious application the requested permissions to the data. The consent screen displays all permissions the application receives. Unlike credential compromise, threat actors who perform consent phishing target users who can grant access to their personal or organizational data directly. These malicious applications can then gain access to legitimate cloud services and data of users. What is consent phishing?Ĭonsent phishing attacks trick users into granting permissions to malicious cloud applications. This article explores what consent phishing is, what Microsoft does to protect an organization, and what steps organizations can take to stay safe. Consent phishing is another threat vector to be aware of. You may be familiar with attacks focused on users, such as email phishing or credential compromise. While cloud applications enable employees to be productive remotely, attackers can also use application-based attacks to gain access to valuable organization data. Productivity is no longer confined to private networks, and work has shifted dramatically toward cloud services.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |