In a consent phishing attack, malicious actors trick an employee into granting a malicious cloud application access to the employee's account through the identity provider's normal permission (consent) prompt. This attack strategy takes advantage of how common cloud-based tools have become and uses many traditional phishing tricks to get users to accept the permissions the attacker needs. Once consent is given, the attacker's application receives access tokens and can act on the user's behalf: read mail and files, steal data, or send further phishing from a trusted account. Today, we want to focus on what consent phishing is and how small and medium businesses can best protect themselves from this kind of phishing attack.
What is Consent Phishing?
Consent phishing campaigns abuse legitimate identity platforms, such as Microsoft's identity platform, by registering a malicious application with the platform itself. The permission prompt the victim sees is the genuine one served by the identity provider, the same screen a legitimate application would use, so nothing about the page looks suspicious and the attack often goes unnoticed until it is too late. Hackers specifically target employees whose accounts can approve the permissions the application needs and try to get them to follow a link to the consent prompt and approve a wide range of permissions, such as reading the user's profile, reading mail and files, and reading group membership. Nothing is installed on the employee's device: what the user approves is a delegated grant of access to their own account, which the attacker's application can then use from anywhere.
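To make the mechanics concrete, here is an added example (not code from the original article) that pulls apart a consent phishing link before anyone clicks it. The lure points at the identity provider's genuine authorize endpoint; only the application id, the requested scopes and the redirect target belong to the attacker. The link, the application id and the redirect host below are constructed for this example.

```python
"""
Added example, not code from the original article: inspect a consent
phishing link before anyone clicks it.

The lure points at the identity provider's genuine authorize endpoint; only
the application id, the requested scopes and the redirect target belong to
the attacker.  SAMPLE_LINK is constructed for this example, and the
application id and redirect host in it are made up.
"""
from dataclasses import dataclass
from urllib.parse import urlparse, parse_qs

# Hosts that serve the real Microsoft identity platform consent prompt.
IDENTITY_HOSTS = {"login.microsoftonline.com", "login.microsoft.com"}

# Constructed lure: a genuine authorize URL carrying an attacker-chosen app id,
# a broad scope set and a redirect to a host the attacker controls.
SAMPLE_LINK = (
    "https://login.microsoftonline.com/common/oauth2/v2.0/authorize"
    "?client_id=11111111-2222-3333-4444-555555555555"
    "&response_type=code"
    "&redirect_uri=https%3A%2F%2Fdocs-review.example%2Fcallback"
    "&scope=openid+profile+User.Read+Mail.Read+Files.ReadWrite.All+offline_access"
    "&prompt=consent"
    "&state=shareddoc"
)


@dataclass
class ConsentRequest:
    genuine_prompt: bool   # served by the real identity platform?
    tenant: str            # 'common' accepts accounts from any tenant
    client_id: str         # the (attacker's) registered application
    scopes: list           # delegated permissions the user is asked to approve
    redirect_host: str     # where the authorization code is delivered after approval
    forces_consent: bool   # prompt=consent shows the screen even if consented before


def parse_consent_link(url: str) -> ConsentRequest:
    """Extract the fields that decide what the user is actually about to grant."""
    u = urlparse(url)
    q = parse_qs(u.query)

    def first(key: str) -> str:
        return q.get(key, [""])[0]

    path_parts = [p for p in u.path.split("/") if p]
    redirect = urlparse(first("redirect_uri"))
    return ConsentRequest(
        genuine_prompt=u.hostname in IDENTITY_HOSTS and path_parts[-1:] == ["authorize"],
        tenant=path_parts[0] if path_parts else "",
        client_id=first("client_id"),
        scopes=first("scope").split(),
        redirect_host=redirect.hostname or "",
        forces_consent=first("prompt") == "consent",
    )


def describe(req: ConsentRequest) -> str:
    """Plain-language summary suitable for a helpdesk ticket or mail-gateway note."""
    where = "the real Microsoft sign-in page" if req.genuine_prompt else "a non-Microsoft page"
    return (
        f"This link opens {where} and asks you to grant application "
        f"{req.client_id} the permissions {', '.join(req.scopes)}. "
        f"After you approve, the access is handed to {req.redirect_host}."
    )


if __name__ == "__main__":
    print(describe(parse_consent_link(SAMPLE_LINK)))
```

Note that the parse alone is not a verdict: legitimate third-party apps use exactly this flow. What it gives an employee or a helpdesk is the three facts that matter before approving, namely which application is asking, which permissions it wants, and where the resulting access goes.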
What Makes Consent Phishing More Dangerous?
Consent phishing campaigns are dangerous because they borrow the legitimacy of trusted resources, such as OAuth apps hosted on well-known identity platforms. If an employee grants the malicious cloud application access to their account, they may believe it to be a legitimate application and fail to report it to either the IT team or the business' IT consultant. These attacks can use OAuth apps registered with a wide variety of trusted platforms, such as Microsoft and Google, because the requirements to register an application with these services are often not very strict. Because the access is granted through OAuth tokens issued to the application, the attacker never learns the user's password, and multi-factor authentication does not stop the attack: the user already signed in legitimately before approving the prompt. The consent is recorded in the company's directory and stays in effect until an administrator or the user revokes it; a password reset alone does not remove the grant. Additionally, once permissions have been granted, users are generally redirected to a generic error message that gives no hint of the attack.
Mitigation Strategies
Large platforms like Microsoft are already identifying the cloud-based apps used in consent phishing campaigns and removing them from service, and they offer tenant settings that help: notifications when users accept new permissions for apps, the option to restrict user consent so that only an administrator (or only apps from verified publishers requesting low-risk permissions) can be approved, and an admin consent workflow that routes employee requests to IT for review. To help protect your small or medium-sized business, employees should be made aware of this threat in their cybersecurity training, and you should ensure your phishing training is up to date and completed by every user. Additionally, small businesses should work with their IT team or IT consultant to turn off self-service user consent, approve only applications that have been vetted for company use, and periodically review the consent grants that already exist in the tenant, since a grant stays in effect until it is revoked.
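The periodic review is the step most small businesses skip, so here is an added example (not the article's or Microsoft's own code) that triages a tenant's existing consent grants for the pattern consent phishing leaves behind: a user (not admin) consent to an app from an unverified publisher that holds mailbox, file or directory permissions plus offline_access. The record shapes follow the Microsoft Graph oauth2PermissionGrant and servicePrincipal resources, and the remediation strings are the Graph calls that delete a grant and revoke a user's refresh tokens; the records themselves are constructed sample data with made-up ids, not real tenant output.

```python
"""
Added example, not the article's or Microsoft's own code: triage OAuth
consent grants for the pattern consent phishing leaves behind.

Record shapes follow the Microsoft Graph oauth2PermissionGrant and
servicePrincipal resources; the records below are constructed sample data
with made-up ids, not real tenant output.
"""

# Delegated Graph permissions worth a second look when a user granted them.
HIGH_RISK_SCOPES = {
    "Mail.Read", "Mail.ReadWrite", "Mail.Send",
    "Files.Read.All", "Files.ReadWrite.All",
    "Contacts.Read", "Group.Read.All", "Directory.Read.All",
    "offline_access",   # refresh token: access outlives the browser session
}

SERVICE_PRINCIPALS = [   # constructed sample data
    {"id": "sp-a", "appId": "app-a", "displayName": "Corp Mail Archiver",
     "verifiedPublisher": {"verifiedPublisherId": "1234567", "displayName": "Archiver Inc"}},
    {"id": "sp-b", "appId": "app-b", "displayName": "Timesheet Helper",
     "verifiedPublisher": {"verifiedPublisherId": None}},
    {"id": "sp-c", "appId": "app-c", "displayName": "SharePoint Doc Review",
     "verifiedPublisher": {"verifiedPublisherId": None}},
]

GRANTS = [   # constructed sample data
    {"id": "g1", "clientId": "sp-a", "consentType": "AllPrincipals", "principalId": None,
     "resourceId": "graph", "scope": "User.Read Mail.Read"},
    {"id": "g2", "clientId": "sp-b", "consentType": "Principal", "principalId": "user-1",
     "resourceId": "graph", "scope": "openid profile User.Read"},
    {"id": "g3", "clientId": "sp-c", "consentType": "Principal", "principalId": "user-2",
     "resourceId": "graph", "scope": "User.Read Mail.Read Files.ReadWrite.All offline_access"},
    {"id": "g4", "clientId": "sp-a", "consentType": "Principal", "principalId": "user-3",
     "resourceId": "graph", "scope": "User.Read Mail.Send"},
]


def is_verified(sp: dict) -> bool:
    """True when the app's publisher completed Microsoft's publisher verification."""
    return bool((sp.get("verifiedPublisher") or {}).get("verifiedPublisherId"))


def triage(grants, service_principals):
    """Return findings, highest severity first, each with a remediation plan."""
    sps = {sp["id"]: sp for sp in service_principals}
    findings = []
    for g in grants:
        sp = sps.get(g["clientId"], {})
        risky = sorted(set(g.get("scope", "").split()) & HIGH_RISK_SCOPES)
        if not risky:
            continue
        user_consent = g.get("consentType") == "Principal"   # a user, not an admin, approved it
        verified = is_verified(sp)
        if user_consent and not verified:
            severity = "high"
        elif user_consent or not verified:
            severity = "medium"
        else:
            continue   # admin-consented app from a verified publisher: reviewed elsewhere
        remediation = [f"DELETE /oauth2PermissionGrants/{g['id']}"]
        if user_consent:
            # Deleting the grant stops new tokens; revoking sign-in sessions
            # invalidates refresh tokens the app has already been issued.
            remediation.append(f"POST /users/{g['principalId']}/revokeSignInSessions")
        findings.append({
            "grant_id": g["id"],
            "app": sp.get("displayName", g["clientId"]),
            "user": g.get("principalId"),
            "severity": severity,
            "risky_scopes": risky,
            "remediation": remediation,
        })
    order = {"high": 0, "medium": 1}
    return sorted(findings, key=lambda f: order[f["severity"]])


if __name__ == "__main__":
    for f in triage(GRANTS, SERVICE_PRINCIPALS):
        print(f["severity"].upper(), f["app"], f["user"], f["risky_scopes"], f["remediation"])
```

The rule set is deliberately simple: an unverified publisher combined with a user-approved grant of mailbox or file access is the signature of the campaigns described above, while admin-consented apps from verified publishers are left to the normal application review. Deleting the grant is necessary but not sufficient; if the app already holds a refresh token (offline_access), the user's sign-in sessions must be revoked as well.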
Summary
Malicious actors are always on the lookout for ways to improve their phishing campaigns, and consent phishing is a newer way for hackers to take advantage of employees who have not been properly trained to identify and flag suspicious permission requests. Small businesses must take cybersecurity training seriously, no matter how few employees they have, because a company culture that values cybersecurity can go a long way in preventing attacks like consent phishing. Our security experts here at Robinett Consulting recommend using a reliable training platform to monitor and collect data on your cybersecurity training, and we're offering a complimentary consultation to see if we can help improve your cybersecurity training today!