Microsoft says it is tracking a new consent phishing campaign that uses OAuth request links to trick users into granting consent to an app that gives malicious actors access to email accounts.
In a series of tweets, Microsoft Security Intelligence says phishing messages misled users into granting permissions to an app called “Upgrade” that gave attackers the ability to create inbox rules, read and write emails and calendar items, and read contacts.
The company says it has deactivated the app in Azure AD and has notified affected customers. Microsoft says the campaign is targeting “hundreds” of organizations.
Microsoft is tracking a recent consent phishing campaign, reported by @ffforward, that abuses OAuth request links to trick users into granting consent to an app named ‘Upgrade’. The app governance feature in Microsoft Defender for Cloud Apps flagged the app’s unusual behavior.
— Microsoft Security Intelligence (@MsftSecIntel) January 21, 2022
According to the company, Microsoft Defender for Cloud Apps, Azure AD, and Defender for Office 365 can help protect against similar attacks by blocking the OAuth consent links or flagging unusual behavior of users or cloud apps.
These kinds of attacks are on the rise, Microsoft says. In a July 2021 blog, the Microsoft 365 Defender Threat Intelligence Team called attention to the increase in consent phishing emails, also called illicit consent grants, that abuse OAuth links in an attempt to trick users into granting attacker-owned apps permissions to access company data.
“Consent phishing attacks are a specialized form of phishing, so they require a comprehensive, multi-layer defense,” Microsoft said in the blog. “It’s important for system administrators to gain visibility and control over apps and the permissions these apps have in their environment.”
In the same blog, Microsoft called attention to capabilities in Azure Active Directory and Microsoft Defender that enable administrators to manage when end users can consent to apps, and that give organizations the visibility to identify when an app is behaving suspiciously.
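As an added example (not Microsoft's code or a description of its tooling), the script below shows how a defender might triage delegated consent grants for the mailbox permissions the campaign abused. Record fields loosely follow Microsoft Graph's oauth2PermissionGrant resource, the mapping from the article's wording to scope names is this example's assumption, and every sample value is constructed.

```python
"""Triage OAuth consent grants for mailbox permissions (added example, constructed data)."""
from dataclasses import dataclass

# Delegated Graph scopes that grant the capabilities the article describes.
# Mapping the article's wording onto these scope names is this example's assumption.
HIGH_RISK_SCOPES = {
    "MailboxSettings.ReadWrite": "create or change inbox rules",
    "Mail.ReadWrite": "read and write email",
    "Calendars.ReadWrite": "read and write calendar items",
    "Contacts.Read": "read contacts",
}

@dataclass
class ConsentGrant:
    client_id: str            # app (service principal) that received consent
    display_name: str         # app display name shown on the consent screen
    principal_id: str         # user who granted consent
    scope: str                # space-separated delegated scopes, as Graph returns them
    publisher_verified: bool = False

    @property
    def scopes(self):
        # Normalise the scope string into a sorted, de-duplicated list.
        return sorted({s for s in self.scope.split() if s})

def triage(grants):
    """Return [(grant, reasons)] for every grant that warrants analyst review."""
    flagged = []
    for g in grants:
        reasons = [f"{s}: {HIGH_RISK_SCOPES[s]}" for s in g.scopes if s in HIGH_RISK_SCOPES]
        if not reasons:
            continue                      # nothing mailbox-related was granted
        if not g.publisher_verified:
            reasons.append("publisher not verified")
        flagged.append((g, reasons))
    return flagged

def apps_to_revoke(grants):
    """Distinct client IDs whose grants were flagged, for follow-up revocation."""
    return sorted({g.client_id for g, _ in triage(grants)})

# Constructed sample: one grant shaped like the campaign, two benign ones.
SAMPLE_GRANTS = [
    ConsentGrant("app-0001", "Upgrade", "user-a",
                 "User.Read Mail.ReadWrite MailboxSettings.ReadWrite Calendars.ReadWrite Contacts.Read"),
    ConsentGrant("app-0002", "Meeting Notes", "user-b", "User.Read offline_access", publisher_verified=True),
    ConsentGrant("app-0003", "Signature Tool", "user-c", "User.Read Mail.Read", publisher_verified=True),
]

if __name__ == "__main__":
    for g, reasons in triage(SAMPLE_GRANTS):
        print(f"{g.display_name} ({g.client_id}) granted by {g.principal_id}: {'; '.join(reasons)}")
```

Running it lists only the "Upgrade" grant, with one reason per high-risk scope plus the unverified publisher, while the benign grants are left alone.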