Consent (OAuth) phishing…from attack to detect to prevent with Microsoft Defender for Cloud Apps

Derk van der Woude
Nov 17, 2021

Consent (OAuth) phishing is another method (next to the well-known credential phishing) that is getting more popular among bad actors. With consent phishing the end user grants an app (controlled by the bad actor) consent to access their data.

App consent bypasses Conditional Access (e.g. Multi-Factor Authentication): the user completes the sign-in themselves, and the token issued to the app is used afterwards without any further MFA prompt.

User app consent is enabled by default for all Office 365 tenants.

The attack

The attack starts by creating an Azure app registration in Azure AD, let’s call our app OAuth example.

This will create the app (we need the application ID at a later stage). In the Authentication settings of the app, we need to set ‘Allow public client flows’ to Yes.

We use Postman (an API test and development platform) to obtain the OAuth device code information (the verification_uri and user_code) that goes into the phishing e-mail.

Finally, draft an e-mail with the verification_uri and the user_code (with a pretext such as "the company updated the mobile device policy") and send it to the victim user.

The victim user who opens the e-mail and enters the code gets the following app consent screen:

After the user accepts (consents), the attacker can continue the attack (see below) and use the access token to access the mailbox and read e-mail(s) via the Microsoft Graph API (as an example).

Microsoft Defender for Cloud Apps (MDCA)

Microsoft Defender for Cloud Apps (previously Microsoft Cloud App Security) can detect OAuth attacks via threat detection policies.

Microsoft Defender for Cloud Apps also provides an overview of OAuth apps and their permission level (it is typically not the apps authorized by many users that are malicious, but the apps authorized by a single user or a few users).

An option in Microsoft Defender for Cloud Apps is to block the app (Mark app as banned).
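The triage rule behind the MDCA overview (permission level combined with how many users consented) can also be scripted against the tenant's own consent grants. The following is an added example, not code from the original post or from Microsoft: it runs over a constructed sample shaped like Microsoft Graph oauth2PermissionGrant records (the field names clientId, consentType, principalId and scope are the Graph schema; the values are made up) and flags apps that were user-consented by few users and hold a high-privilege scope. The HIGH_RISK_SCOPES list and the few_users threshold are assumptions chosen for the example.

```python
"""Triage OAuth consent grants for consent-phishing indicators (added example)."""
from collections import defaultdict

# Scopes that give an app broad access to a user's data; treated as "high
# permission level" here. Assumption: this list is the example author's choice.
HIGH_RISK_SCOPES = {
    "Mail.Read", "Mail.ReadWrite", "Mail.Send", "Files.ReadWrite.All",
    "Contacts.Read", "offline_access", "Directory.AccessAsUser.All",
}

# Constructed sample of oauth2PermissionGrant records (Graph field names,
# made-up ids). consentType "AllPrincipals" means an admin consented for the
# whole tenant; "Principal" means one user consented for themselves.
SAMPLE_GRANTS = [
    {"clientId": "sp-teams", "consentType": "AllPrincipals", "principalId": None,
     "scope": "User.Read Chat.Read"},
    # The "OAuth example" style app: one user, mailbox read plus refresh tokens.
    {"clientId": "sp-oauth-example", "consentType": "Principal",
     "principalId": "user-alice", "scope": "Mail.Read offline_access"},
] + [
    # A popular low-privilege app consented by many users: not interesting.
    {"clientId": "sp-notes", "consentType": "Principal",
     "principalId": f"user-{i}", "scope": "User.Read"} for i in range(5)
] + [
    # A widely used mail app: high privilege, but many users consented.
    {"clientId": "sp-mailclient", "consentType": "Principal",
     "principalId": f"user-{i}", "scope": "Mail.Read"} for i in range(5)
]


def summarize_grants(grants):
    """Aggregate grants per app: distinct consenting users, union of scopes,
    and whether an admin consented tenant-wide."""
    apps = defaultdict(lambda: {"users": set(), "scopes": set(), "admin_consented": False})
    for g in grants:
        entry = apps[g["clientId"]]
        entry["scopes"].update(g["scope"].split())
        if g["consentType"] == "AllPrincipals":
            entry["admin_consented"] = True
        elif g.get("principalId"):
            entry["users"].add(g["principalId"])
    return apps


def triage(grants, few_users=3):
    """Return apps that are user-consented (no admin consent), by at most
    `few_users` distinct users, and hold at least one high-risk scope.
    Sorted so the app with the fewest consenting users comes first."""
    findings = []
    for client_id, e in summarize_grants(grants).items():
        risky = e["scopes"] & HIGH_RISK_SCOPES
        if not e["admin_consented"] and risky and len(e["users"]) <= few_users:
            findings.append({
                "clientId": client_id,
                "users": len(e["users"]),
                "high_risk_scopes": sorted(risky),
            })
    return sorted(findings, key=lambda f: (f["users"], f["clientId"]))


if __name__ == "__main__":
    for finding in triage(SAMPLE_GRANTS):
        print(f"review {finding['clientId']}: {finding['users']} user(s), "
              f"scopes {', '.join(finding['high_risk_scopes'])}")
```

In a real tenant the input would be the result of GET /oauth2PermissionGrants from Microsoft Graph; the flagged apps are candidates for the "Mark app as banned" action described above, after checking the publisher and the consenting user's sign-in history.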

Azure AD

"Prevention is better than cure" also applies to this type of attack. As mentioned before, user app consent is enabled by default. Change the user consent setting (Azure AD -> Enterprise Applications -> User settings) to admin app consent (by disabling user consent) and configure the admin consent workflow.

Any app that requests consent then needs approval from an admin (a user configured in the Admin consent settings).
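The same two settings can be audited and enforced outside the portal. The following is an added example, not code from the original post or from Microsoft: it checks the JSON that Microsoft Graph returns for /policies/authorizationPolicy (user consent) and /policies/adminConsentRequestPolicy (admin consent workflow), so the audit runs offline on the constructed samples below, and builds the request bodies that disable user consent and enable the workflow. The endpoint paths and property names are taken from the Graph v1.0 schema as I know it; the sample policy values, the reviewer ids and the 30-day request duration are assumptions, and sending the change requires an access token with Policy.ReadWrite.Authorization.

```python
"""Audit and harden tenant consent settings via Microsoft Graph (added example)."""
import json
import urllib.request

GRAPH = "https://graph.microsoft.com/v1.0"

# Constructed sample: a tenant still at the default, where users may consent
# to apps themselves (a non-empty permissionGrantPoliciesAssigned list).
DEFAULT_AUTHZ_POLICY = {
    "defaultUserRolePermissions": {
        "permissionGrantPoliciesAssigned": [
            "ManagePermissionGrantsForSelf.microsoft-user-default-legacy"
        ]
    }
}
# Constructed sample: admin consent request workflow not configured.
DEFAULT_CONSENT_REQUEST_POLICY = {"isEnabled": False, "reviewers": []}


def user_consent_enabled(authz_policy):
    """True when any permission-grant policy is assigned to the default user
    role, i.e. end users can still consent to apps on their own."""
    perms = authz_policy.get("defaultUserRolePermissions", {})
    return bool(perms.get("permissionGrantPoliciesAssigned"))


def admin_consent_workflow_enabled(request_policy):
    """True when the workflow is on and at least one reviewer is configured;
    an enabled workflow with no reviewers leaves users with no path to ask."""
    return bool(request_policy.get("isEnabled")) and bool(request_policy.get("reviewers"))


def hardening_payloads(reviewer_user_ids, request_duration_days=30):
    """Build the two Graph request bodies: clear the user-consent policy
    assignment, and enable the admin consent request workflow with the given
    reviewers (hypothetical user object ids)."""
    authz = {"defaultUserRolePermissions": {"permissionGrantPoliciesAssigned": []}}
    workflow = {
        "isEnabled": True,
        "notifyReviewers": True,
        "remindersEnabled": True,
        "requestDurationInDays": request_duration_days,
        "reviewers": [
            {"query": f"/users/{uid}", "queryType": "MicrosoftGraph"}
            for uid in reviewer_user_ids
        ],
    }
    return authz, workflow


def _send(method, url, body, access_token):
    req = urllib.request.Request(
        url, data=json.dumps(body).encode(), method=method,
        headers={"Authorization": f"Bearer {access_token}",
                 "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return resp.status


def apply_hardening(access_token, reviewer_user_ids):
    """PATCH the authorization policy and PUT the consent request policy.
    Only call this with a real token; nothing below is exercised offline."""
    authz, workflow = hardening_payloads(reviewer_user_ids)
    _send("PATCH", f"{GRAPH}/policies/authorizationPolicy", authz, access_token)
    _send("PUT", f"{GRAPH}/policies/adminConsentRequestPolicy", workflow, access_token)


if __name__ == "__main__":
    print("user consent enabled:", user_consent_enabled(DEFAULT_AUTHZ_POLICY))
    print("admin consent workflow:", admin_consent_workflow_enabled(DEFAULT_CONSENT_REQUEST_POLICY))
    authz, workflow = hardening_payloads(["<reviewer-object-id>"])
    print(json.dumps({"authorizationPolicy": authz, "adminConsentRequestPolicy": workflow}, indent=2))
```

Run the two audit functions periodically against the live policy objects: a tenant that drifts back to a non-empty permissionGrantPoliciesAssigned list has silently re-enabled the default that makes the consent phishing above possible.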

I hope this blog gives some insight into consent phishing attacks and how to mitigate (detect and/or prevent) these types of attacks.
