If you’ve ever been interested in cybersecurity, you’ve probably heard of consent phishing. Well, the term itself hints at its exact essence. This specific kind of cyberattack requires consent of sorts from the victim. It has recently grown across the globe sending an invisible message to countless businesses: Revise your user policies and digital asset management.
This article dives into what consent phishing is so that both organizations and individuals can better protect their data from this targeted attack.
What is Consent Phishing?
Consent phishing is an application-based attack that misleads the victim with a legitimately registered application to get access to their sensitive data. This attack type, however, differs from credential phishing, as it doesn’t redirect the user to a fake app.
While it can be implemented in various ways, the most common one is via email. So how does consent phishing happen? The attacker sends a seemingly reliable message to their target’s email. Once the target clicks on the link, an application is installed on their computer. From there, the attacker harvests information about the victim.
Consent Phishing Example
There have been many vivid cases of consent phishing attacks among prominent organizations that later turned into a warning signal for others.
One of the most famous examples is the security breach SANS Institute disclosed in 2020. As they reported, some employees received an email named “Copy of sans July Bonus 24JUL2020.xls”.
It included a “Bonus” document in the Enabler4Excel 365 format and employees felt excited to click on the “Open” button. It was enough for one employee to click the link and inadvertently install a malicious Microsoft 365 add-on. This program created a forwarding rule for 513 emails to the anonymous attacker.
How Do Consent Phishing Attacks Work?
To be trustworthy enough, consent phishing attacks seemingly come from legitimate providers. This makes it easier for attacker-controlled applications to gain access to user data. The plan is usually meticulously orchestrated to achieve success. Below, we talk about the common steps consent phishing attacks follow.
The Consent Phishing Method
Each consent phishing attack is different, but the main steps remain as follows:
- An attacker registers an app with an OAuth 2.0 provider (eg. Azure Active Directory).
- The app carries a reliable name and structure not to raise suspicion (eg. using a popular sphere-related name).
- The attacker generates a link that is later sent to users to click on, granting the malicious app permissions to data.
- Once the user accepts what the link offers, their sensitive data gets trapped.
- The access token is implemented with the authorization code sent to the app. It’s also used to make API calls on behalf of the user.
Once the user accepts the message, their data becomes accessible to the attacker. This can include email, contacts, forwarding rules, files, notes, profile, etc.
Consent phishing may come via various digital channels. However, email is one of the more reliable sources, as the attacker needs to create the illusion of a legitimate company contacting the targets. A user may also come across a consent phishing attack in an app, software program, or sign-in forms. In any case, if an app asks you to install another app, you should check if the request is in line with the program’s privacy policies and your company guidelines.
Consent Phishing Tactics
As we mentioned above, consent phishing is usually planned and follows a set sequence of steps. Starting from malicious app creation to the efforts to appear genuine, this process can be daunting.
As a type of phishing, this attack shows strong social engineering traits. First of all, the hacker relies on the urgency component. Second, they hope a “great offer” will be enticing enough for the victim to click the link. Still, a characteristic of consent phishing is the “transfer of blame” to the receiving party.
Why is Consent Phishing Efficient?
Consent phishing is efficient because it leverages a seemingly legitimate application, which the victim is eager to install. Another component making it highly effective is the implementation based on the victim’s consent.
As a highly potent attack type paired with the rise of email marketing, consent phishing is gaining increasingly more traction in the cyberworld. This attack type is on the rise, but it hasn’t reached its peak yet. We’ve already predicted the growth of consent phishing in 2022, as general phishing cases have no intention to slow down.
How to Prevent Consent Phishing Attacks
The dangers of consent phishing can threaten any organization. Therefore, every company must take relevant steps to avoid losing significant data. It’s worth investing in cybersecurity as it’s of utmost importance for a business. We’ve also highlighted some practical tactics on how to prevent consent phishing.
Educate Your Staff
Your team members must be well aware of consent phishing to protect both themselves and the company they work for. Train your staff members to double-check the links, files, emails, and other content they receive and exclude suspicious features.
Only Allow User Access to a List of Approved Apps
Enforce publisher-verified applications or create a separate list of apps you trust. If your company produces applications itself, it’s better to use proprietary products.
Ensure Admins Know the Consent Evaluation Policies
Sure, third-party apps are important for your business despite the dangers of consent phishing. Hence, your administrators must understand the permissions and consent framework to help prevent malicious apps from entering your environment. We recommend a set policy for outside applications and how to handle installation offers.
Use Email Authentication Protocols
As we mentioned, email is a primary delivery mechanism for consent phishing. While training and policies are crucial, sometimes relying on the sound judgment of your employees isn’t enough.
Like with any type of phishing, your best bet is to put enough filters in place to leave as little as you can to individuals.
It’s true, SPF, DKIM, and DMARC won’t help your infrastructure from incoming threats (we have an upcoming product that will solve that too!). However, we can and will protect your partners and clients from getting spoofed on your behalf. It’s your reputation at stake, so sign up with EasyDMARC to start your authentication journey.
As technology develops, it becomes easier to unlock anything digitalized. Therefore, the probability of cyberattacks gets bigger, and so does the need to keep your data secure.
Now that you’ve learned what consent phishing is and how to prevent it, put our best practices into action.
Have you ever encountered a consent phishing case? Get in touch with us on LinkedIn and let’s start a helpful discussion!