How to Protect Remote Workforce from Web Application-Based Attacks

The on-going pandemic has changed the way people work. Organizations around the globe have turned to cloud applications for better collaboration and productivity for their remote workforce.

Microsoft has warned that today’s malicious actors are using malicious web applications to gain access to legitimate cloud services such as Office 365. In the blog post “Protecting your remote workforce from application-based attacks like consent phishing“, Agnieszka Girling, Partner Group PM Manager at Microsoft said, “While application use has accelerated and enabled employees to be productive remotely, attackers are looking at leveraging application-based attacks to gain unwarranted access to valuable data in cloud services.”

Consent phishing, Girling said, is an example of a web application-based attack that “can target the valuable data your organization cares about”.

Consent Phishing

Phishing, in general, refers to any form of fraud in which an attacker masquerades as a legitimate person or entity via email or other forms of communication. Consent phishing is a specific type of phishing in which an attacker tricks a user into granting a malicious web application access to the user’s account and data in a legitimate cloud service. Instead of stealing the user’s credentials, the attacker obtains the user’s permission, and the legitimate service then hands the attacker’s app the access it asked for.

To obtain that permission, attackers abuse OAuth (Open Authorization), an open protocol for delegated access. A user who has already signed in to a provider such as Microsoft or Google can authorize a third-party application to act on their account; the provider issues the application a token, and the application never sees the user’s username, password or multi-factor authentication response. OAuth itself is not broken; what the attacker exploits is the user’s willingness to click “Allow”.

Users are easily tricked because the consent screen is hosted by the provider itself: Microsoft, Google and Amazon all use OAuth, so the page asking for permission sits on a familiar, legitimate domain even when the application requesting access is malicious. An application-based attack using consent phishing via OAuth typically follows these steps:

First, an attacker registers the malicious application with an OAuth provider such as Azure Active Directory.

Second, the malicious application is designed in such a way that it appears legitimate.

Third, an attacker delivers a link to this malicious application through traditional email-based phishing, compromising a legitimate website or other malicious methods.

Fourth, once the target victim clicks on the link, a consent prompt granting the malicious application access to a legitimate application is presented to the target user. In the consent prompt, the user can either “cancel” or “allow” access.

Fifth, once the target victim clicks the “allow” button, the provider issues the attacker’s application an access token, and, if the application asked for offline access, a refresh token as well. This token serves as a key to the victim’s account. The attacker never needs the victim’s username or password, and multi-factor authentication is not a barrier because the victim already satisfied it when signing in to the provider.
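The link delivered in step three is what a defender gets to inspect, so the following added example (not code from the original article or from Microsoft) triages such a link the way the five steps above suggest: it confirms the consent page really is on the provider’s own authorize endpoint, extracts the application’s `client_id`, checks where the token will be sent (`redirect_uri`) against a trusted list, and flags the requested scopes that grant mailbox or file access or persistence. The authorize endpoints are the real ones for the Microsoft identity platform and Google; the `client_id` value, the `covid-bonus.example.net` and `contoso.example` hosts and the two sample links are constructed for this example.

```python
"""Triage an OAuth authorization link from a suspected consent-phishing email.

Added example, not code from the original article, Microsoft or Trend Micro.
The provider hosts are the real authorize endpoints; the client_id, the
redirect hosts and the sample links are constructed placeholders.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Set
from urllib.parse import parse_qs, urlparse

# The consent screen lives on the provider's own domain in both the benign and
# the malicious case; anything else is a lookalike page, not an OAuth consent.
PROVIDER_AUTHORIZE_HOSTS = {
    "login.microsoftonline.com": "Microsoft identity platform",
    "accounts.google.com": "Google",
}

# Delegated scopes that give the app mailbox, file or directory access.
HIGH_RISK_SCOPES = {
    "mail.read", "mail.readwrite", "mail.send",
    "files.read.all", "files.readwrite.all",
    "directory.read.all", "user.read.all", "contacts.read",
    "https://mail.google.com/",
    "https://www.googleapis.com/auth/gmail.readonly",
}


@dataclass
class ConsentLinkReport:
    provider: Optional[str]
    client_id: Optional[str]
    redirect_host: Optional[str]
    scopes: List[str] = field(default_factory=list)
    findings: List[str] = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return bool(self.findings)


def triage_consent_link(url: str, trusted_redirect_domains: Set[str]) -> ConsentLinkReport:
    """Parse an authorize URL and report the properties that matter for consent phishing."""
    parsed = urlparse(url)
    params = {k: v[0] for k, v in parse_qs(parsed.query).items()}

    provider = PROVIDER_AUTHORIZE_HOSTS.get(parsed.hostname or "")
    scopes = params.get("scope", "").split()
    redirect_uri = params.get("redirect_uri")
    redirect_host = urlparse(redirect_uri).hostname if redirect_uri else None
    report = ConsentLinkReport(provider, params.get("client_id"), redirect_host, scopes)

    if provider is None:
        report.findings.append(f"consent page is not on a known provider host: {parsed.hostname}")
    if redirect_host is None:
        report.findings.append("no redirect_uri: cannot tell where the token will be delivered")
    elif not any(redirect_host == d or redirect_host.endswith("." + d)
                 for d in trusted_redirect_domains):
        report.findings.append(f"token will be delivered to an untrusted host: {redirect_host}")

    risky = [s for s in scopes if s.lower() in HIGH_RISK_SCOPES]
    if risky:
        report.findings.append("high-risk scopes requested: " + ", ".join(risky))
    # offline_access (Microsoft) or access_type=offline (Google) yields a refresh
    # token, which is what turns a one-off consent into persistent access.
    if "offline_access" in (s.lower() for s in scopes) or params.get("access_type") == "offline":
        report.findings.append("refresh token requested: access would persist after the session ends")
    return report


# Constructed sample links. The first mimics the article's "COVID-19 Bonus" lure:
# a genuine Microsoft consent page for an app that sends the token elsewhere.
SAMPLE_PHISH_LINK = (
    "https://login.microsoftonline.com/common/oauth2/v2.0/authorize"
    "?client_id=00000000-0000-0000-0000-000000000000&response_type=code"
    "&redirect_uri=https%3A%2F%2Fcovid-bonus.example.net%2Fcallback"
    "&scope=openid%20offline_access%20Mail.Read%20Files.ReadWrite.All&state=xyz"
)
SAMPLE_BENIGN_LINK = (
    "https://login.microsoftonline.com/common/oauth2/v2.0/authorize"
    "?client_id=00000000-0000-0000-0000-000000000000&response_type=code"
    "&redirect_uri=https%3A%2F%2Fapp.contoso.example%2Fauth&scope=openid%20User.Read"
)
TRUSTED_REDIRECT_DOMAINS = {"contoso.example"}  # assumed organisational allow-list

if __name__ == "__main__":
    for link in (SAMPLE_PHISH_LINK, SAMPLE_BENIGN_LINK):
        r = triage_consent_link(link, TRUSTED_REDIRECT_DOMAINS)
        print(r.provider, r.client_id, r.redirect_host, r.scopes)
        for f in r.findings:
            print("  -", f)
```

The phishing link produces three findings (untrusted redirect host, high-risk scopes, refresh token) even though its consent page is genuinely on login.microsoftonline.com, which is exactly why “the page looks legitimate” is not a sufficient check; the benign link produces none. A lookalike host such as a subdomain of an attacker’s domain fails the first check.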

OAuth Exploitation

Security researchers from Trend Micro reported that between 2015 and 2016 an advanced persistent threat (APT) group abused OAuth in an advanced social engineering scheme, that is, via consent phishing, to gain access to the free webmail accounts of high-profile targets.

Trend Micro security researchers cited a consent phishing campaign that targeted Gmail users. The attacker sent victims emails that posed as an advisory from Gmail and provided a link for the installation of an “official” application called “Google Defender”.

Clicking on the link led to a page on accounts.google.com, a legitimate Google site, because all OAuth approvals are done on the site of the service provider, in this case Google. “Google Defender”, in reality, was a malicious application created by the APT group. Once the target clicked the “Allow” button on that page, an OAuth token was issued to the APT group, giving it semi-permanent access to the target’s Gmail mailbox: the access remains valid until the user or the provider revokes the application’s permission, regardless of any later password change the user might believe has locked the attacker out.

Preventive and Mitigating Measures Against Web Application-Based Attacks

Microsoft, for its part, has taken legal action against those who defrauded victims via consent phishing. Last July 7, the U.S. District Court for the Eastern District of Virginia unsealed documents detailing Microsoft’s case against those who defrauded victims via consent phishing.

According to Microsoft, the consent phishing campaign was carried out by taking advantage of the COVID-19 pandemic. The consent phishing campaign, Microsoft said, defrauded customers in 62 countries around the world. Microsoft said that the attackers used the terms “COVID-19 Bonus” to entice targeted victims to click on links that led to the malicious web apps created by the attackers.

“Once victims clicked on the deceptive links, they were ultimately prompted to grant access permissions to a malicious web application (web app),” Microsoft said. “Web apps are familiar-looking as they are widely used in organizations to drive productivity, create efficiencies and increase security in a distributed network. Unknown to the victim, these malicious web apps were controlled by the criminals, who, with fraudulently obtained permission, could access the victim’s Microsoft Office 365 account.”

Microsoft recommends the following measures to protect your organization from web application-based attacks, in particular, consent phishing:

- Make sure you recognize the web application name and the domain in the consent prompt before giving consent. A legitimate-looking consent page proves only that the provider is genuine, not that the application requesting access is.

- Use only web applications that have been publisher verified. In the case of Microsoft, publisher verified means that Microsoft has verified the identity of the app creator using a Microsoft Partner Network (MPN) account that has completed the verification process, and has associated this MPN account with the application registration.

- Configure user consent policies so that users can only consent to specific applications that your organization trusts, and route every other consent request to an administrator for review.

- Audit permitted apps in your organization to make sure that each app can only access the data the user actually needs, in line with the principle of least privilege: limiting the access rights of a user, or of an application acting for that user, to the bare minimum necessary to perform their function.
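The last two measures above, trusting only verified publishers and auditing grants for least privilege, can be checked mechanically against a tenant’s delegated permission grants. The following added example (not code from the original article or from Microsoft) runs both checks over records shaped like the objects Microsoft Graph returns for service principals (`appDisplayName`, `verifiedPublisher`) and OAuth2 permission grants (`clientId`, `consentType`, `scope`). The tenant data is constructed for this example, and the per-application register of approved scopes is an assumed organisational baseline, not something Microsoft provides.

```python
"""Audit delegated OAuth grants for unverified publishers and excess permissions.

Added example, not code from the original article or from Microsoft. The record
shapes follow Microsoft Graph's servicePrincipal and oAuth2PermissionGrant
objects; the tenant data and the approved-scope register are constructed.
"""
from typing import Dict, List, Set

# Constructed sample: the applications, as Graph returns service principals.
# verifiedPublisher fields are null for an app whose publisher is not verified.
SERVICE_PRINCIPALS = [
    {"id": "sp-1", "appDisplayName": "Contoso Expense Tracker",
     "verifiedPublisher": {"displayName": "Contoso Ltd", "verifiedPublisherId": "1234567"}},
    {"id": "sp-2", "appDisplayName": "COVID-19 Bonus Portal",
     "verifiedPublisher": {"displayName": None, "verifiedPublisherId": None}},
    {"id": "sp-3", "appDisplayName": "Mail Archiver",
     "verifiedPublisher": {"displayName": "Fabrikam Inc", "verifiedPublisherId": "7654321"}},
]

# Constructed sample: delegated grants. consentType "Principal" is one user's own
# consent; "AllPrincipals" is admin consent on behalf of the whole tenant.
PERMISSION_GRANTS = [
    {"id": "g-1", "clientId": "sp-1", "consentType": "AllPrincipals",
     "principalId": None, "scope": "openid User.Read"},
    {"id": "g-2", "clientId": "sp-2", "consentType": "Principal",
     "principalId": "user-42", "scope": "offline_access Mail.Read Files.ReadWrite.All"},
    {"id": "g-3", "clientId": "sp-3", "consentType": "Principal",
     "principalId": "user-7", "scope": "Mail.Read Mail.Send"},
]

# Assumed baseline: the scopes each approved app was justified to hold.
# An app absent from this register has no approved scopes at all.
APPROVED_SCOPES: Dict[str, Set[str]] = {
    "sp-1": {"openid", "user.read"},
    "sp-3": {"mail.read"},
}


def audit_grants(service_principals: List[dict], grants: List[dict],
                 approved: Dict[str, Set[str]]) -> List[Dict[str, str]]:
    """Return one finding per publisher or least-privilege violation, in grant order."""
    sps = {sp["id"]: sp for sp in service_principals}
    findings: List[Dict[str, str]] = []
    for grant in grants:
        sp = sps.get(grant["clientId"], {})
        app = sp.get("appDisplayName", grant["clientId"])
        granted = {s.lower() for s in grant["scope"].split()}
        publisher = sp.get("verifiedPublisher") or {}
        verified = bool(publisher.get("verifiedPublisherId"))
        user_consented = grant["consentType"] == "Principal"

        # Check 1: a user consented to an app whose publisher is not verified.
        if user_consented and not verified:
            findings.append({"grant": grant["id"], "app": app, "action": "revoke",
                             "issue": "user-consented app has no verified publisher"})

        # Check 2: least privilege. Anything beyond the approved baseline is excess;
        # an app with no approved scopes at all should lose the grant entirely.
        excess = sorted(granted - approved.get(grant["clientId"], set()))
        if excess:
            action = "reduce scope" if grant["clientId"] in approved else "revoke"
            findings.append({"grant": grant["id"], "app": app, "action": action,
                             "issue": "permissions beyond the approved baseline: " + " ".join(excess)})
    return findings


if __name__ == "__main__":
    for f in audit_grants(SERVICE_PRINCIPALS, PERMISSION_GRANTS, APPROVED_SCOPES):
        print(f"{f['grant']}  {f['app']!r:28} {f['action']:13} {f['issue']}")
```

On the sample data the expense tracker passes, the “COVID-19 Bonus Portal” grant is flagged twice (unverified publisher, and mailbox plus file scopes with a refresh token that were never approved) and should be revoked, and the mail archiver, although its publisher is verified, holds Mail.Send beyond its approved Mail.Read and should be cut back. In a real tenant the two input lists come from Graph’s `/servicePrincipals` and `/oauth2PermissionGrants` endpoints, and a grant is revoked by deleting the corresponding oAuth2PermissionGrant.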

At GenX we know how hard it is to recover from phishing attacks, especially when most businesses learn about the compromise way after the fact.

We have the tools and the expertise to protect your valuable employees from cyberattacks. Take the first step today and schedule a free consultation by calling (416) 920-3000 or email us at sales@genx.ca
