Recently I dealt with a cyber security attack that used a Microsoft Office 365 third-party app to gain access to senior staff’s email data. This is a new and advanced targeted attack against company executives and confidential company information. There is also a name for it: the illicit consent grant attack.
Microsoft’s documentation site has a detailed page on this, Detect and Remediate Illicit Consent Grants, and you can see the page was only created in May 2020. I have copied some content from the Microsoft page so you can understand a bit more of what I am talking about, and combined it with the details of my real case and my own security recommendations.
What is illicit consent grant attack?
In an illicit consent grant attack, the attacker creates an Azure-registered application that requests access to data such as contact information, email, or documents. The attacker then tricks an end user into granting that application consent to access their data either through a phishing attack, or by injecting illicit code into a trusted website. After the illicit application has been granted consent, it has account-level access to data without the need for an organisational account. Normal remediation steps, like resetting passwords for breached accounts or requiring Multi-Factor Authentication (MFA) on accounts, are not effective against this type of attack, since these are third-party applications and are external to the organisation.
What does the real attack look like?
Almost all targeted cyber attacks start from a phishing email, and this one is no different.
The attacker sent a phishing email with a link to a Microsoft O365 third-party application. Because the link points to a legitimate Microsoft site, email protection and web content protection will not kick in.
After the victim authenticated and consented to grant access to this malicious third-party application, the victim had handed over permission to all of their data.
The beauty of this attack is that the attacker did not aggressively dump user data, but instead set up a couple of auto-forwarding rules in Microsoft Exchange Online that only trigger on emails containing keywords of interest, bouncing those emails to the attacker’s mailbox. This reduces the chance of getting detected.
Moreover, the attacker created different auto-forwarding rules for different victims, so that if one was detected, the others might not be. It was the attacker’s backup plan!
How to detect this kind of attack?
The Microsoft page has the answer: search the O365 audit log, and inventory applications and their permissions.
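As an added example (not code from the post or from the Microsoft page), the Python script below runs those two audit-log checks over an exported log: it lists consent events, flags inbox rules that forward or redirect mail to an address outside the tenant, and correlates the two per user, which is the pattern described above (consent followed by keyword-triggered forwarding). The records are constructed for this example and only approximate the field names of the AuditData JSON that the Microsoft 365 audit log exports; the domains, addresses and application id are made up, and `INTERNAL_DOMAINS` is an assumed value you would replace with your own mail domains.

```python
"""
Triage of Microsoft 365 unified audit log records for the two indicators of an
illicit consent grant: a user consenting to an application, and mailbox inbox
rules that forward or redirect mail outside the organisation.

The records below are constructed for this example; their shape approximates
the AuditData JSON exported by the Microsoft 365 audit log (field names such as
Operation, UserId, Workload, ObjectId and Parameters), but no real tenant data
is included.
"""
import json

# Constructed sample: a JSON-lines export of audit records (not real data).
SAMPLE_AUDIT_LOG = r"""
{"CreationTime":"2020-05-04T08:12:31","Operation":"Consent to application.","Workload":"AzureActiveDirectory","UserId":"ceo@contoso.example","ObjectId":"11111111-aaaa-4bbb-8ccc-000000000001","ResultStatus":"Success"}
{"CreationTime":"2020-05-04T08:15:02","Operation":"New-InboxRule","Workload":"Exchange","UserId":"ceo@contoso.example","Parameters":[{"Name":"Name","Value":"."},{"Name":"SubjectOrBodyContainsWords","Value":"invoice;payment;wire"},{"Name":"ForwardTo","Value":"collector@attacker.example"}]}
{"CreationTime":"2020-05-04T08:20:45","Operation":"Set-InboxRule","Workload":"Exchange","UserId":"cfo@contoso.example","Parameters":[{"Name":"Identity","Value":"Archive"},{"Name":"RedirectTo","Value":"cfo-archive@contoso.example"}]}
{"CreationTime":"2020-05-04T09:01:10","Operation":"New-InboxRule","Workload":"Exchange","UserId":"cfo@contoso.example","Parameters":[{"Name":"Name","Value":"rss"},{"Name":"SubjectContainsWords","Value":"contract"},{"Name":"ForwardAsAttachmentTo","Value":"drop@attacker.example"},{"Name":"DeleteMessage","Value":"True"}]}
{"CreationTime":"2020-05-04T09:30:00","Operation":"UserLoggedIn","Workload":"AzureActiveDirectory","UserId":"cfo@contoso.example"}
"""

INTERNAL_DOMAINS = {"contoso.example"}  # assumed: the organisation's own mail domains

# Inbox-rule parameters that send a copy of mail elsewhere, and ones that
# narrow the rule to interesting content (the keyword-triggered pattern
# described in the post).
FORWARDING_PARAMS = ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo")
KEYWORD_PARAMS = ("SubjectContainsWords", "SubjectOrBodyContainsWords", "BodyContainsWords")


def load_records(text):
    """Parse a JSON-lines audit export into a list of dicts."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def find_consent_grants(records):
    """Return (user, application object id) for every successful consent event."""
    return [
        (r["UserId"], r.get("ObjectId"))
        for r in records
        if r.get("Operation") == "Consent to application." and r.get("ResultStatus") == "Success"
    ]


def _params(record):
    """Flatten the Exchange Parameters list into a name -> value dict."""
    return {p["Name"]: p["Value"] for p in record.get("Parameters", [])}


def _is_external(address, internal_domains):
    return address.rsplit("@", 1)[-1].lower() not in internal_domains


def find_external_forwarding_rules(records, internal_domains=INTERNAL_DOMAINS):
    """Flag inbox rules that forward/redirect to an address outside internal_domains.

    Each finding records the user, the rule operation, the external targets,
    any keyword filter and whether the original is deleted, so an analyst can
    see whether the rule matches the selective-forwarding pattern.
    """
    findings = []
    for r in records:
        if r.get("Operation") not in ("New-InboxRule", "Set-InboxRule"):
            continue
        params = _params(r)
        targets = [params[p] for p in FORWARDING_PARAMS if p in params]
        external = [t for t in targets if _is_external(t, internal_domains)]
        if not external:
            continue  # internal forwarding is normal and not flagged here
        findings.append({
            "user": r["UserId"],
            "operation": r["Operation"],
            "targets": external,
            "keywords": [params[p] for p in KEYWORD_PARAMS if p in params],
            "deletes_original": params.get("DeleteMessage") == "True",
        })
    return findings


def correlate(records, internal_domains=INTERNAL_DOMAINS):
    """Users who both consented to an app and gained an external forwarding rule."""
    consented = {user for user, _ in find_consent_grants(records)}
    forwarding = {f["user"] for f in find_external_forwarding_rules(records, internal_domains)}
    return sorted(consented & forwarding)


if __name__ == "__main__":
    recs = load_records(SAMPLE_AUDIT_LOG)
    for user, app in find_consent_grants(recs):
        print(f"consent: {user} -> app {app}")
    for finding in find_external_forwarding_rules(recs):
        print(f"external forwarding rule: {finding}")
    print("users with both indicators:", correlate(recs))
```

On the constructed sample the script reports one consent event (the ceo account), two external forwarding rules (one keyword-triggered copy to collector@attacker.example, one attachment forward that also deletes the original) and ignores the internal redirect, so the ceo account is the one user showing both indicators. Against a real export the same logic applies; the application ids it prints are the ones to check in the application inventory before revoking.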
How to remediate and prevent this from happening again?
Inventory applications and their permissions, and verify them
Revoke suspicious applications and their access
Turn integrated applications off for your tenancy
Promote user awareness of email security and of being careful before clicking suspicious links
Actively monitor logs and set up alerting
Traditional infrastructure-based cyber attacks are not that popular anymore, as most companies have implemented basic network protection, and more and more services are hosted in cloud environments protected by the cloud vendors’ professional security teams. Nowadays cyber attacks focus on data and try every method to exploit or bypass identification and authentication controls. Authentication is like the lock on the door. We use a username and password to authenticate users; then we felt that was not safe, so we added MFA. But system access and application access cannot work with interactive MFA and still need a system account or token. This leaves a backdoor for attackers.
On the other side, OAuth is the trend for granting third-party applications access to the current application, and this illicit consent incident in O365 is a typical case. For normal users, lots of Internet applications work the same way: Facebook, Gmail, etc. all provide OAuth or similar integrated application access for third parties. It should be both the service provider’s responsibility to provide a clear portal listing all granted access, and the end user’s responsibility to carefully understand the consequences before consenting and granting access to third parties.