Protecting your Identities from attacks like consent phishing



Hi Cloud Friends,


Today, developers build apps by integrating user and enterprise data from cloud platforms to enhance and personalize experiences. These cloud platforms are rich in data, but in turn have attracted malicious actors who attempt to gain unauthorized access to that data.


One such attack is consent phishing, in which attackers trick users into granting a malicious app access to sensitive data or other resources. Instead of trying to steal the user's password, an attacker asks for permission for an app controlled by the attacker to access valuable data. 


These apps are often named to mimic legit apps, such as “0365 Access” or “Newsletter App”. 


Here is one way to counteract these attacks.


1. Restricting users from registering new apps to Azure AD:




2. Preventing the users for giving consents to apps:



When you make these settings you need to know that as an administrator you will have to make the apps available to the users. So this means that you as an administrator will have more work.


As an administrator for the respective app (enterprise application), you should configure the consent for the necessary permissions on behalf of the user. But really do not flip the "big switch" that all users can give consent of permissions for ALL apps.


Enormously important is also the training for the users. In many cases, such apps are not described correctly, or the spelling is wrong. Training your users regularly is another way to counter these attacks.


I hope this article was useful.


Best regards, Tom Wechsler

2 Replies


If we totally block the users consent to apps, users can't install even the quality applications. So, it better to enable the Admin consent workflow to securely approve the app consent requests.

Useful, right?

Also, we can review the existing application permissions in our O365 and remove the malicious applications immediately.

@Anu_11 exactly my thoughts. 
We enabled the option that apps of verified vendors can be consented to with uncritical permissions. For all others they have to go through the workflow process.