Blocking OAuth Phishing


A recent RiskyBiz podcast described ongoing OAuth phishing attacks and they claim that the only way to prevent this is with MCAS and an E5 license, see https://risky.biz/newsletter15/ for the details. Is their explanation correct?

2 Replies

@Dean Gross 


I would essentially disagree with the statement that having MCAS is the only way you can prevent this. I agree that it can certainly help, and I always say that if you can afford MCAS, then get MCAS as it is an awesome tool.


However, the links provided in the article including https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/detect-and-remediate-ill... and https://docs.microsoft.com/en-us/cloud-app-security/investigate-risky-oauth and https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/manage-consent-requests all show techniques that can help you to identify and prevent such attacks.


So in my opinion, this can be done without MCAS, but MCAS will make it a hell of a lot easier for you.
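The "identify" half of the reply above (reviewing which apps have been granted delegated permissions, and by whom) can be done from a plain export of the tenant's OAuth2 permission grants, without MCAS. The script below is an added example for this thread, not code from the thread or from the Microsoft docs it links. Field names mirror the Microsoft Graph servicePrincipal and oauth2PermissionGrant resources, but the export layout, the risky-scope lists, the risk scoring and every GUID and app name are assumptions constructed for the example.

```python
"""Triage of delegated OAuth2 permission grants for consent-phishing indicators.

Added example for this thread; it is not code from the thread or from the
Microsoft docs linked above. Field names mirror the Microsoft Graph
servicePrincipal and oauth2PermissionGrant resources, but the export layout,
the scope lists and all identifiers are assumptions for the example.
"""
import json
from dataclasses import dataclass

# Delegated Graph scopes that let an app read or send the victim's mail or
# read their files: the permissions consent-phishing apps typically request.
# Assumed list for the example, not an official classification.
HIGH_RISK_SCOPES = {
    "Mail.Read", "Mail.ReadWrite", "Mail.Send", "MailboxSettings.ReadWrite",
    "Files.Read.All", "Files.ReadWrite.All", "Contacts.Read",
    "User.Read.All", "Directory.Read.All", "Directory.AccessAsUser.All",
}
# offline_access yields a refresh token, so access outlives the session.
PERSISTENCE_SCOPES = {"offline_access"}
RISK_ORDER = {"high": 0, "medium": 1, "low": 2}

# Constructed sample tenant and export (all GUIDs and app names are invented).
TENANT_ID = "11111111-1111-1111-1111-111111111111"
SAMPLE_EXPORT = json.dumps({
    "servicePrincipals": [
        {"id": "sp-1", "displayName": "Contoso Expense Portal",
         "appOwnerOrganizationId": TENANT_ID,
         "verifiedPublisher": {"verifiedPublisherId": None}},
        {"id": "sp-2", "displayName": "Acme Notetaker",
         "appOwnerOrganizationId": "22222222-2222-2222-2222-222222222222",
         "verifiedPublisher": {"verifiedPublisherId": "pub-acme"}},
        {"id": "sp-3", "displayName": "Office 365 Mail Backup",
         "appOwnerOrganizationId": "33333333-3333-3333-3333-333333333333",
         "verifiedPublisher": {"verifiedPublisherId": None}},
    ],
    "oauth2PermissionGrants": [
        {"id": "g-1", "clientId": "sp-1", "consentType": "AllPrincipals",
         "principalId": None, "scope": "User.Read"},
        {"id": "g-2", "clientId": "sp-2", "consentType": "AllPrincipals",
         "principalId": None, "scope": "User.Read openid profile"},
        {"id": "g-3", "clientId": "sp-3", "consentType": "Principal",
         "principalId": "user-42",
         "scope": "User.Read Mail.Read Mail.Send offline_access"},
        {"id": "g-4", "clientId": "sp-2", "consentType": "AllPrincipals",
         "principalId": None, "scope": "Files.Read.All User.Read"},
    ],
})


@dataclass
class Finding:
    grant_id: str
    app: str
    principal: str
    risk: str
    reasons: list


def triage_grant(grant, sp_by_id, tenant_id):
    """Score one grant. Returns a Finding; risk is 'low' when nothing fires."""
    sp = sp_by_id.get(grant["clientId"], {})
    scopes = set(grant.get("scope", "").split())
    reasons = []
    sensitive = sorted(scopes & HIGH_RISK_SCOPES)
    if sensitive:
        reasons.append("sensitive delegated scopes: " + ", ".join(sensitive))
    if scopes & PERSISTENCE_SCOPES:
        reasons.append("offline_access: refresh token outlives the session")
    if grant.get("consentType") == "Principal":
        reasons.append("single-user consent, the path consent phishing relies on")
    # A home-tenant app has no publisher to verify; only foreign apps are checked.
    foreign = sp.get("appOwnerOrganizationId") != tenant_id
    verified = bool((sp.get("verifiedPublisher") or {}).get("verifiedPublisherId"))
    if foreign and not verified:
        reasons.append("multi-tenant app without a verified publisher")
    if sensitive and len(reasons) >= 2:
        risk = "high"    # broad scope plus persistence, user consent or unknown publisher
    elif sensitive or len(reasons) >= 2:
        risk = "medium"
    else:
        risk = "low"
    return Finding(grant["id"], sp.get("displayName", grant["clientId"]),
                   grant.get("principalId") or "all users", risk, reasons)


def triage(export_json, tenant_id):
    """Parse the export and return findings, highest risk first."""
    export = json.loads(export_json)
    sp_by_id = {sp["id"]: sp for sp in export["servicePrincipals"]}
    findings = [triage_grant(g, sp_by_id, tenant_id)
                for g in export["oauth2PermissionGrants"]]
    return sorted(findings, key=lambda f: RISK_ORDER[f.risk])


if __name__ == "__main__":
    for f in triage(SAMPLE_EXPORT, TENANT_ID):
        reasons = "; ".join(f.reasons) or "nothing flagged"
        print(f"[{f.risk:6}] {f.app} -> {f.principal}: {reasons}")
```

In a real tenant the two lists would come from Microsoft Graph (the `/oauth2PermissionGrants` and `/servicePrincipals` endpoints) or from whatever export the detect-and-remediate guidance produces; the scope list and the scoring thresholds are meant to be tuned to what the tenant actually uses. Note that g-4 still surfaces as medium even though it was admin-consented for all users: broad delegated scopes deserve a look regardless of who consented, while the user-consented, refresh-token-bearing mail grant from an unverified publisher (g-3) is the pattern the podcast was describing.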

Thanks, given that there are almost always many ways to do something, I was concerned that the otherwise very reliable host of that show had made such a bold statement that an E5 license was required. He was very critical of MS for this, and while criticism is frequently warranted, it seemed excessive in that show. When this topic comes up for my clients, I'll be sure to discuss all of the options you have shared.