Consent phishing: What you need to know

There used to be a time when obtaining your credentials was a basic necessity for breaking into your account. Nowadays, handing over your personal information is no longer required for you to be hacked. How? The answer is really simple: consent phishing. What is consent phishing? How does it work? What should you know about it? Let me cover all of this here.

What is Consent Phishing?

Consent phishing is a type of application-based threat that you should keep an eye on. It is similar to phishing, and while you may not know about it fully, one thing you need to know is that it is a genuinely dangerous threat! Consent phishing works by tricking users into granting a malicious app access to their personal information. Instead of stealing the user's password, the attacker seeks permission for an attacker-controlled application to access the valuable data.

Even Microsoft has warned about consent phishing. In this type of attack, the user sees a pop-up from an app asking for extensive permissions. The consent screen lists all the permissions the app will receive, and people accept them thinking that the app is trustworthy. As soon as the user accepts, the attackers get access to their mails, forwarding rules, files, profile, notes, contacts, and other sensitive information.


This is how Microsoft explained what happens in Consent phishing:

  1. The attacker registers an application with an OAuth 2.0 provider such as Azure.
  2. To make the app look more trustworthy, attackers tend to use the names of popular products that are used in the same ecosystem.
  3. Using techniques like email phishing, or compromising otherwise benign websites, the attackers get a link in front of the user.
  4. When the user clicks that link, an authentic consent prompt is shown asking them to grant the malicious app permission to their data.
  5. When the user accepts, the app is granted permission to access the personal data.
  6. The app then receives an authorization code, which it exchanges for an access token and also a refresh token.
  7. This access token is then used to make API calls on behalf of the user.
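Steps 3 to 7 hinge on what the consent link actually asks for. The script below is an added example (not from the article or from Microsoft) that takes the URL behind a lure and pulls out the application id, the redirect address that will receive the tokens, and the requested scopes, flagging the ones that typically show up in consent phishing. The sample URL, the placeholder client id, the host list and the scope risk table are all constructed for this demo.

```python
"""Inspect an OAuth 2.0 authorization (consent) link before anyone clicks it.

Added example, not part of the article. The consent page itself is served by
the real identity provider, so the login host proves nothing; the redirect_uri
(where tokens are delivered) and the scope list are what tell you who gets
access to what.
"""
from urllib.parse import urlparse, parse_qs

# Delegated Microsoft Graph permissions that hand an app broad, lasting access.
# Illustrative list assembled for this example, not an official ranking.
HIGH_RISK_SCOPES = {
    "Mail.Read": "read the user's mailbox",
    "Mail.ReadWrite": "read and modify mail",
    "Mail.Send": "send mail as the user",
    "MailboxSettings.ReadWrite": "change forwarding rules and mailbox settings",
    "Files.Read.All": "read all files the user can reach",
    "Files.ReadWrite.All": "read and modify all files the user can reach",
    "Contacts.Read": "read contacts",
    "Notes.Read.All": "read OneNote notebooks",
    "offline_access": "obtain a refresh token, so access survives the browser session",
}

# Hosts that serve genuine Microsoft consent prompts (assumed for this example).
KNOWN_AUTHORIZE_HOSTS = {"login.microsoftonline.com", "login.live.com"}

# Constructed lure: a real-looking authorize URL with a placeholder client id
# and a redirect to a host the attacker would control.
SAMPLE_LURE = (
    "https://login.microsoftonline.com/common/oauth2/v2.0/authorize"
    "?client_id=00000000-0000-0000-0000-000000000000"
    "&response_type=code"
    "&redirect_uri=https%3A%2F%2Fexample.invalid%2Fcallback"
    "&scope=openid%20profile%20offline_access%20Mail.Read"
    "%20MailboxSettings.ReadWrite%20Files.Read.All"
)


def inspect_consent_link(url: str) -> dict:
    """Break a consent link into the fields a reviewer needs to judge it."""
    parsed = urlparse(url)
    params = parse_qs(parsed.query)          # percent-decodes values for us
    scopes = []
    for raw in params.get("scope", []):
        scopes.extend(raw.split())           # scope values are space-separated
    # Scopes may carry a resource prefix (https://graph.microsoft.com/Mail.Read).
    short = [s.rsplit("/", 1)[-1] for s in scopes]
    risky = {s: HIGH_RISK_SCOPES[s] for s in short if s in HIGH_RISK_SCOPES}
    redirect = params.get("redirect_uri", [""])[0]
    return {
        "authorize_host": parsed.hostname,
        "is_identity_provider": parsed.hostname in KNOWN_AUTHORIZE_HOSTS,
        "client_id": params.get("client_id", [""])[0],
        "redirect_host": urlparse(redirect).hostname or "",
        "scopes": short,
        "risky_scopes": risky,
        "persistent": "offline_access" in short,
    }


def risk_summary(url: str) -> list:
    """Plain-language notes a user or help desk could act on."""
    info = inspect_consent_link(url)
    notes = []
    if info["is_identity_provider"]:
        notes.append("Consent page is served by the real identity provider; "
                     "that alone says nothing about the app being safe.")
    else:
        notes.append(f"Consent page host {info['authorize_host']!r} is not a "
                     "known identity provider.")
    notes.append(f"Tokens will be delivered to {info['redirect_host']!r}; "
                 "that host, not the login page, receives your data.")
    for scope, meaning in info["risky_scopes"].items():
        notes.append(f"Requests {scope}: {meaning}")
    if info["persistent"]:
        notes.append("offline_access keeps the access alive after you close "
                     "the browser, until the grant is revoked.")
    return notes


if __name__ == "__main__":
    for line in risk_summary(SAMPLE_LURE):
        print("-", line)
```

The check is deliberately lightweight so it can run on a help-desk machine or in a mail-gateway rule: the only inputs are the URL's query parameters, and the output is a list of human-readable reasons rather than a verdict, because the same scope set can be legitimate for a vetted app and alarming for an unknown one.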

Dealing with Consent Phishing

Consent phishing is dangerous, for sure. But that doesn't mean there isn't a way to protect yourself from it. Here are some steps that can help you deal with consent phishing.

  • Educate people about how the permissions and consent framework works:
  1. Organizations should educate their employees on how permissions and consent work within their platform. Employees should understand which permissions and data an app is asking for.
  2. Ensure that administrators know how to manage and evaluate consent requests.
  3. Audit apps and their consented permissions to ensure that the apps in use access only the data they require and stick to the principle of least privilege.
  • Educate your organization about consent phishing techniques:
  1. One of the most common features of a bogus website is wrong spelling and grammar, so always check the spelling and grammar before downloading anything from it. If something looks suspicious, check the grammar and spelling thoroughly.
  2. Another trick played by attackers is the use of fake app names, domain names and URLs. They choose app names that make the app look like it comes from a genuine app or company, and this can trick you into giving consent to a malicious app. So always check the app name, domain name and URLs before giving consent.
  3. Employees should always read their emails thoroughly, since almost every phishing mail comes with a link. But don't always trust what you see. The link may say "Go To Office 365 account", but as soon as the user clicks it, it takes them to a bogus page that may look very similar to the original Microsoft page. Before clicking, the user should check the pop-up that displays the link's real location. If the link text and the pop-up address don't match, it is a phishing link or mail.
  • Promote and allow access only to the apps you trust:
  1. Configure app consent policies so that users can only consent to the specific applications you trust. This is possible when the apps you use are developed by your organization or come from a verified publisher.
  2. Promote the use of publisher-verified applications. With publisher-verified applications it is easier for admins and end users to establish the authenticity of app developers.
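The audit of consented permissions (first group, item 3), the warning about imitation app names (second group, item 2) and the verified-publisher controls (third group) all come down to the same review of what has already been granted in the directory. The script below is an added example, not the article's or Microsoft's code: it walks a set of service-principal and permission-grant records and reports apps that hold high-risk delegated scopes, have no verified publisher, were consented to by an end user rather than an admin, or carry a name that imitates a well-known product. The records are constructed here; their field names follow the Microsoft Graph objects, but the values, the scope risk list and the product-name list are made up for the demo.

```python
"""Audit existing OAuth consent grants for signs of consent phishing.

Added example, not part of the article. Input shape mirrors Microsoft Graph's
servicePrincipal (id, displayName, verifiedPublisher) and oAuth2PermissionGrant
(clientId, consentType, principalId, scope) objects; all values are constructed.
"""
from difflib import SequenceMatcher

# Delegated scopes that give an app broad or lasting access (illustrative list).
HIGH_RISK_SCOPES = {
    "Mail.Read", "Mail.ReadWrite", "Mail.Send", "MailboxSettings.ReadWrite",
    "Files.Read.All", "Files.ReadWrite.All", "Contacts.Read", "Notes.Read.All",
    "offline_access",
}

# Product names attackers like to imitate (illustrative list, lower-case).
IMPERSONATED_NAMES = ["microsoft teams", "office 365", "onedrive", "outlook", "sharepoint"]

# Digits and symbols commonly swapped in for letters in look-alike names.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "|": "l", "@": "a"})

# Constructed directory snapshot. verifiedPublisher None = no publisher verification.
SERVICE_PRINCIPALS = [
    {"id": "sp-1", "displayName": "Microsoft Teams", "verifiedPublisher": "Microsoft Corporation"},
    {"id": "sp-2", "displayName": "Offlce 365 Mail Sync", "verifiedPublisher": None},
    {"id": "sp-3", "displayName": "Contoso Reports", "verifiedPublisher": "Contoso Ltd"},
    {"id": "sp-4", "displayName": "Expense Tracker Pro", "verifiedPublisher": None},
]
GRANTS = [
    {"clientId": "sp-1", "consentType": "AllPrincipals", "principalId": None, "scope": "User.Read Chat.Read"},
    {"clientId": "sp-2", "consentType": "Principal", "principalId": "user-42",
     "scope": "Mail.Read MailboxSettings.ReadWrite offline_access"},
    {"clientId": "sp-3", "consentType": "AllPrincipals", "principalId": None, "scope": "User.Read Files.Read.All"},
    {"clientId": "sp-4", "consentType": "Principal", "principalId": "user-7", "scope": "User.Read"},
]


def lookalike_of(display_name):
    """Return the imitated product name if the display name resembles one, else None."""
    tokens = display_name.lower().translate(HOMOGLYPHS).split()
    for product in IMPERSONATED_NAMES:
        norm_product = product.translate(HOMOGLYPHS)
        k = len(norm_product.split())
        # Compare every k-word window of the name against the product name.
        for i in range(len(tokens) - k + 1):
            window = " ".join(tokens[i:i + k])
            if SequenceMatcher(None, window, norm_product).ratio() >= 0.85:
                return product
    return None


def audit_grants(service_principals, grants):
    """Return one finding per grant that deserves a second look, in grant order."""
    sp_by_id = {sp["id"]: sp for sp in service_principals}
    findings = []
    for g in grants:
        sp = sp_by_id[g["clientId"]]
        scopes = set(g["scope"].split())
        risky = sorted(scopes & HIGH_RISK_SCOPES)
        unverified = sp.get("verifiedPublisher") is None
        reasons = []
        if unverified:
            reasons.append("publisher not verified")
        if risky:
            reasons.append("high-risk scopes: " + ", ".join(risky))
        if g["consentType"] == "Principal" and risky:
            reasons.append(f"granted by end user {g['principalId']} rather than an admin")
        # A verified publisher is allowed to use its own product name; only
        # unverified apps are checked for imitation.
        look = lookalike_of(sp["displayName"]) if unverified else None
        if look:
            reasons.append(f"name resembles '{look}'")
        if not reasons:
            continue
        if risky and unverified:
            severity = "high"
        elif risky or look:
            severity = "medium"
        else:
            severity = "low"
        findings.append({"app": sp["displayName"], "severity": severity, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in audit_grants(SERVICE_PRINCIPALS, GRANTS):
        print(f"[{f['severity']}] {f['app']}: " + "; ".join(f["reasons"]))
```

In a real tenant the two input lists would come from the directory API and the review would be scheduled, but the decision logic is the part worth getting right: an app from a verified publisher holding a broad scope is a least-privilege question for the admin who approved it, whereas an unverified app with a look-alike name, mailbox and forwarding-rule access, and a grant made by a single user matches the attack chain described above and belongs at the top of the list.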

In this ever-changing world of technology, even the attackers are coming up with advanced and subtle techniques. To protect your system or PC you can also use PC Cleaner or PC Security tools. With these techniques you can prevent yourself from being tricked into this phishing trap.