Microsoft Warns about Consent Phishing, Increased Attacks During Pandemic

Ryan Klund
| Business Development Associate

Microsoft warned its users last week about cloud application-based attacks that have grown in frequency since the global pandemic forced organizations to work remotely in March.

In a blog post, Microsoft Partner Group PM Manager Agnieszka Girling explains that in response to a demand for employee remote capabilities, cloud services and apps have been scaled up. “While application use has accelerated and enabled employees to be productive remotely, attackers are looking at leveraging application-based attacks to gain unwarranted access to valuable data in cloud services,” says Girling.


You might be familiar with the more traditional Email Phishing Attacks where threat actors lure victims into giving up passwords and credentials. Consent Phishing Attacks, in contrast, trick victims into providing malicious Office 365 OAuth applications access to their Office 365 accounts and sensitive data or resources.

According to Microsoft, attackers are registering malicious apps that seem legitimate with an OAuth 2.0 provider like Azure Active Directory to make them seem trustworthy. The attacker gets a link to the malicious app in front of victims through traditional phishing techniques. The victims click, accept permissions and the attacker has access to their email, files, contacts, notes, and profile.

Example from Microsoft of permissions requests made during consent phishing attacks


Girling says Microsoft is continuing to identify, disable and prevent use of malicious apps when it finds signs of them. “We’re also continuing to invest in ways to ensure our application ecosystem is secure by enabling customers to see policies on the types of apps users can consent to as well as highlighting apps that come from trusted publishers.”


  1. Make sure you recognize the app name and domain URL before downloading
    According to Microsoft, attackers use names that make the malicious apps appear to come from legitimate companies. Be sure to educate your staff on spotting phony URLs in emails. Also, keep an eye out for incorrect spelling and grammar.
  1. You are safe with Publisher Verified apps.
    When an application is marked as Publisher Verified, it means their identity has completed a verification process in the Microsoft Partner Network and apps are safe to use. A blue badge will appear on the Azure AD consent prompt.
  1. Educate on and Audit Permissions and Consent
    Microsoft says that organizations must understand the data and permissions an application is asking for and understand how permissions and consent work in Microsoft’s platform. Be sure your employee applications are accessing only the data needed and ensure administrators know how to manage and evaluate requests.

At SWICKtech we’re helping organizations put into place a multi-layered security approach that protects against and monitors for malicious activity across any business network. If you’re concerned about or want to learn more about protecting against consent phishing attacks, schedule a no-strings-attached consultation today.

Stop potential hackers in their tracks.

Related Blogs

Payroll Diversion Fraud Is Targeting Employees

Payroll Diversion Fraud Is Targeting Employees

Costly direct deposit theft scams are on the rise How does it work? Cyber criminals are after employee paychecks that ... Read More >
SWICKtech’s New Cybersecurity Agreement Makes Implementing New Cyber Insurance Requirements Easy

SWICKtech’s New Cybersecurity Agreement Makes Implementing New Cyber Insurance Requirements Easy

You may not know your business is at risk until it's too late The landscape of Information Technology (I.T.) has ... Read More >
What Is the Log4J Vulnerability?

What Is the Log4J Vulnerability?

Log4J is a free and open-source logging library widely used by companies large and small. Officially designated CVE-2021-44228, the 0-day ... Read More >