Push Security recently published an article on July 6, 2021 [read here] discussing a novel way for a malicious actor to bypass Multi Factor Authentication (MFA) and Passwordless sign-on for Microsoft 365 users.

Consent phishing is an emerging technique attackers are using to compromise user accounts, even if they have Multi-factor Authentication (MFA or 2FA) enabled. Consent phishing is particularly effective because it doesn’t exhibit many of the indicators that traditionally expose phishing attacks…

In blog post Microsoft warns that these attacks are on the rise. One notable example of this comes from the SANS Institute. They reported in August of 2020 that they had fallen victim to one of these attacks. As part of the investigation they produced a report with details on how the attackers managed to convince an employee to install a malicious Microsoft 365 add-in to gain access.

…The only fool proof method of preventing this kind of attack is to prevent users from granting access to third party apps. This is terrible for users though, and you’ll be missing out on all the productivity benefits these apps can bring.

Alex Triaca



How are we responding?

We have not seen attacks that utilize this technique against our customers so far. However, we always prefer to take a cautious approach to security and will be pre-emptively mitigating against this particular vector by changing the “3rd party apps and publishers” setting in our managed Microsoft 365 tenants to “require admin consent”. This will be integrated into our Standards and Operations Policy going forward for all clients. For our end clients, this means there may be a short delay when adding 3rd party apps to your Microsoft 365 account while we review and whitelist them. Once they’ve been approved they will be available for everyone in your organization to add.