Following a wave of Office 365 attacks, compromising passwords, most organisations have now accepted that multifactor authentication is essential and have it in place.

As a result, they may feel much safer, but as ever the criminals are one step ahead. A new form of very dangerous Office 365 attack, known as ‘Illicit Consent’ has emerged.  And, if you don’t take action, your business will be wide open to it.

The Office 365 attack: ‘Illicit Consent’

Like most modern, large-scale online applications, Microsoft 365 can connect you to a massive ecosystem of other apps so you are able to integrate them, exchange data and generally work more efficiently.  This is a big part of the attraction of cloud applications but it is also what the criminals are now exploiting.

Criminal gangs are now writing malicious apps which can connect to Microsoft 365. They do this by tricking people using the systems into letting them connect. Once in, they can gain access to your contact information, email and documents and be able to read or possibly modify or delete it. It’s a real worry especially if, as most businesses do, you hold personal information subject to the GDPR.

How does an attack work?

Usually this will start much like a traditional phishing attack. The end-user will receive an email styled like a Microsoft sharing notification or some other email that appears legitimate. Once the linked is clicked, you will receive a request to authorise a third- party application on your account.

This will be a legitimate Microsoft request like the picture here -and one people are used to seeing, so will likely click it.  Unfortunately, while legitimate, it is authorising a criminal app.

How do you stop it?

Unfortunately changing passwords or multifactor authentication will do nothing to stop this attack. To remove access once such an attack has occurred you need a qualified Microsoft 365 trained professional to do this via the administration functions of your Microsoft 365 portal.

How do I prevent it?

It is possible to set up Microsoft’s 365 system so that ‘admin consent grants’, to give access to external applications, have to be approved centrally via an administrator with sufficient knowledge and time to confirm the request is genuine.

As cyber security specialists, we do this by default for all our clients to give them peace of mind. If you would like to know more, please contact us.