The rapid growth in remote work in the wake of the COVID-19 pandemic has led to a massive increase in the use of Microsoft Office 365 as both a platform for collaboration and as a repository for sensitive and confidential information.

As a result, we are seeing more apps being used with Microsoft’s identity platform to increase collaboration and productivity. This includes apps like SharePoint, OneDrive, Microsoft Teams, Power BI and more.

For the most part, individual productivity has increased in this new era of remote working – no arguments there. However, this increase in productivity may come at a price. Hackers are constantly looking to take advantage of unprecedented app usage by wet-behind-the-ears remote employees working on networks devoid of company firewalls and other safety measures.

While email phishing and credential compromise are popular and efficient attacks, hackers have stepped up their game by using application-based attacks like consent phishing. These attacks depend on the OAuth 2.0 protocol wherein sensitive data is accessed not by stealing your password but by tricking you into giving malicious apps the necessary permission to access your Office 365 data.

Here’s how consent phishing works:

  • First, a malicious link is sent through conventional, email-based phishing or a non-malicious website.
  • Once the user clicks the link, an authentic consent prompt appears asking for permission.
  • If the user clicks ‘Accept’, malicious apps will gain permission to access emails, forwarding rules, files, contacts, notes, profiles and other sensitive data.

Image courtesy of Microsoft.

Protect Your Office 365 Data

When using apps with your Office 365, always opt for apps from an Azure Verified Publisher.

What does it mean when an application publisher is Azure Verified?

It’s a simple, blue verification badge that appears on the application consent prompt. The blue tick signifies that Microsoft has vetted the application publisher and verified that they are a Microsoft partner and legitimate business entity.

It empowers admins to protect users from consent phishing attacks by limiting their access to non-verified apps. Microsoft even provides steps your business can follow to ensure all apps in your Office 365 tenant come from Azure Verified Publishers.

Image courtesy of Microsoft.

Back Up Your Office 365 Data with an Azure Verified Publisher

Although many Office 365 backup solutions in the market claim to back up data safely, most don’t feature the blue tick. It’s this dangerous irony that puts your data and your business at risk. The truth is, keeping a copy of your entire Office 365 data on a cloud backup that is NOT Azure verified is an open invitation for consent phishing and other such attacks.