Consent phishing protection is added to Office 365

Consent phishing protections for Office 365, including OAuth app publisher verification and app consent policies, are now generally available, Microsoft said in a post released yesterday.

These protections defend Office 365 users against an application-based attack called consent phishing, in which targets are tricked into handing over access to their Office 365 accounts by granting permissions to malicious Office 365 OAuth apps.

The company said it is rolling out three updates: general availability of publisher verification, user consent updates for unverified publishers, and general availability of app consent policies.

Developers use Publisher verification to “add a verified identity to their app registrations and demonstrate to customers that the app comes from an authentic source.”

This feature entered public preview in May of this year. So far, more than 700 app publishers have been verified by Microsoft and a total of 1300 apps have been registered. Apps developed by verified publishers show a blue verified badge on all Azure AD consent prompts.

Administrators will now have “more controls over the apps and permissions to which users can consent” with the generally available app consent policies for end-user consent.

“To reduce the risk of malicious applications attempting to trick users into granting them access to your organization’s data, we recommend that you allow user consent only for applications that have been published by a verified publisher,” Microsoft explains.

Once app consent policies are configured, users will only be able to grant permissions to apps whose developers are verified publishers. Admins can also set up custom app consent policies when they need more granular control. Here are the required steps:

  • Sign in to the Azure portal as a Global Administrator.
  • Select Azure Active Directory > Enterprise applications > Consent and permissions > User consent settings.
  • Choose the consent setting you want to configure for all users.
  • Once the selection is made, click Save for the changes to take effect.

With publisher verification generally available, all Office 365 users will be protected, as they “will no longer be able to consent to new multi-tenant apps registered after November 8th, 2020 coming from unverified publishers.”
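Consent settings only govern future prompts, so grants users already made are worth reviewing. The following is an added example, not Microsoft's code: it audits exported grant records for user-consented permissions held by apps from another tenant with no verified publisher. Field names follow Microsoft Graph's servicePrincipal and oauth2PermissionGrant objects; all sample records and ids are constructed, and "owned by another tenant" is used here as an assumed stand-in for a multi-tenant app.

```python
import json

HOME_TENANT = "aaaaaaaa-0000-0000-0000-000000000001"  # constructed tenant id

# Constructed sample records using Microsoft Graph servicePrincipal field names.
SERVICE_PRINCIPALS = json.loads("""[
  {"id": "sp-1", "displayName": "Contoso Mail Sync",
   "appOwnerOrganizationId": "bbbbbbbb-0000-0000-0000-000000000002",
   "verifiedPublisher": {"displayName": "Contoso", "verifiedPublisherId": "1234567"}},
  {"id": "sp-2", "displayName": "Free Doc Viewer",
   "appOwnerOrganizationId": "cccccccc-0000-0000-0000-000000000003",
   "verifiedPublisher": {"displayName": null, "verifiedPublisherId": null}},
  {"id": "sp-3", "displayName": "Internal HR Tool",
   "appOwnerOrganizationId": "aaaaaaaa-0000-0000-0000-000000000001",
   "verifiedPublisher": {"displayName": null, "verifiedPublisherId": null}}
]""")

# Constructed sample records using oauth2PermissionGrant field names.
GRANTS = json.loads("""[
  {"clientId": "sp-1", "consentType": "Principal", "principalId": "user-1", "scope": "Mail.Read"},
  {"clientId": "sp-2", "consentType": "Principal", "principalId": "user-2", "scope": "Mail.Read offline_access"},
  {"clientId": "sp-2", "consentType": "AllPrincipals", "principalId": null, "scope": "User.Read"},
  {"clientId": "sp-3", "consentType": "Principal", "principalId": "user-3", "scope": "User.Read"},
  {"clientId": "sp-9", "consentType": "Principal", "principalId": "user-4", "scope": "Files.Read"}
]""")

def is_verified(sp):
    """True when the app's publisher carries a verified publisher id."""
    return bool((sp.get("verifiedPublisher") or {}).get("verifiedPublisherId"))

def audit(service_principals, grants, home_tenant):
    """Return user-consented grants held by external apps lacking a verified publisher."""
    by_id = {sp["id"]: sp for sp in service_principals}
    findings = []
    for grant in grants:
        if grant["consentType"] != "Principal":   # admin consent is out of scope here
            continue
        sp = by_id.get(grant["clientId"])
        if sp is None:                            # grant points at an unknown app: review it
            findings.append({"app": grant["clientId"], "user": grant["principalId"],
                             "scopes": grant["scope"].split(), "reason": "unknown app"})
        elif sp.get("appOwnerOrganizationId") != home_tenant and not is_verified(sp):
            findings.append({"app": sp["displayName"], "user": grant["principalId"],
                             "scopes": grant["scope"].split(), "reason": "unverified publisher"})
    return findings

if __name__ == "__main__":
    for finding in audit(SERVICE_PRINCIPALS, GRANTS, HOME_TENANT):
        print(finding)
```

Grants made through admin consent and apps owned by the home tenant are deliberately skipped, since the restriction described above applies to user consent for apps from other publishers.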