Against the backdrop of widespread remote working and the increased use of collaboration apps, attackers are ramping up application-based attacks that exploit OAuth 2.0, Microsoft is warning.
OAuth 2.0 is an open standard for access delegation: it lets a user grant a third-party application limited access to their data on another service without handing that application their password. The most visible example is the "Sign in with Google" or "Sign in with Facebook" button that many websites offer in lieu of asking visitors to create a new account (strictly, that is OpenID Connect, which is built on OAuth 2.0). The user authenticates with the provider they already trust, and the site receives a token scoped to what it asked for. Before the provider issues that token, it shows a consent prompt listing the permissions the application is requesting. It is this permissions screen, not the sign-in button itself, that is the consent prompt, and it is what consent phishing abuses.
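To make the consent prompt concrete, the following added example (not code from the article or from Microsoft) parses two constructed OAuth 2.0 authorization requests aimed at the Microsoft identity platform and reports what the resulting prompt would ask the user to grant. The scope names are real Microsoft Graph delegated permissions; the client IDs, redirect URIs and the grouping of scopes into "data access" and "persistent access" are this example's own assumptions, not Microsoft's risk classification.

```python
from urllib.parse import urlparse, parse_qs

# Scopes that grant a third-party app access to a user's mail or files.
# Illustrative grouping for this example, not an official list.
DATA_ACCESS_SCOPES = {
    "Mail.Read", "Mail.ReadWrite", "Mail.Send",
    "Files.Read.All", "Files.ReadWrite.All",
    "Contacts.Read", "MailboxSettings.ReadWrite",
}
# offline_access yields a refresh token, so the grant outlives the browser
# session and the attacker keeps access until the consent is revoked.
PERSISTENT_ACCESS_SCOPES = {"offline_access"}

# Constructed sample requests. The client_id GUIDs and redirect hosts are
# placeholders, not real registered applications.
SIGNIN_REQUEST = (
    "https://login.microsoftonline.com/common/oauth2/v2.0/authorize"
    "?client_id=11111111-2222-3333-4444-555555555555"
    "&response_type=code"
    "&redirect_uri=https%3A%2F%2Fexample.test%2Fcallback"
    "&scope=openid%20profile%20User.Read"
    "&state=abc123"
)
LURE_REQUEST = (
    "https://login.microsoftonline.com/common/oauth2/v2.0/authorize"
    "?client_id=99999999-8888-7777-6666-555555555555"
    "&response_type=code"
    "&redirect_uri=https%3A%2F%2Fshared-document.example%2Fauth"
    "&scope=offline_access%20Mail.ReadWrite%20Files.Read.All%20User.Read"
    "&prompt=consent"
    "&state=xyz789"
)


def parse_authorization_request(url: str) -> dict:
    """Split an OAuth 2.0 authorization request URL into its parameters,
    with the space-separated scope parameter expanded into a list."""
    query = parse_qs(urlparse(url).query)
    params = {key: values[0] for key, values in query.items()}
    params["scopes"] = params.get("scope", "").split()
    return params


def assess_consent_request(url: str) -> dict:
    """Describe what the consent prompt behind this URL would grant and flag
    the combination consent phishing relies on: mailbox or file access
    together with a refresh token (offline_access)."""
    params = parse_authorization_request(url)
    scopes = set(params["scopes"])
    data_access = sorted(scopes & DATA_ACCESS_SCOPES)
    persistent = bool(scopes & PERSISTENT_ACCESS_SCOPES)
    return {
        "client_id": params.get("client_id"),
        "redirect_uri": params.get("redirect_uri"),
        "forces_prompt": params.get("prompt") == "consent",
        "scopes": sorted(scopes),
        "data_access": data_access,
        "persistent_access": persistent,
        "high_risk": bool(data_access) and persistent,
    }


if __name__ == "__main__":
    for label, url in (("sign-in", SIGNIN_REQUEST), ("lure", LURE_REQUEST)):
        report = assess_consent_request(url)
        print(f"{label}: app {report['client_id']} asks for {report['scopes']}")
        print(f"  data access: {report['data_access']}, "
              f"persistent: {report['persistent_access']}, "
              f"high risk: {report['high_risk']}")
```

The plain sign-in request asks only for `openid profile User.Read`, which the consent screen renders as basic profile access. The lure asks for mail and file access plus `offline_access`, and a prompt that grants it hands the application a refresh token that remains valid after the user closes the browser; the check above is the distinction a reviewer or a mail gateway would want to make before a user clicks Accept.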
According to Agnieszka Girling, Partner Group PM Manager at Microsoft, consent phishing, a form of application-based attack that takes advantage of OAuth, is on the rise.