Story Time: How User App Consent Crippled a Business (Yes, This Really Happened)
- Kyle Cira
- Aug 13
- 2 min read
- Updated: Aug 20

Based on a True Story
A user received a phishing email and—like many unsuspecting employees—clicked the link. The attacker gained access to the user’s Microsoft 365 account. But instead of just harvesting data or resetting passwords, they took a quieter, more scalable approach: they requested consent for a third-party “mail blasting” app.
The user approved the request. And that’s when things got worse.
Why It Mattered
The attacker used the consented app to send phishing emails—thousands of them—directly from the victim’s inbox. But these emails didn’t look like generic spam. They came from a real, trusted contact. To recipients, the threat felt legitimate (“Hey, Jeff finally emailed me back!”). Some clicked. Some entered credentials. Others forwarded the message internally.
The fallout was fast and fierce:
- Clients and partners received malicious emails.
- Legal teams got involved.
- Microsoft flagged the mailbox and banned all outbound email from the entire domain, paralyzing the organization’s ability to communicate.
- Brand trust took a serious hit.
All because of one overlooked setting: user app consent.
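Before changing any settings, the first thing to check after reading a story like this is whether such grants already exist in your own tenant. The script below is an added example (not from the original post) that uses the Microsoft Graph PowerShell SDK to list every app a user has consented to on their own behalf and flags the ones holding mailbox permissions. It assumes the SDK is installed and the caller has Directory.Read.All; the scope list, output columns and the revoke cmdlet comment are my choices and should be adjusted to your environment.

```powershell
# Added example, not code from the original post.
# Lists delegated permission grants approved by individual users (ConsentType 'Principal')
# and flags any that include mail-related scopes. Assumes Microsoft.Graph SDK and
# Directory.Read.All; revoking a grant additionally needs DelegatedPermissionGrant.ReadWrite.All.

Connect-MgGraph -Scopes 'Directory.Read.All' -NoWelcome

# Scopes that let an app read or send mail on the user's behalf (Graph, EWS, IMAP, SMTP).
# Constructed watch list; extend it for your tenant.
$riskyScopes = @(
    'Mail.Send', 'Mail.Send.Shared', 'Mail.ReadWrite', 'Mail.Read',
    'full_access_as_user', 'EWS.AccessAsUser.All', 'IMAP.AccessAsUser.All', 'SMTP.Send'
)

# ConsentType 'Principal'  = a single user consented for themselves (user app consent).
# ConsentType 'AllPrincipals' = an admin consented tenant-wide; reviewed separately.
$userGrants = Get-MgOauth2PermissionGrant -All | Where-Object { $_.ConsentType -eq 'Principal' }

$findings = foreach ($grant in $userGrants) {
    # Scope is a space-separated string, e.g. "User.Read Mail.Send offline_access"
    $granted = $grant.Scope -split '\s+' | Where-Object { $_ }
    $hits = $granted | Where-Object { $riskyScopes -contains $_ }
    if (-not $hits) { continue }

    $app  = Get-MgServicePrincipal -ServicePrincipalId $grant.ClientId
    # The consenting user may since have been deleted; fall back to the raw object id.
    $user = Get-MgUser -UserId $grant.PrincipalId -Property UserPrincipalName -ErrorAction SilentlyContinue
    $upn  = if ($user) { $user.UserPrincipalName } else { "<deleted user $($grant.PrincipalId)>" }

    [pscustomobject]@{
        User        = $upn
        App         = $app.DisplayName
        AppId       = $app.AppId
        Publisher   = $app.PublisherName
        Verified    = [bool]$app.VerifiedPublisher.DisplayName   # $false for unverified publishers
        RiskyScopes = ($hits -join ' ')
        GrantId     = $grant.Id
    }
}

$findings | Sort-Object User | Format-Table -AutoSize

# After confirming an app is unwanted, revoke its grant by id (requires write permission):
# Remove-MgOauth2PermissionGrant -OAuth2PermissionGrantId '<GrantId from the table>'
```

An unverified publisher combined with a mail-sending scope on a user-consented grant is exactly the pattern in the story above; such rows deserve a conversation with the user and, usually, revocation.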
What to Do about User App Consent
To prevent this, take three key steps—two of which are required by the latest CIS Microsoft 365 Foundations Benchmark (v5):
1. Disable user consent for applications. Set “User consent for applications” to “Do not allow user consent”. This stops users from unknowingly approving malicious or risky third-party apps.
2. Limit outbound email thresholds. In Exchange Online Protection (EOP), configure outbound spam policies to restrict how many emails a user can send per hour or per day. This helps throttle attacks if one slips through.
3. Use admin consent workflows. When users do need access to an app, let them submit a request. Admins are notified and can approve or deny access—after vetting the app’s legitimacy and scope.
Pro Tip: If you’re using separate administrative accounts (as you should be), configure the workflow so that approval requests go to your normal mailbox, not an admin account without a mailbox.
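The three steps and the Pro Tip can be applied from the command line so they are repeatable across tenants. The script below is an added example (not from the original post) using the Microsoft Graph PowerShell SDK and the Exchange Online PowerShell module. It assumes both modules are installed and the signed-in administrator holds Policy.ReadWrite.Authorization, Policy.ReadWrite.ConsentRequest, User.Read.All and Exchange Online admin rights; the reviewer address, recipient limits and request duration are placeholders to tune for your organization.

```powershell
# Added example, not code from the original post. Assumes Microsoft.Graph and
# ExchangeOnlineManagement modules; reviewer UPN and limits are placeholders.

Connect-MgGraph -Scopes 'Policy.ReadWrite.Authorization','Policy.ReadWrite.ConsentRequest','User.Read.All' -NoWelcome

# Step 1: disable user consent. An empty list of assigned permission-grant policies is
# what the Entra admin center shows as "Do not allow user consent".
Update-MgPolicyAuthorizationPolicy -DefaultUserRolePermissions @{
    PermissionGrantPoliciesAssigned = @()
}

# Step 3 (plus the Pro Tip): turn on the admin consent workflow and route requests to an
# account that actually has a mailbox, i.e. the admin's everyday user, not the
# mailbox-less privileged account.
$reviewerUpn = 'jane.doe@contoso.example'            # placeholder, everyday account with a mailbox
$reviewer    = Get-MgUser -UserId $reviewerUpn -Property Id
$workflow = @{
    IsEnabled             = $true
    NotifyReviewers       = $true     # email the reviewer on each new request
    RemindersEnabled      = $true     # nag if a request sits unreviewed
    RequestDurationInDays = 30        # requests expire after this many days
    Reviewers             = @(
        @{ Query = "/users/$($reviewer.Id)"; QueryType = 'MicrosoftGraph' }
    )
}
Update-MgPolicyAdminConsentRequestPolicy -BodyParameter $workflow

# Step 2: outbound throttling in EOP. Cap recipients per hour and per day and block the
# sender automatically when the cap is hit, so a hijacked mailbox cannot blast thousands
# of messages before anyone notices. Values are placeholders; size them to normal usage.
Connect-ExchangeOnline -ShowBanner:$false
Set-HostedOutboundSpamFilterPolicy -Identity 'Default' `
    -RecipientLimitExternalPerHour 400 `
    -RecipientLimitInternalPerHour 800 `
    -RecipientLimitPerDay 1000 `
    -ActionWhenThresholdReached BlockUser

# Verification: read each setting back rather than trusting the write succeeded.
(Get-MgPolicyAuthorizationPolicy).DefaultUserRolePermissions.PermissionGrantPoliciesAssigned   # expect empty
Get-MgPolicyAdminConsentRequestPolicy | Select-Object IsEnabled, NotifyReviewers, RequestDurationInDays
Get-HostedOutboundSpamFilterPolicy -Identity 'Default' |
    Select-Object RecipientLimitExternalPerHour, RecipientLimitInternalPerHour, RecipientLimitPerDay, ActionWhenThresholdReached
```

Run the verification lines on their own after any change window; a tenant where the first line prints a policy id (for example the "verified publisher" policy) still allows some user consent and does not meet the benchmark setting described above.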
Final Thoughts
By default, user consent is enabled in Microsoft 365. This leaves your environment vulnerable to app-based phishing campaigns—one of the fastest-growing attack vectors in cloud environments today.
At Redeemer Cybersecurity Consulting, we uncover risks like this with our Microsoft 365 Security Assessment and can help you remediate them with surgical precision—ensuring minimal disruption to your business.
Don’t wait for a phishing incident to expose a hidden misconfiguration.
Hire Redeemer Cyber to perform a Microsoft 365 Security Assessment and Remediation today.
Let’s secure your M365 tenant before a BEC happens to you, too.