Microsoft adds phishing protection to Office 365

Microsoft has announced that phishing protections, including OAuth application publisher verification and application consent policies, are now generally available on Office 365.

These protections are designed to protect Office 365 users from phishing attacks (Phishing).

In this type of attack, targets are tricked into gaining access to their Office 365 accounts by granting rights to malicious applications.

Since this feature came in May, more than 700 application publishers have been verified by Microsoft, with a total of more than 1300 application registrations.

Newly available application consent policies for user consent give administrators "more control over applications and permissions that users can consent to."

"To reduce the risk of malicious applications trying to trick users into giving your organization access to your organization's data, we recommend that you only allow user consent for applications published by a verified publisher," explains Microsoft.

Once application consensus policies are in place, users will only be able to assign permissions to applications developed by verified publishers, thus preventing future phishing attacks.

Microsoft warned its customers in July that agents were threatening to use Office 365 OAuth applications in phishing attacks as part of the Business Email Compromise (BEC) fraud schemes.

The ultimate goal of attackers in such cases is to take over their victims' Microsoft accounts and make API calls on their behalf through hacker-controlled applications.

For more advice on how to defend against security threats, organizations can also read the support document.Detect and recover illegal grants in Office 365".