ConsentFix v3 — Automated OAuth Abuse Against Azure

Overview

A new attack technique, ConsentFix v3, has emerged on hacker forums as an automated evolution of earlier OAuth phishing methods. Building on ClickFix and ConsentFix v2, this variant targets Microsoft Azure environments by abusing the OAuth2 authorization code flow, bypassing passwords and even multi‑factor authentication (MFA).

Evolution of ConsentFix

  • ConsentFix v1 (Push Security, Dec 2025): Victims tricked into pasting localhost URLs containing OAuth authorization codes.
  • ConsentFix v2 (John Hammond): Refined with drag‑and‑drop mechanics for smoother phishing flows.
  • ConsentFix v3: Adds automation and scalability, enabling attackers to harvest tokens at scale with minimal manual effort.

Attack Flow

  1. Reconnaissance: Verify Azure tenant IDs, gather employee details (names, roles, emails).
  2. Infrastructure Setup: Create accounts across Outlook, Tutanota, Cloudflare, DocSend, Hunter.io, and Pipedream.
  3. Phishing Page: Hosted on Cloudflare Pages, mimicking Microsoft/Azure login.
  4. OAuth Abuse: Victims redirected to localhost URL with authorization code, tricked into pasting/dragging it back.
  5. Automation via Pipedream:
    • Webhook receives authorization code.
    • Automation engine exchanges code for refresh tokens.
    • Tokens collected in real time for attacker use.
  6. Delivery: Personalized phishing emails embedded in PDFs hosted on DocSend to bypass filters.
  7. Post‑Exploitation: Tokens imported into Specter Portal, granting access to emails, files, and other Microsoft resources.

Why It Matters

  • Bypasses MFA: Exploits trusted OAuth flows, undermining traditional defenses.
  • First‑Party App Trust: Targets pre‑consented Microsoft apps, making detection harder.
  • Automation: Scales attacks across multiple victims with minimal effort.
  • Personalization: Harvested employee data makes phishing highly convincing.

Defensive Guidance

  • Token Binding: Restrict tokens to trusted devices.
  • Behavioral Detection: Monitor for unusual OAuth flows and token exchanges.
  • App Restrictions: Apply authentication restrictions to limit abuse of first‑party apps.
  • User Awareness: Train employees to recognize phishing flows involving localhost URLs.
  • Audit Logs: Regularly review OAuth consent and token issuance events.
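As an added example (not from the original post or from any tool it names), the detection below runs over constructed sign-in records using a simplified Entra-style field layout and flags the pattern the Attack Flow describes: an interactive browser sign-in followed within minutes by a non-interactive token acquisition for a first-party app from an IP address that user has never signed in from. The field names and all records are assumptions for illustration, not a claim about the exact Microsoft log schema.

```python
# Added example: flag an interactive sign-in followed shortly by a
# non-interactive sign-in for a first-party app from an unfamiliar IP.
# Field names resemble Entra ID sign-in logs but the schema and the
# records below are constructed for illustration only.
from datetime import datetime, timedelta

# Constructed sample events (simplified sign-in records).
SAMPLE_EVENTS = [
    {"createdDateTime": "2026-01-14T09:02:10Z", "userPrincipalName": "alice@example.com",
     "appDisplayName": "Microsoft Office", "ipAddress": "203.0.113.10", "isInteractive": True},
    {"createdDateTime": "2026-01-14T09:03:05Z", "userPrincipalName": "alice@example.com",
     "appDisplayName": "Microsoft Office", "ipAddress": "198.51.100.77", "isInteractive": False},
    {"createdDateTime": "2026-01-14T10:15:00Z", "userPrincipalName": "bob@example.com",
     "appDisplayName": "Microsoft Office", "ipAddress": "203.0.113.11", "isInteractive": True},
    {"createdDateTime": "2026-01-14T10:15:40Z", "userPrincipalName": "bob@example.com",
     "appDisplayName": "Microsoft Office", "ipAddress": "203.0.113.11", "isInteractive": False},
]


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def find_suspicious_token_exchanges(events, window=timedelta(minutes=10)):
    """Return (user, app, ip, time) for each non-interactive sign-in that
    follows an interactive sign-in by the same user within `window` and
    comes from an IP not seen in any earlier interactive sign-in by that
    user. Bob's second event uses his known IP, so only Alice is flagged."""
    events = sorted(events, key=lambda e: _ts(e["createdDateTime"]))
    known_ips = {}         # user -> IPs seen in earlier interactive sign-ins
    last_interactive = {}  # user -> time of most recent interactive sign-in
    alerts = []
    for e in events:
        user, ip, t = e["userPrincipalName"], e["ipAddress"], _ts(e["createdDateTime"])
        if e["isInteractive"]:
            known_ips.setdefault(user, set()).add(ip)
            last_interactive[user] = t
            continue
        recent = user in last_interactive and t - last_interactive[user] <= window
        if recent and ip not in known_ips.get(user, set()):
            alerts.append((user, e["appDisplayName"], ip, e["createdDateTime"]))
    return alerts


if __name__ == "__main__":
    for alert in find_suspicious_token_exchanges(SAMPLE_EVENTS):
        print("suspicious token exchange:", alert)
```

In practice the interactive-IP baseline would come from a longer history rather than the same batch, and the window should be tuned to how quickly the automation in step 5 exchanges codes.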

Final Thought

ConsentFix v3 highlights the fragility of OAuth trust boundaries. By automating token theft through legitimate Microsoft login flows, attackers bypass MFA and exploit architectural trust in first‑party apps. For defenders, the lesson is clear: Zero Trust must extend to OAuth flows, token lifecycles, and app permissions — not just user identities.
