ConsentFix v3 attacks target Azure with automated OAuth abuse
Source: Bleeping Computer
Overview
A new attack type, dubbed ConsentFix v3, has been circulating on hacker forums as an improved technique that automates attacks against Microsoft Azure.
The first version of ConsentFix was presented by Push Security last December as a variation of ClickFix for OAuth phishing attacks, which tricks victims into completing a legitimate Microsoft login flow via the Azure CLI. Using social engineering, the attacker fooled victims into pasting a localhost URL containing an OAuth authorization code that can be used to obtain tokens and hijack the account without passwords, despite multi‑factor authentication (MFA).
ConsentFix v2 was developed by researcher John Hammond as a refined version of Push’s original, replacing manual copy/paste with drag‑and‑drop of the localhost URL, making the phishing flow smoother and more convincing.
ConsentFix v3 preserves the core idea of abusing the OAuth2 authorization code flow and targeting first‑party Microsoft apps that are pre‑trusted and pre‑consented, but adds automation and scalability.
ConsentFix v3 attack flow
According to information retrieved from hacker forums where the new technique is promoted, the attack begins by verifying the presence of Azure in the target environment by checking for valid tenant IDs. This is followed by gathering employee details such as names, roles, and email addresses to support impersonation.
Next, the attackers create multiple accounts across services such as Outlook, Tutanota, Cloudflare, DocSend, Hunter.io, and Pipedream to support phishing, hosting, data gathering, and exfiltration operations.
Push Security researchers explain that Pipedream, a free‑to‑use serverless integration platform, plays a central part in automating the attack, serving three critical roles:
- It is the webhook endpoint that receives the victim’s authorization code.
- It is the automation engine that immediately exchanges that code for a refresh token via Microsoft’s API.
- It is the central collector that makes captured tokens available to the attacker in real time.
Creating the Pipedream model – Source: Push Security
In the next phase, the attacker deploys a phishing page hosted on Cloudflare Pages that mimics a legitimate Microsoft/Azure interface and initiates a real OAuth flow through Microsoft’s login endpoint. When the victim interacts with the page, they are redirected to a localhost URL containing an OAuth authorization code, which they are tricked into pasting or dragging back into the phishing page. This enables the data‑exfiltration pipeline: the page sends the captured URL to a Pipedream webhook, and the backend automation immediately exchanges the authorization code for tokens.
The phishing emails can be highly personalized, generated from harvested data, and feature malicious links embedded inside a PDF hosted on DocSend to improve credibility and bypass spam filtering.
Generating personalized phishing emails – Source: Push Security
In the post‑exploitation stage, the obtained tokens are imported into Specter Portal, allowing the attacker to interact with compromised Microsoft environments and access resources permitted by the token, such as email, files, and other services tied to the account.
Push Security noted that its testing of ConsentFix v3 relied on personal Microsoft accounts; therefore, the full impact depends on permissions, services, and tenant settings.
Mitigation
Mitigating ConsentFix risks is challenging because trust in first‑party apps is architectural. The Family of Client IDs (FOCI) research shows that Microsoft applications share permissions and refresh tokens, which can be leveraged by attackers. Administrators can still reduce exposure by:
- Applying token binding to trusted devices.
- Setting up behavioral detection rules for anomalous token usage.
- Enforcing app authentication restrictions (e.g., limiting which client IDs may access sensitive resources).
While ConsentFix attacks are used in actual campaigns, it is unclear whether the v3 variant has gained significant traction among cybercriminals yet.