Introduction to ConsentFix v3
A new attack type, dubbed ConsentFix v3, has been circulating on hacker forums as an improved technique that automates attacks against Microsoft Azure. The first version of ConsentFix was presented by Push Security last December as a variation of ClickFix for OAuth phishing attacks.
Background on ConsentFix
ConsentFix tricks victims into completing a legitimate Microsoft login flow via the Azure CLI using social engineering. The attacker fools victims into pasting a localhost URL containing an OAuth authorization code that can be used to obtain tokens and hijack the account without passwords, despite multi-factor authentication (MFA).
ConsentFix v2 was developed by researcher John Hammond as a refined version of Push’s original, replacing manual copy/paste with drag-and-drop of the localhost URL, making the phishing flow smoother and more convincing.
ConsentFix v3 Attack Flow
ConsentFix v3 preserves the core idea of abusing the OAuth2 authorization code flow and targeting first-party Microsoft apps that are pre-trusted and pre-consented. However, it brings an improvement by incorporating automation and scalability.
The attack begins by verifying the presence of Azure in the target environment by checking for valid tenant IDs. This is followed by gathering employee details such as names, roles, and email addresses to support impersonation.
Next, the attackers create multiple accounts across services such as Outlook, Tutanota, Cloudflare, DocSend, Hunter.io, and Pipedream to support phishing, hosting, data gathering, and exfiltration operations.
Pipedream's Role in ConsentFix v3
Pipedream, a free-to-use serverless integration platform, plays a central part in automating the attack, serving three critical roles: it is the webhook endpoint that receives the victim's authorization code, it is the automation engine that immediately exchanges that code for a refresh token via Microsoft's API, and it is the central collector that makes captured tokens available in real time.
In the next phase, the attacker deploys a phishing page hosted on Cloudflare Pages that mimics a legitimate Microsoft/Azure interface and initiates a real OAuth flow through Microsoft’s login endpoint.
When the victim interacts with the page, they are redirected to a localhost URL containing an OAuth authorization code, which they are tricked into pasting or dragging back into the phishing page. This enables the data exfiltration pipeline, in which the page sends the captured URL to a Pipedream webhook, and the backend automation immediately exchanges the authorization code for tokens.
Post-Exploitation Stage
In the post-exploitation stage, the obtained tokens are imported into Specter Portal, allowing the attacker to interact with compromised Microsoft environments and access resources permitted by the token, such as email, files, and other services tied to the account.
Push Security noted that its testing of ConsentFix v3 relied on its personal Microsoft accounts; as a result, it is difficult to fully appreciate the impact, which depends on permissions, services, and tenant settings, among other factors.
Mitigating ConsentFix Risks
In terms of mitigating ConsentFix risks, Push notes that the endeavor is complicated because trust in first-party apps is architectural, and that Family of Client IDs (FOCI), Microsoft applications that share permissions and refresh tokens, is useful otherwise.
However, there are still steps administrators can take, such as applying token binding to trusted devices, setting up behavioral detection rules, and applying app authentication restrictions.
While ConsentFix attacks are used in actual campaigns, it is unclear if the v3 variant has gained any traction among cybercriminals yet.
Source: BleepingComputer