ConsentFix v3: the new automated threat to Microsoft Azure accounts
A new attack variant, named ConsentFix v3, is circulating in hacker forums as an improved technique to automate attacks against Microsoft Azure. This evolution represents a serious threat to companies using cloud environments, with potential impact on critical systems and sensitive data.
Quick Summary
- ConsentFix v3 automates attacks on Microsoft Azure accounts by exploiting the OAuth2 authorization flow
- The attack begins with verifying the presence of Azure in the target environment and collecting details about employees
- Pipedream acts as a webhook endpoint, automation engine, and central collector for stolen tokens
- Phishing pages are hosted on Cloudflare and mimic legitimate Microsoft/Azure interfaces
- Mitigation measures include token binding, behavioral detection rules, and app authentication restrictions
The evolution of ConsentFix: from v1 to v3
The first version of ConsentFix was presented by Push Security last December as a ClickFix variant for OAuth phishing attacks. The original attack convinced victims to paste a localhost URL containing an OAuth authorization code, allowing attackers to obtain tokens and take control of accounts without needing passwords, despite the presence of multi-factor authentication (MFA).
ConsentFix v2, developed by researcher John Hammond, refined the process by replacing manual copy/paste with a drag-and-drop of the localhost URL, making the phishing flow smoother and more convincing. Version v3 maintains the core concept of exploiting the OAuth2 authorization flow but introduces automation and scalability.
The ConsentFix v3 attack flow
According to information retrieved from hacker forums, the attack begins with verifying the presence of Azure in the target environment by searching for valid tenant IDs. Attackers then collect details about employees such as names, roles, and email addresses to support impersonation.
Attackers then create numerous accounts on services like Outlook, Tutanota, Cloudflare, DocSend, Hunter.io, and Pipedream to support phishing operations, hosting, data collection, and exfiltration. Pipedream, a free serverless integration platform, plays a central role in automating the attack, serving three critical functions:
- Acts as a webhook endpoint that receives the victim's authorization code
- Functions as an automation engine that immediately exchanges that code for a refresh token via Microsoft's API
- Serves as a central collector that makes captured tokens available in real-time
The phishing mechanism and data exfiltration
In the next phase, the attacker deploys a phishing page hosted on Cloudflare Pages that mimics a legitimate Microsoft/Azure interface and initiates a real OAuth flow via Microsoft's login endpoint. When the victim interacts with the page, they are redirected to a localhost URL containing an OAuth authorization code, which they are convinced to paste or drag back into the phishing page.
This enables the data exfiltration pipeline, where the page sends the captured URL to a Pipedream webhook, and the automation backend immediately exchanges the authorization code for tokens. Phishing emails can be highly personalized, generated from collected data, and feature malicious links embedded in a PDF hosted on DocSend to enhance credibility and bypass spam filters.
The post-exploitation phase and access to resources
In the post-exploitation phase, the obtained tokens are imported into Specter Portal, allowing the attacker to interact with compromised Microsoft environments and access resources permitted by the token, such as emails, files, and other services linked to the account. Push Security noted that ConsentFix v3 tests were based on their own personal Microsoft accounts, making it difficult to fully assess the impact, which depends on permissions, services, and tenant settings.
The challenges of mitigation and possible countermeasures
Mitigating the risks of ConsentFix is complicated because trust in first-party apps is architectural. However, administrators can adopt some measures, such as applying token binding to trusted devices, setting behavioral detection rules, and applying app authentication restrictions. Family of Client IDs (FOCI), Microsoft applications that share permissions and refresh tokens, can also help mitigate risks.
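One way to express the "behavioral detection rule" mentioned above, as an added example that is not from the article or from Push Security: it runs over constructed records shaped like Entra ID sign-in log entries and flags a (user, app) pair whose interactive sign-in is followed within minutes by non-interactive token use from a different IP address, the split the v3 pipeline produces when the victim authenticates from their own device while the authorization code is redeemed by the automation backend. The field names, the 10-minute window, the app name and all addresses are assumptions made for the example.

```python
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Constructed sample sign-in records (all values invented for this example). Field names
# follow the Microsoft Graph signIn resource; treat the schema mapping as an assumption.
SAMPLE_EVENTS = [
    # Victim completes the real Microsoft login from their own workstation.
    {"createdDateTime": "2024-05-01T09:00:00Z", "userPrincipalName": "alice@example.com",
     "appDisplayName": "Example Public Client", "ipAddress": "203.0.113.10", "isInteractive": True},
    # Seconds later the tokens are used from a different network: the automation
    # backend that redeemed the pasted authorization code, not the victim's device.
    {"createdDateTime": "2024-05-01T09:00:45Z", "userPrincipalName": "alice@example.com",
     "appDisplayName": "Example Public Client", "ipAddress": "198.51.100.7", "isInteractive": False},
    # Benign case: a user whose token refresh comes from the same address as the login.
    {"createdDateTime": "2024-05-01T10:00:00Z", "userPrincipalName": "bob@example.com",
     "appDisplayName": "Example Public Client", "ipAddress": "203.0.113.22", "isInteractive": True},
    {"createdDateTime": "2024-05-01T10:05:00Z", "userPrincipalName": "bob@example.com",
     "appDisplayName": "Example Public Client", "ipAddress": "203.0.113.22", "isInteractive": False},
]

WINDOW = timedelta(minutes=10)  # assumption: tune to the tenant's normal token-refresh timing


def _ts(value: str) -> datetime:
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def find_split_ip_token_use(events: List[Dict]) -> List[Dict]:
    """Flag (user, app) pairs where an interactive sign-in is followed within WINDOW
    by a non-interactive sign-in from a different IP address."""
    by_key: Dict[Tuple[str, str], List[Dict]] = {}
    for ev in sorted(events, key=lambda e: _ts(e["createdDateTime"])):
        by_key.setdefault((ev["userPrincipalName"], ev["appDisplayName"]), []).append(ev)
    alerts = []
    for (user, app), evs in by_key.items():
        for i, first in enumerate(evs):
            if not first["isInteractive"]:
                continue
            for later in evs[i + 1:]:
                gap = _ts(later["createdDateTime"]) - _ts(first["createdDateTime"])
                if gap > WINDOW:
                    break  # events are sorted, so nothing later can be inside the window
                if not later["isInteractive"] and later["ipAddress"] != first["ipAddress"]:
                    alerts.append({"user": user, "app": app, "interactive_ip": first["ipAddress"],
                                   "token_use_ip": later["ipAddress"],
                                   "seconds": int(gap.total_seconds())})
    return alerts


if __name__ == "__main__":
    for alert in find_split_ip_token_use(SAMPLE_EVENTS):
        print(alert)
```

In a real tenant the same logic would be fed from exported sign-in logs and combined with the token-binding and app-restriction controls named above, since a device-bound token cannot be redeemed from the backend's address in the first place.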
The economic impact of data breaches
Data breaches caused by attacks like ConsentFix v3 can have a significant economic impact on organizations. According to recent studies, the average cost of a data breach is constantly increasing, with losses going beyond the direct costs of response and remediation. Consequences include reputational damage, loss of customer trust, and potential regulatory sanctions, making breach prevention a strategic priority for companies.
The challenges of regulatory compliance
Organizations also face challenges related to regulatory compliance, with regulations like the GDPR and other data protection laws imposing stringent requirements for information security. Non-compliance can result in heavy sanctions and additional legal risks. Therefore, it is crucial to align security strategies with regulatory requirements and maintain accurate documentation of implemented measures.
The role of continuous training
Continuous training of end users is a key element in defending against attacks like ConsentFix v3. Organizations should develop security awareness programs that include phishing simulations, practical exercises, and regular updates on new threats. Additionally, it is important to promote a culture of security within the company, encouraging employees to report suspicious behaviors and follow best security practices.
The integration of advanced security solutions
The integration of advanced security solutions, such as multi-factor authentication (MFA) systems, intrusion detection systems (IDS), and vulnerability management platforms, can significantly improve organizations' resilience against attacks like ConsentFix v3. These technologies, combined with a well-defined security strategy, can help protect cloud environments and reduce the risk of data breaches.
The need for an incident response strategy
Finally, it is essential to develop and maintain an effective incident response strategy. This includes defining roles and responsibilities, creating contingency plans, and conducting regular exercises to test the organization's response capability. A well-structured incident response strategy can help minimize the impact of an attack and quickly restore normal operations.
ConsentFix v3 represents a significant threat to organizations using Microsoft Azure, requiring an integrated and proactive approach to security. Adopting preventive measures, continuous user training, and integrating advanced security solutions are essential to protect cloud environments and prevent potential data breaches. In a constantly evolving threat landscape, vigilance and adaptability are fundamental to maintaining an adequate level of protection.
Editorial Note and Disclaimer
The guides and content published on GoYou are the result of independent research and analysis activities, for informational, educational, and in-depth purposes.
GoYou does not constitute a journalistic publication or an editorial product under Law No. 62/2001 and does not perform real-time information activities.
The GoYou project does not provide professional, technical, legal, or financial advice and disclaims any liability for the improper use of the information published.