Automated OAuth Abuse by ConsentFix v3 Raises Azure Security Concerns


 

Researchers have identified a new phishing framework, ConsentFix v3, that systematically compromises Microsoft Azure accounts through automated OAuth abuse and is having a direct impact on identity-based attacks in cloud environments.

The latest iteration, an advanced evolution of previous ConsentFix campaigns, combines large-scale social engineering, tenant reconnaissance, and automated token harvesting into a coordinated attack chain designed to bypass conventional security controls. By exploiting weaknesses in the OAuth2 authorization code flow, attackers can manipulate authentication consent mechanisms and gain persistent access to enterprise environments.

Another defining element of the campaign is the use of Pipedream, a serverless integration platform leveraged to automate authorization code collection, refresh token generation, and data exfiltration workflows, significantly improving the scale and operational efficiency of the intrusion process. 

According to the report's findings, attackers begin a compromise by identifying Azure tenant IDs and profiling employees for targeted impersonation. Phishing infrastructure is deployed across multiple online services to support credential deception, token interception, and long-term account persistence.

ConsentFix v3 represents a rapid evolution of OAuth-related phishing methodologies. Late last year, Push Security introduced the original ConsentFix technique, a ClickFix-inspired attack targeting Microsoft authentication workflows, and it attracted attention. An early variant of the attack relied heavily on social engineering to trick victims into completing a legitimate Azure CLI login sequence and manually pasting a localhost URL containing an authorization code.

Once they had captured the code, attackers could exchange it to hijack Microsoft accounts without stealing passwords, effectively bypassing multi-factor authentication by abusing trusted identity processes rather than exploiting endpoint vulnerabilities. To streamline the phishing chain, researcher John Hammond developed refinements that eventually resulted in ConsentFix v2, which replaced manual copy-and-paste of the localhost URL with a drag-and-drop mechanism. This improved the realism of the deception and its success rate.

ConsentFix v3 continues to weaponize the OAuth2 authorization code flow while abusing Microsoft first-party applications that are already trusted and pre-consented within enterprise environments. The attack model is expanded with enhanced automation, broader scalability, and infrastructure designed to support high-volume token interception operations across Azure tenants.

An operational analysis of ConsentFix v3 indicates that the campaign is organized around a multi-stage intrusion workflow that maximizes both authenticity and the efficiency of token acquisition. Threat actors reportedly conduct extensive reconnaissance on targeted Azure environments, validate tenant identifiers, and aggregate employee intelligence, including corporate e-mail addresses, organizational roles, and identity metadata, in order to support highly tailored impersonation attempts.

The campaign infrastructure relies on Cloudflare Pages for phishing page hosting and Pipedream for backend automation, enabling attackers to coordinate credential lures, webhook execution, and token collection through a highly scalable framework. Victims are then targeted with carefully crafted phishing emails containing embedded document links that direct them to fake Microsoft authentication portals, which trigger legitimate OAuth login requests. This technique significantly increases user trust and reduces conventional phishing indicators.

After user interaction, the attack moves into the exploitation phase, where users are manipulated to copy, paste, or interact with localhost URLs containing OAuth authorization codes. Once intercepted, the authorization codes are transmitted to attacker-controlled infrastructure where automated workflows use Microsoft APIs to exchange them for access and refresh tokens capable of granting unauthorized access to mailboxes, cloud storage, and internal enterprise data. 

According to researchers, the abuse of Microsoft's Family of Client IDs (FOCI) functionality further amplifies the threat by enabling token reuse between multiple trusted Microsoft applications, which provides attackers with greater persistence and lateral access without having to repeatedly complete authentication procedures. 

Consequently, the campaign highlights persistent architectural weaknesses associated with OAuth-based trust models and token-centric authentication mechanisms, resulting in a renewed emphasis on defensive measures, such as enforcing granular conditional access policies, binding tokens to managed devices, monitoring anomalous non-interactive sign-ins, and revoking refresh tokens immediately upon suspicion of compromise. 

Security teams are also being encouraged to tighten consent controls, reduce excessive permission exposure, and continuously audit authentication telemetry in order to detect signs of advanced OAuth abuse before it can establish long-term persistence.

Researchers observed substantial operational overlap between ConsentFix and device code phishing, as both techniques abuse OAuth authorization workflows to bypass traditional authentication barriers and achieve unauthorized token issuance without directly stealing credentials. The primary distinction between the two techniques lies in the OAuth mechanisms they exploit. 

Device code phishing abuses the device authorization grant defined in RFC 8628, whereas ConsentFix targets the authorization code grant outlined in RFC 6749, particularly within native and desktop application flows that rely on localhost redirects. The two attack paths converge within the same token issuance infrastructure, regardless of their differences in execution. Therefore, attackers' access level is less dependent on the OAuth flow than it is on the targeted application, its permission scopes, and user privileges. 

Both authentication flows ultimately allow threat actors to obtain highly valuable authentication artifacts capable of sustaining persistent access across cloud environments. Further, researchers report that attackers are increasingly targeting Microsoft applications classified under the Family of Client IDs (FOCI) model due to their portability and utility after compromise, particularly against non-administrative enterprise users. 

Compromising FOCI-enabled applications through ConsentFix or device code phishing campaigns lets attackers silently pivot between interconnected Microsoft services, such as Outlook, Teams, OneDrive, and SharePoint, through API-based access without repeatedly authenticating. More advanced operators may escalate the intrusion by abusing Primary Refresh Tokens (PRTs), which allow seamless single sign-on across applications and browser sessions connected to Entra ID.

Such escalation commonly involves abusing the Microsoft Authentication Broker application and chaining the compromise into a rogue device registration within the victim environment, mirroring tactics previously associated with Storm-2372 during large-scale device code phishing campaigns in 2025. 

Researchers believe ConsentFix v3 currently resembles an operational proof of concept more than a fully industrialized phishing-as-a-service platform. Even so, its reliance on legitimate SaaS tools and readily accessible automation infrastructure, with minimal custom development overhead, demonstrates just how quickly threat actors can operationalize sophisticated OAuth abuse.

In addition, the campaign has intensified the need for a change in defensive strategy, particularly given that browser-based identity attacks continue to bypass many conventional endpoint protections. To detect malicious OAuth activity occurring within trusted authentication sessions, organizations need to combine real-time behavioral monitoring with identity-aware threat hunting capabilities.

Traditional mitigations recommended for device code phishing, including disabling device code flow through conditional access policies, offer only partial protection against ConsentFix because the framework abuses a separate authentication pathway. Rather than leaving vulnerable applications exposed to OAuth token phishing, defenders are advised to create dedicated Service Principals and restrict access to explicitly authorized users.

Defenders should also proactively search authentication logs for suspicious application and resource identifiers, correlate inconsistencies between initial login IP addresses and subsequent token activity, and closely monitor anomalous session behavior that could indicate attacker control following legitimate authentication attempts. The emergence of ConsentFix v3 reflects a trend in the modern threat landscape in which cybercriminals increasingly target identity infrastructure and trusted authentication frameworks rather than relying on malware and credential theft alone.
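The correlation between the initial login IP address and later token activity, recommended above, can be prototyped as follows. This is an added example, not code from the researchers or from Microsoft: the record fields, the placeholder application IDs, and the one-hour window are assumptions, and the log lines are constructed.

```python
from datetime import datetime, timedelta

# Placeholder IDs (constructed) for the family of client apps to watch.
WATCHED_FAMILY = {"app-cli-placeholder", "app-mail-placeholder"}
WINDOW = timedelta(hours=1)  # tunable: how long after login to correlate

# Constructed sign-in records; field names are assumptions for this sketch.
SAMPLE_LOG = [
    {"time": "2025-01-10T09:00:00", "user": "alice@example.com",
     "app": "app-cli-placeholder", "ip": "198.51.100.10", "interactive": True},
    {"time": "2025-01-10T09:02:00", "user": "alice@example.com",
     "app": "app-cli-placeholder", "ip": "198.51.100.10", "interactive": False},
    {"time": "2025-01-10T09:05:00", "user": "alice@example.com",
     "app": "app-mail-placeholder", "ip": "203.0.113.77", "interactive": False},
    {"time": "2025-01-10T10:00:00", "user": "bob@example.com",
     "app": "app-cli-placeholder", "ip": "192.0.2.5", "interactive": True},
    {"time": "2025-01-10T12:30:00", "user": "bob@example.com",
     "app": "app-cli-placeholder", "ip": "203.0.113.77", "interactive": False},
    {"time": "2025-01-10T09:06:00", "user": "carol@example.com",
     "app": "app-other-placeholder", "ip": "203.0.113.77", "interactive": False},
]

def find_token_ip_mismatches(events, family=WATCHED_FAMILY, window=WINDOW):
    """Return non-interactive sign-ins whose IP differs from the user's most
    recent interactive sign-in to a watched app within `window`."""
    last_login = {}  # user -> (time, ip, app) of latest interactive sign-in
    findings = []
    for ev in sorted(events, key=lambda e: datetime.fromisoformat(e["time"])):
        if ev["app"] not in family:
            continue  # only watched client apps are correlated
        ts = datetime.fromisoformat(ev["time"])
        if ev["interactive"]:
            last_login[ev["user"]] = (ts, ev["ip"], ev["app"])
            continue
        prior = last_login.get(ev["user"])
        if prior is None or ts - prior[0] > window or ev["ip"] == prior[1]:
            continue  # no recent login to compare with, or same IP
        findings.append({
            "user": ev["user"], "login_ip": prior[1], "token_ip": ev["ip"],
            "cross_app": ev["app"] != prior[2],  # token used by another family app
            "time": ev["time"],
        })
    return findings

if __name__ == "__main__":
    for hit in find_token_ip_mismatches(SAMPLE_LOG):
        print(hit)
```

The short window keeps noise from users who legitimately change networks low; widening it for retrospective hunting also surfaces the later sign-in in the sample data.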

The campaign demonstrated how adversaries, by abusing legitimate OAuth workflows and cloud-native services, could gain persistent access within enterprise environments while remaining difficult to detect through conventional security mechanisms. According to researchers, similar techniques are likely to become more operationalized across cloud ecosystems as automation, token abuse, and SaaS-based attack infrastructure mature.

Organizations should strengthen identity-centric defenses, continuously monitor authentication behavior, and evaluate the trust relationships embedded within modern cloud platforms as soon as possible, before OAuth-driven intrusions become a mainstream enterprise threat vector.