ConsentFix V3 Attacks Target Azure with Automated OAuth Abuse


BleepingComputer, May 2, 2026

Why It Matters

ConsentFix v3 enables scalable, password‑less hijacking of Azure accounts, raising the risk of large‑scale data breaches for enterprises relying on Microsoft cloud services.

Key Takeaways

  • ConsentFix v3 automates OAuth code theft using Pipedream webhooks.
  • Attack leverages pre‑trusted Microsoft app IDs and sidesteps MFA: the victim completes the challenge during a genuine sign‑in, and the attacker takes the resulting code.
  • Phishing pages hosted on Cloudflare mimic Azure login flows.
  • Tokens imported into Specter Portal give attackers broad Azure access.
  • Mitigation requires token binding, behavior analytics, and app restrictions.

Pulse Analysis

The OAuth 2.0 authorization code flow has long been an attractive vector for token theft because it separates user authentication from token issuance: the authorization server hands back a short‑lived code via a redirect, and whoever holds that code can exchange it for tokens. Earlier lures such as ClickFix and the original ConsentFix showed that a victim could be talked into copying a localhost redirect URL containing the authorization code and pasting it into an attacker‑controlled page, granting access without a password and without a fresh multi‑factor challenge, since the victim has already satisfied MFA during the legitimate sign‑in. Because Microsoft's own first‑party applications are pre‑consented in every tenant, no consent prompt warns the user; the attack rides on trust the platform already grants and relies on social engineering rather than a software vulnerability.

ConsentFix v3 pushes the concept into a scalable, automated service. Threat actors first confirm that a target domain belongs to an Azure tenant, then harvest employee names and emails to craft personalized phishing messages. They spin up disposable accounts on services like Outlook, Tutanota, Cloudflare, DocSend, Hunter.io and, crucially, Pipedream, a serverless integration platform that acts as webhook receiver, token‑exchange engine and real‑time collector. A Cloudflare Pages site mimics the Azure login portal, walks the victim through a genuine Microsoft sign‑in whose localhost redirect carries the authorization code, and silently forwards the captured code to Pipedream, which immediately trades it for a refresh token. The token is then loaded into Specter Portal, giving the attacker broad access to mail, files and other Azure resources.

The emergence of an automated, turnkey kit raises the stakes for cloud‑first enterprises. Because the attack leverages pre‑consented Microsoft client IDs and ends with a refresh token in the attacker's hands, a password change or MFA enforcement alone is insufficient; incident response should also revoke the affected user's sessions so the issued refresh tokens stop working. Organizations should enforce token protection (binding refresh tokens to trusted devices) where it is available, restrict which client IDs may request tokens, and deploy behavioral analytics that flag a token being redeemed or refreshed from an IP address or client that differs from the interactive sign‑in that produced it. Regularly reviewing and pruning unused application registrations reduces exposure to third‑party consent abuse, although it does not touch Microsoft's own pre‑consented apps, and Conditional Access sign‑in frequency policies shorten how long a stolen token stays useful. As threat actors continue to commercialize such kits, proactive cloud‑security hygiene becomes a critical line of defense.
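The behavioral check suggested above, written out against the attack chain described earlier, as an added example that is not code from the article, from BleepingComputer or from the ConsentFix kit. The sign‑in events are constructed; their field names are a flattened, simplified take on the Microsoft Graph `signIn` resource, and the client‑ID watch list and the 15‑minute window are assumptions you would tune to your tenant. The detector looks for what the kit produces: an interactive sign‑in by the victim, followed minutes later by non‑interactive use of the same app's token from a different IP that also changes country or user agent.

```python
"""Detection logic for the ConsentFix-style token replay described above.

Added example, not code from the article or from the ConsentFix kit. The events
are constructed, and the field names are a flattened, simplified take on the
Microsoft Graph `signIn` resource (createdDateTime, userPrincipalName, appId,
isInteractive, ipAddress, location.countryOrRegion, userAgent); treat the exact
schema as an assumption and map it to whatever export you actually have.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Placeholder IDs standing in for the Microsoft first-party public clients whose
# authorization codes are worth watching. Fill from your own inventory (assumption).
FIRST_PARTY_PUBLIC_CLIENTS = {"first-party-public-client-A", "first-party-public-client-B"}

# An authorization code is redeemed immediately, so the first use of the resulting
# token lands minutes, not hours, after the victim's interactive sign-in (assumption).
REPLAY_WINDOW = timedelta(minutes=15)


def _event(ts, user, app, interactive, ip, country, ua):
    return {"createdDateTime": ts, "userPrincipalName": user, "appId": app,
            "isInteractive": interactive, "ipAddress": ip,
            "countryOrRegion": country, "userAgent": ua}


# Constructed sample sign-in events (not real logs).
SAMPLE_EVENTS = [
    # Benign: interactive sign-in, then a silent refresh from the same device.
    _event("2026-05-01T09:00:00Z", "bob@contoso.example", "first-party-public-client-A",
           True, "203.0.113.10", "US", "Mozilla/5.0 (Windows NT 10.0)"),
    _event("2026-05-01T09:40:00Z", "bob@contoso.example", "first-party-public-client-A",
           False, "203.0.113.10", "US", "Mozilla/5.0 (Windows NT 10.0)"),
    # Suspicious: the victim completes the genuine login (MFA included) in a browser;
    # three minutes later the same app's token is used non-interactively from a
    # different IP in another country by a non-browser client.
    _event("2026-05-01T10:00:00Z", "alice@contoso.example", "first-party-public-client-A",
           True, "203.0.113.25", "US", "Mozilla/5.0 (Macintosh)"),
    _event("2026-05-01T10:03:00Z", "alice@contoso.example", "first-party-public-client-A",
           False, "198.51.100.77", "NL", "python-requests/2.31"),
    # Same pattern on an app outside the watch list: ignored unless you widen the set.
    _event("2026-05-01T11:00:00Z", "carol@contoso.example", "custom-line-of-business-app",
           True, "203.0.113.40", "US", "Mozilla/5.0"),
    _event("2026-05-01T11:05:00Z", "carol@contoso.example", "custom-line-of-business-app",
           False, "198.51.100.90", "DE", "python-requests/2.31"),
]


def _ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def find_code_replay(events, window=REPLAY_WINDOW, watched_apps=FIRST_PARTY_PUBLIC_CLIENTS):
    """Flag (user, app) pairs where an interactive sign-in is followed within `window`
    by a non-interactive token use from a different IP that also changes country or
    user agent. Returns one alert dict per suspicious pair of events."""
    by_key = defaultdict(list)
    for ev in events:
        if ev["appId"] in watched_apps:
            by_key[(ev["userPrincipalName"], ev["appId"])].append(ev)

    alerts = []
    for (user, app), evs in by_key.items():
        evs.sort(key=lambda e: _ts(e["createdDateTime"]))
        for i, login in enumerate(evs):
            if not login["isInteractive"]:
                continue
            for later in evs[i + 1:]:
                gap = _ts(later["createdDateTime"]) - _ts(login["createdDateTime"])
                if gap > window:
                    break  # events are sorted; nothing later can be inside the window
                if later["isInteractive"] or later["ipAddress"] == login["ipAddress"]:
                    continue
                country_changed = later["countryOrRegion"] != login["countryOrRegion"]
                agent_changed = later["userAgent"] != login["userAgent"]
                if country_changed or agent_changed:
                    alerts.append({
                        "user": user, "appId": app,
                        "login_ip": login["ipAddress"], "replay_ip": later["ipAddress"],
                        "seconds_after_login": int(gap.total_seconds()),
                        "reason": "country changed" if country_changed else "user agent changed",
                    })
    return alerts


if __name__ == "__main__":
    for alert in find_code_replay(SAMPLE_EVENTS):
        print(alert)
```

The user‑agent condition matters because the code is redeemed from the attacker's cloud infrastructure, which may sit in the same country as the victim; a change of IP plus a non‑browser client is enough to earn a look even when geolocation agrees. Expect some noise from VPN users and device hand‑offs, so treat a hit as a trigger for session revocation and triage rather than an automatic verdict.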

