Full Report
A new attack type, dubbed ConsentFix v3, has been circulating on hacker forums, building on the previous technique by adding automation and scaling potential. [...]
Analysis Summary
# Tool/Technique: ConsentFix v3
## Overview
ConsentFix v3 is an evolved OAuth phishing technique and automation framework designed to hijack Microsoft Azure accounts. It builds upon previous "ClickFix" and "ConsentFix" iterations by replacing manual post-exploitation steps with automated backend processing. The technique abuses the legitimate OAuth2 authorization code flow and pre-trusted first-party Microsoft applications (such as Azure CLI) to bypass Multi-Factor Authentication (MFA) without requiring the victim's password.
## Technical Details
- **Type:** Attack Technique / Automation Framework
- **Platform:** Microsoft Azure, Microsoft 365
- **Capabilities:** Automated OAuth code-to-token exchange, data harvesting, MFA bypass, and real-time token exfiltration.
- **First Seen:** May 2026 (Documentation of v3 iteration)
## MITRE ATT&CK Mapping
- **[TA0001 - Initial Access]**
- [T1566.002 - Phishing: Spearphishing Link]
- **[TA0006 - Credential Access]**
- [T1555.004 - Credentials from Web Browsers: Managed External Accounts]
- [T1528 - Steal Application Access Token]
- **[TA0007 - Discovery]**
- [T1087.004 - Account Discovery: Cloud Account]
- **[TA0010 - Exfiltration]**
- [T1567.002 - Exfiltration Over Web Service: Exfiltration to Cloud Storage]
## Functionality
### Core Capabilities
- **OAuth Abuse:** Exploits the "localhost" redirect flow typical of native applications (like Azure CLI) to capture authorization codes.
- **Token Exchange Automation:** Utilizes serverless platforms (Pipedream) to instantly exchange captured codes for refresh tokens via Microsoft APIs.
- **Tenant Discovery:** Verifies Azure tenant IDs and gathers employee metadata (names, roles) for targeted social engineering.
- **Credential Bypass:** Successfully hijacks active sessions, effectively bypassing MFA as the victim performs the legitimate login themselves.
### Advanced Features
- **Infrastructure Scaling:** Automates the creation of accounts across various services (Cloudflare, DocSend, Tutanota) to host phishing assets and bypass filters.
- **Low-Interaction Phishing:** Uses DocSend-hosted PDFs to embed malicious links, reducing the likelihood of detection by email security gateways.
- **Post-Exploitation Integration:** Specifically designed to feed captured tokens into tools like **Specter Portal** for immediate access to Microsoft 365 resources (emails, files).
## Indicators of Compromise
- **File Names:** Phishing documents often delivered via `DocSend` links or embedded in PDFs.
- **Network Indicators (Defanged):**
- `pipedream[.]net` (Used for webhook automation and token collection)
- `cloudflarepages[.]com` (Used for hosting phishing interfaces)
- `docsend[.]com` (Used for malicious document hosting)
- `microsoft[.]com/common/oauth2/v2.0/authorize` (Source of legitimate login flow)
- **Behavioral Indicators:**
- Unusual redirects to `http://localhost:[port]` followed by manual input of that URL into a third-party webpage.
- Rapid exchange of OAuth codes from IP addresses associated with cloud automation providers (e.g., Pipedream).
- Azure CLI or other first-party app registrations appearing from unexpected geographic locations.
## Associated Threat Actors
- While currently discussed on various hacker forums, specific named groups have not been publicly attributed to the v3 variant; however, it is a known evolution of techniques used by financial crime actors and initial access brokers (IABs).
## Detection Methods
- **Behavioral Detection:** Monitor for "Family of Client IDs" (FOCI) token usage from non-compliant devices or unusual IP ranges.
- **Log Analysis:** Audit Entra ID (Azure AD) sign-in logs for successful logins to "Azure CLI" followed immediately by API activity from different source IPs.
- **Webhook Monitoring:** Inspect outbound traffic to serverless integration platforms like Pipedream or Zapier in environments where they are not officially sanctioned.
## Mitigation Strategies
- **Token Binding:** Implement token binding to ensure tokens are only valid for the device to which they were issued.
- **App Execution Restrictions:** Use "Conditional Access" policies to restrict access to first-party applications like Azure CLI from unmanaged or non-compliant devices.
- **User Training:** Specifically educate high-value targets (Admins) on the risks of copying/pasting "localhost" URLs or authorization codes into any interface.
- **SaaS Security Posture Management (SSPM):** Monitor and alert on new OAuth grants for high-privilege scopes.
## Related Tools/Techniques
- **ConsentFix v1/v2:** Earlier manual/semi-automated iterations.
- **ClickFix:** The underlying social engineering template.
- **Specter Portal:** A post-exploitation tool used to manage and use stolen session tokens.
- **Evilginx:** A generic AiTM (Adversary-in-the-Middle) proxy tool with similar goals but different mechanics.