A new, automated attack technique called ConsentFix v3 is targeting Microsoft Azure environments by abusing the OAuth 2.0 authorization code flow. This latest iteration builds on previous versions (ConsentFix v2 and the original ClickFix) to streamline and scale attacks, enabling attackers to gain access to accounts even with multi-factor authentication (MFA) enabled.
What Happened
ConsentFix v3, advertised on hacker forums, begins by checking whether a target organization uses Azure and by gathering employee details for more convincing social engineering. Attackers then establish accounts across several services – Outlook, Tutanota, Cloudflare, DocSend, Hunter.io, and Pipedream – to support phishing, hosting, data gathering, and exfiltration. The core of the attack relies on the Pipedream serverless integration platform, which serves three critical functions: receiving the authorization code from a victim, automatically exchanging that code for a refresh token via Microsoft’s API, and collecting the captured tokens in real time.
The attack flow involves a phishing page hosted on Cloudflare Pages that mimics a legitimate Microsoft/Azure interface. Victims are tricked into interacting with this page and are redirected to a localhost URL containing an OAuth authorization code. They are then persuaded to copy and paste (or drag and drop, as in ConsentFix v2) this code into the phishing page, enabling attackers to exchange the code for tokens and ultimately compromise the account. Personalized phishing emails, generated from harvested data and delivered via malicious links embedded in PDFs hosted on DocSend, increase the attack's credibility and bypass spam filters.
Once tokens are obtained, they are imported into Specter Portal, allowing attackers to interact with the compromised Microsoft environment and access whatever resources the tokens permit. Push Security, which has been tracking the development of these attacks, tested ConsentFix v3 against its own Microsoft accounts; the full potential impact is therefore hard to assess, since it varies with the permissions granted and the tenant's settings.
Why It Matters
This attack is significant because it demonstrates a growing sophistication in OAuth abuse. Traditional phishing attacks often target credentials directly. ConsentFix v3, however, exploits the inherent trust placed in first-party Microsoft applications and the OAuth 2.0 flow itself. The automation provided by Pipedream dramatically increases the scale and efficiency of these attacks, making it easier for attackers to target multiple users simultaneously.
The reliance on Pipedream as a crucial component highlights the potential for abuse of serverless platforms and integration tools. While Pipedream itself isn't inherently vulnerable, it provides a convenient infrastructure for automating malicious activities. The successful bypass of MFA is particularly concerning, underlining the limitations of MFA as a sole security measure. The source material notes that mitigation is complex because of the architectural trust in first-party apps.
What To Watch
Administrators should focus on implementing token binding to trusted devices and setting up behavioral detection rules to identify anomalous activity. The source article mentions applying API restrictions, but provides no details. It will be crucial to monitor for updates from Microsoft regarding potential mitigations within the Azure platform itself. Further investigation is needed to understand the full scope of impact and the effectiveness of various defensive measures. The evolving nature of these attacks – from ClickFix to ConsentFix v3 – suggests that attackers will continue to refine their techniques, so ongoing vigilance and adaptation are essential. The role of third-party services like Pipedream in these attacks warrants further scrutiny, and developers should be aware of the potential for misuse of their platforms.
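One behavioral rule that follows from the flow described above: the victim authenticates in a browser, but the authorization code is redeemed by Pipedream's infrastructure, so the token redemption comes from a different IP than the interactive authorization. The Python below is an added example, not code from the source article, Push Security or Microsoft; the log lines are constructed, the field names are an assumed simplified schema rather than the real Entra ID sign-in log format, and the client app name is a placeholder.

```python
import json
from datetime import datetime, timedelta

# Constructed sample events in an assumed, simplified schema (not Entra's real
# sign-in log format). "authorize" = interactive browser step where the user
# authenticated; "token" = redemption of the authorization code at the token endpoint.
SAMPLE_LOG = """\
{"ts": "2024-05-01T09:00:00Z", "user": "alice@example.com", "step": "authorize", "client_app": "FIRST_PARTY_APP_PLACEHOLDER", "ip": "203.0.113.10", "redirect_uri": "http://localhost:8400"}
{"ts": "2024-05-01T09:00:04Z", "user": "alice@example.com", "step": "token", "client_app": "FIRST_PARTY_APP_PLACEHOLDER", "ip": "203.0.113.10", "redirect_uri": "http://localhost:8400"}
{"ts": "2024-05-01T10:15:00Z", "user": "bob@example.com", "step": "authorize", "client_app": "FIRST_PARTY_APP_PLACEHOLDER", "ip": "198.51.100.7", "redirect_uri": "http://localhost:8400"}
{"ts": "2024-05-01T10:16:30Z", "user": "bob@example.com", "step": "token", "client_app": "FIRST_PARTY_APP_PLACEHOLDER", "ip": "192.0.2.55", "redirect_uri": "http://localhost:8400"}
{"ts": "2024-05-01T11:00:00Z", "user": "carol@example.com", "step": "token", "client_app": "FIRST_PARTY_APP_PLACEHOLDER", "ip": "192.0.2.55", "redirect_uri": "http://localhost:8400"}
"""

def parse_events(text):
    """Parse newline-delimited JSON events and return them ordered by timestamp."""
    events = []
    for line in text.splitlines():
        if line.strip():
            ev = json.loads(line)
            ev["ts"] = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00"))
            events.append(ev)
    return sorted(events, key=lambda e: e["ts"])

def find_suspicious_redemptions(text, window=timedelta(minutes=10)):
    """Pair each code redemption with the user's latest interactive authorization
    for the same app; flag it when the IP differs (code relayed off the device that
    authenticated) or when no authorization was seen inside the window."""
    pending = {}   # (user, client_app) -> most recent "authorize" event
    findings = []
    for ev in parse_events(text):
        key = (ev["user"], ev["client_app"])
        if ev["step"] == "authorize":
            pending[key] = ev
            continue
        if ev["step"] != "token":
            continue
        auth = pending.pop(key, None)
        if auth is None or ev["ts"] - auth["ts"] > window:
            findings.append({"user": ev["user"], "reason": "no_matching_authorization",
                             "token_ip": ev["ip"]})
        elif auth["ip"] != ev["ip"]:
            findings.append({"user": ev["user"], "reason": "redeemed_from_different_ip",
                             "auth_ip": auth["ip"], "token_ip": ev["ip"],
                             "delay_s": int((ev["ts"] - auth["ts"]).total_seconds())})
    return findings

if __name__ == "__main__":
    for finding in find_suspicious_redemptions(SAMPLE_LOG):
        print(finding)
```

A legitimate localhost redirect is redeemed by the same host within seconds, so alice produces no finding, while bob (redeemed 90 seconds later from another address) and carol (redemption with no preceding authorization) are flagged.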