ConsentFix v3 Toolkit Automates OAuth Attacks Against Microsoft Azure Accounts
A new ConsentFix v3 toolkit is raising concern because it automates parts of an OAuth phishing attack against Microsoft Azure and Entra ID accounts. The technique can help attackers capture tokens without stealing a password directly.
Push Security says the toolkit has been promoted on a criminal forum and builds on earlier ConsentFix attacks. The first version used social engineering to trick users into copying a Microsoft login redirect URL that contained an OAuth authorization code.
The risk is serious because the sign-in itself happens on a genuine Microsoft login page, so checking the address bar or waiting for a password-manager warning gives the victim no signal. If the user is already signed in, the attack may require little more than selecting the existing account and moving the generated URL back into the phishing page.
What ConsentFix v3 changes
ConsentFix v3 keeps the same core idea as earlier versions. It abuses the OAuth 2.0 authorization code flow and targets trusted first-party Microsoft applications, such as Azure CLI. Such apps are public clients that redirect to a localhost address on the user's machine, so a captured authorization code can be redeemed at the token endpoint without any client secret.
The difference is automation. Push Security says the new toolkit helps attackers build infrastructure, create believable personas, manage phishing campaigns, capture OAuth material, and exchange it for session and refresh tokens.
This makes the attack easier to scale than the original version. Earlier ConsentFix attacks relied more heavily on manual steps, while the new toolkit shows how attackers can turn the flow into a repeatable phishing operation.
At a glance
| Item | Details |
|---|---|
| Attack name | ConsentFix v3 |
| Main target | Microsoft Azure and Entra ID accounts |
| Main technique | OAuth authorization code theft |
| Trusted app abused | First-party Microsoft apps such as Azure CLI |
| Main improvement | Automation of phishing setup, token exchange, and campaign management |
| Primary risk | Account takeover through stolen access and refresh tokens |
| Current status | Promoted as a toolkit, but large-scale real-world use remains unclear |
How the attack tricks users
The phishing page can look like a normal Microsoft or Azure sign-in experience. In reality, it starts a legitimate OAuth flow and then waits for the victim to return the generated redirect URL.
That URL can contain an authorization code. Codes are single-use and expire within minutes, so attackers must redeem them quickly, which is one reason the toolkit automates the exchange; once redeemed, the resulting tokens grant access to whatever Microsoft resources the targeted app is allowed to reach and the victim's permissions permit.
This makes the attack different from normal password phishing. The attacker does not need the victim’s password if the OAuth flow produces usable tokens.
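To make concrete why the pasted redirect URL is the whole prize, here is the authorization-code flow described above, built and parsed offline. This is an added example, not Push Security's toolkit or any code from the article. Assumptions not taken from the page: the targeted public client is Azure CLI (the client ID is the one Microsoft publishes for it), the redirect URI is a loopback address as RFC 8252 allows (port 8400 chosen here), and the requested scope is an Azure Resource Manager scope plus offline_access. Nothing here touches the network.

```python
"""Added example (not Push Security's toolkit or code from the page): the
OAuth 2.0 authorization-code flow that ConsentFix rides on, built and parsed
offline so each piece is visible. Assumptions: the targeted public client is
Azure CLI (client ID below is the one Microsoft publishes for it), the redirect
URI is a loopback address per RFC 8252 (port 8400 chosen here), and the scope
is an Azure Resource Manager scope; none of these come from the article."""
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

AUTHORITY = "https://login.microsoftonline.com/common/oauth2/v2.0"
AZURE_CLI_CLIENT_ID = "04b07795-8ddb-461a-bbee-02f9e1bf7b46"  # Microsoft's published Azure CLI client ID
REDIRECT_URI = "http://localhost:8400"  # assumed loopback redirect; Azure CLI accepts any localhost port
SCOPE = "https://management.azure.com/.default offline_access"  # assumed; offline_access yields a refresh token


def make_pkce_pair():
    """Return (code_verifier, S256 code_challenge) per RFC 7636.
    The lure page generates both, so whoever runs the page holds the verifier."""
    verifier = base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode()
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    challenge = base64.urlsafe_b64encode(digest).rstrip(b"=").decode()
    return verifier, challenge


def build_authorize_url(client_id, redirect_uri, scope, state, code_challenge):
    """The URL the victim is sent to. It points at the real Microsoft
    endpoint, which is why the sign-in page looks (and is) genuine."""
    params = {
        "client_id": client_id,
        "response_type": "code",
        "redirect_uri": redirect_uri,
        "scope": scope,
        "state": state,
        "code_challenge": code_challenge,
        "code_challenge_method": "S256",
    }
    return f"{AUTHORITY}/authorize?{urlencode(params)}"


def extract_code(pasted_url, expected_state, expected_redirect):
    """What the capture endpoint does with the redirect URL the victim pastes.
    After sign-in the browser lands on the loopback URI with ?code=...&state=...;
    nothing is listening there, so the victim sees an error page whose address
    bar carries the code. Returns the code, or None if the URL is not the one
    this flow produced (wrong redirect host or wrong state)."""
    parts = urlsplit(pasted_url.strip())
    base = f"{parts.scheme}://{parts.netloc}{parts.path}".rstrip("/")
    if base != expected_redirect.rstrip("/"):
        return None
    query = parse_qs(parts.query)
    if query.get("state", [None])[0] != expected_state:
        return None
    return query.get("code", [None])[0]


def build_token_request(client_id, redirect_uri, code, code_verifier, scope):
    """Form body for POST {AUTHORITY}/token. A public client sends no
    client_secret, so code + verifier is all that is needed to obtain access
    and refresh tokens. Codes are single-use and expire within minutes, which
    is why the toolkit automates this step instead of leaving it to a human."""
    return {
        "client_id": client_id,
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": redirect_uri,
        "code_verifier": code_verifier,
        "scope": scope,
    }


if __name__ == "__main__":
    verifier, challenge = make_pkce_pair()
    state = secrets.token_urlsafe(16)
    print(build_authorize_url(AZURE_CLI_CLIENT_ID, REDIRECT_URI, SCOPE, state, challenge))
    # Constructed stand-in for what a victim would paste back after signing in.
    pasted = f"http://localhost:8400/?code=0.AXconstructedcode&state={state}&session_state=abc"
    code = extract_code(pasted, state, REDIRECT_URI)
    print("captured code:", code)
    print(build_token_request(AZURE_CLI_CLIENT_ID, REDIRECT_URI, code, verifier, SCOPE))
```

The defensive takeaway is in extract_code and build_token_request: the pasted URL is only dangerous because the attacker chose the state and holds the PKCE verifier, and because a public client needs no secret to turn the code into tokens. Any workflow that asks a user to hand back a localhost URL containing `code=` is handing over the session.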
Why first-party Microsoft apps matter
ConsentFix attacks are powerful because they can target first-party Microsoft apps that users and tenants already trust. Azure CLI is one example that appears in research on this technique.
These apps exist for legitimate administrative and developer workflows. They can also have broad trust inside Microsoft environments, which makes them attractive to attackers.

Push Security says this trust model can make mitigation difficult. Blocking every trusted Microsoft app is not realistic for many organizations because it may break normal business and engineering workflows.
ConsentFix v3 uses common SaaS tools
The toolkit described by Push Security uses a mix of common SaaS and open-source tools. These can support target research, hosting, phishing delivery, token capture, and post-compromise activity.
Push Security said the toolkit referenced services such as Cloudflare Workers, ZoomInfo, Dropbox, and Pipedream. Pipedream can act as a webhook and automation layer that receives OAuth material and exchanges it for tokens.
Attackers can also use post-exploitation tools to interact with the compromised Microsoft environment after importing the stolen tokens.
Why this can bypass normal defenses
ConsentFix works inside the browser and uses real Microsoft authentication flows. That makes it harder for traditional endpoint tools to detect because no malware needs to run on the device.
It can also bypass user expectations. Employees know to avoid suspicious password pages, but they may not recognize a request to drag, drop, or paste a localhost URL as a phishing step.
OAuth-based attacks also reduce the usefulness of password resets alone. Resetting the password does not expire access tokens that have already been issued, and unless the user's sign-in sessions are explicitly revoked the attacker keeps working until those tokens run out. Treat the incident as a token compromise: revoke refresh tokens and sessions, then reset the password.
What security teams should check
- Review Entra ID sign-in logs for unusual first-party app activity.
- Hunt for Azure CLI and other first-party app sign-ins from unfamiliar IP addresses, especially non-interactive refresh-token use that follows an interactive browser sign-in from a different network.
- Review OAuth grants and delegated permissions across the tenant, bearing in mind that ConsentFix abuses pre-authorized first-party apps and therefore leaves no new consent grant to find; the review catches related illicit-consent attacks rather than this one.
- Watch for users accessing phishing pages that request copied URLs or drag-and-drop actions.
- Revoke refresh tokens and sessions for accounts suspected of exposure.
- Apply Conditional Access controls and token protection where supported. Policies are re-evaluated on every token request, including refresh, so a trusted-location or compliant-device requirement for Azure management constrains where a stolen refresh token can be redeemed.
- Train users to report any page that asks them to paste a Microsoft redirect URL.
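The two hunting items above as working logic, run over a handful of constructed Entra ID sign-in records. This is an added example, not Push Security's or Microsoft's code. Field names follow the Microsoft Graph signIn schema; the corporate egress range, the two-hour window, the sample users and the placeholder non-CLI app ID are assumptions for the demonstration. In production you would feed it the exported sign-in log (interactive and non-interactive) instead of the inline list.

```python
"""Added example, not Push Security's or Microsoft's code: the hunting checks
above as logic over a few constructed Entra ID sign-in records. Field names
follow the Microsoft Graph signIn schema (userPrincipalName, appId,
appDisplayName, ipAddress, isInteractive, createdDateTime,
location.countryOrRegion). Two heuristics: (1) Azure CLI sign-ins from an IP
outside an assumed corporate egress allowlist, and (2) an interactive Azure CLI
sign-in followed within a short window by non-interactive (refresh-token) use
of the same app from another country, the trace a code captured in the
victim's browser and redeemed elsewhere is expected to leave."""
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

AZURE_CLI_APP_ID = "04b07795-8ddb-461a-bbee-02f9e1bf7b46"  # Microsoft's published Azure CLI client ID
CORP_EGRESS = [ip_network("203.0.113.0/24")]  # assumed corporate egress; constructed (TEST-NET-3)
WINDOW = timedelta(hours=2)  # assumed hunt window after an interactive sign-in
OTHER_APP_ID = "00000000-0000-0000-0000-000000000001"  # constructed placeholder for a non-CLI app


def rec(ts, upn, app_id, app_name, ip, interactive, country):
    """Build one record shaped like a Graph signIn object."""
    return {"createdDateTime": ts, "userPrincipalName": upn, "appId": app_id,
            "appDisplayName": app_name, "ipAddress": ip, "isInteractive": interactive,
            "location": {"countryOrRegion": country}}


# Constructed sample log: alice matches the ConsentFix pattern, bob is a normal
# `az login`, carol uses Azure CLI from an unknown network, dave is unrelated noise.
SIGNINS = [
    rec("2025-01-15T09:00:00Z", "alice@example.com", AZURE_CLI_APP_ID, "Microsoft Azure CLI",
        "203.0.113.10", True, "US"),
    rec("2025-01-15T09:07:00Z", "alice@example.com", AZURE_CLI_APP_ID, "Microsoft Azure CLI",
        "198.51.100.77", False, "NL"),
    rec("2025-01-15T10:00:00Z", "bob@example.com", AZURE_CLI_APP_ID, "Microsoft Azure CLI",
        "203.0.113.22", True, "US"),
    rec("2025-01-15T10:30:00Z", "bob@example.com", AZURE_CLI_APP_ID, "Microsoft Azure CLI",
        "203.0.113.22", False, "US"),
    rec("2025-01-15T11:00:00Z", "carol@example.com", AZURE_CLI_APP_ID, "Microsoft Azure CLI",
        "198.51.100.5", True, "US"),
    rec("2025-01-15T11:05:00Z", "dave@example.com", OTHER_APP_ID, "Some Other App",
        "198.51.100.9", True, "US"),
]


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def in_allowlist(ip):
    addr = ip_address(ip)
    return any(addr in net for net in CORP_EGRESS)


def hunt(records, app_id=AZURE_CLI_APP_ID, window=WINDOW):
    """Return (upn, reason, ip) findings for the two heuristics."""
    findings = []
    cli = sorted((r for r in records if r["appId"] == app_id),
                 key=lambda r: parse_ts(r["createdDateTime"]))

    # Heuristic 1: first-party CLI app used from outside known egress.
    for r in cli:
        if not in_allowlist(r["ipAddress"]):
            findings.append((r["userPrincipalName"], "azure_cli_from_unfamiliar_ip", r["ipAddress"]))

    # Heuristic 2: interactive sign-in, then refresh-token use from another country
    # inside the window. Stops scanning once a later record falls outside the window.
    by_user = {}
    for r in cli:
        by_user.setdefault(r["userPrincipalName"], []).append(r)
    for upn, rows in by_user.items():
        for i, first in enumerate(rows):
            if not first["isInteractive"]:
                continue
            t0 = parse_ts(first["createdDateTime"])
            for later in rows[i + 1:]:
                if parse_ts(later["createdDateTime"]) - t0 > window:
                    break
                if (not later["isInteractive"]
                        and later["location"]["countryOrRegion"] != first["location"]["countryOrRegion"]):
                    findings.append((upn, "token_redeemed_from_different_country", later["ipAddress"]))
    return findings


if __name__ == "__main__":
    for upn, reason, ip in hunt(SIGNINS):
        print(f"{upn}: {reason} ({ip})")
```

The second heuristic is the one specific to this technique: a normal `az login` produces an interactive sign-in and later refresh-token use from the same machine, whereas a stolen code is redeemed from the attacker's infrastructure, so the non-interactive activity appears from a network the user never touched. Tune the country comparison to ASN or named-location comparison if your users travel or use a VPN.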
Mitigation is not simple
Microsoft’s Token Protection feature can help reduce token replay by binding supported sign-in session tokens to a device, which makes a stolen token useless off that device. Microsoft documents it for a limited set of Windows desktop clients and services, so check whether the apps ConsentFix targets, such as Azure CLI, actually fall within that coverage before relying on it.
Admins should also follow Microsoft’s guidance for detecting and remediating illicit consent grants. That includes reviewing OAuth applications, delegated permissions, and sign-in activity connected to suspicious apps.
However, ConsentFix v3 also shows why identity security needs browser-level visibility. If the attack happens through a real login flow and a convincing browser prompt, email filters and endpoint defenses may miss the most important step.
Real-world impact is still developing
Push Security described ConsentFix v3 as a sign of where OAuth phishing may be heading, rather than a mature phishing-as-a-service platform at industrial scale.
The company also noted that its testing used personal Microsoft accounts, which limits how much can be said about enterprise impact. In a real business tenant, the damage would depend on the targeted app, token scope, user permissions, and tenant controls.
Still, defenders should not wait for a larger campaign before acting. Device code phishing grew after criminal toolkits made it easier to run, and ConsentFix could follow a similar path.
FAQ
What is ConsentFix v3?
ConsentFix v3 is a toolkit that automates parts of an OAuth phishing technique targeting Microsoft Azure and Entra ID accounts.
Does ConsentFix steal passwords?
No. The attack focuses on stealing OAuth authorization material and exchanging it for tokens. This can give attackers access without directly stealing a password.
Does MFA stop ConsentFix?
Not on its own. The victim completes a legitimate Microsoft sign-in, including any MFA prompt, before the authorization code is issued. The tokens the attacker then mints from that code already reflect the completed MFA, so the attacker is not challenged again.
Why is Azure CLI mentioned so often?
Azure CLI is commonly mentioned because it is a trusted first-party Microsoft application used in legitimate cloud administration and developer workflows.