ConsentFix v3 Attacks: Automated OAuth Abuse Targeting Microsoft Azure Accounts at Scale

By Imthiyaz Ali

A new wave of identity-focused cyberattacks, dubbed ConsentFix v3, is redefining how attackers exploit cloud environments. By leveraging weaknesses in OAuth authorization flows and abusing pre-consented Microsoft applications, threat actors are now able to harvest tokens, hijack Azure accounts, and maintain persistent access—all with minimal user interaction.

What is ConsentFix v3?

ConsentFix v3 represents an evolution of OAuth phishing techniques. Unlike traditional credential harvesting attacks, this method focuses on authorization-code interception and token abuse rather than passwords.

Attackers exploit pre-consented Microsoft first-party applications, which already have user trust and permissions granted at the tenant level. This allows malicious actors to bypass consent prompts and directly obtain authorization codes that can be exchanged for access and refresh tokens.

  • Targets OAuth 2.0 authorization code flow
  • Abuses trusted Microsoft applications
  • Harvests long-lived refresh tokens
  • Enables persistent account takeover

Attack Workflow: Step-by-Step Breakdown

1. Tenant Discovery and Reconnaissance

Attackers begin by identifying target organizations using publicly available Azure tenant data. This includes domain enumeration and mapping of organizational structures.

2. Targeted Phishing Infrastructure

ConsentFix v3 campaigns use Cloudflare Pages to host phishing pages. These pages mimic legitimate Microsoft login portals and OAuth consent screens.

3. Authorization Code Harvesting

When a victim interacts with the phishing page, an OAuth authorization code is captured. Unlike passwords, this code can be immediately exchanged for tokens without triggering suspicion.

4. Automation with Pipedream

A key innovation in ConsentFix v3 is the use of Pipedream automation workflows. Within seconds of a code being captured, these workflows:

  • Exchange authorization codes for tokens
  • Store refresh tokens for persistence
  • Trigger follow-up actions in real time

5. Post-Exploitation via Specter Portal

After gaining access, attackers leverage tools like Specter Portal to manage compromised accounts, extract data, and maintain long-term control.

Why ConsentFix v3 is Dangerous

ConsentFix v3 introduces a shift from credential theft to token-based attacks, making detection significantly harder.

  • No password required: Bypasses traditional security controls
  • Persistent access: Refresh tokens can last weeks or months
  • Stealthy execution: Appears as legitimate OAuth activity
  • Highly scalable: Automation enables mass targeting
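The "stealthy execution" point above is only half true: a code that is redeemed from an address other than the one it was issued to, or a refresh token replayed from an address the user has never signed in from, is still visible in token-issuance telemetry. The following script is an added example (not code from the original article) that correlates authorization-code issuance with token redemption over a constructed, simplified event schema. The field names (ts, event, user, app_id, ip, corr, grant) and the sample addresses are assumptions for the example, not Microsoft's real sign-in log format.

```python
"""Correlate OAuth authorization-code issuance with token redemption.

Constructed, simplified event records (not Microsoft's sign-in log schema):
each JSON line carries ts, event, user, app_id, ip and corr (a correlation
id shared by the code issuance and its redemption); token_redeemed events
also carry the grant type that was used.
"""
import json
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime

# Constructed sample telemetry. Alice's code is issued to her browser address
# but redeemed seconds later from an unrelated address, and a refresh token is
# later replayed from that same address; Bob's flow stays on one address.
SAMPLE_LOG = """\
{"ts":"2024-05-01T09:00:00Z","event":"auth_code_issued","user":"alice@example.test","app_id":"first-party-app-A","ip":"203.0.113.10","corr":"c-1"}
{"ts":"2024-05-01T09:00:03Z","event":"token_redeemed","grant":"authorization_code","user":"alice@example.test","app_id":"first-party-app-A","ip":"198.51.100.77","corr":"c-1"}
{"ts":"2024-05-01T11:30:00Z","event":"token_redeemed","grant":"refresh_token","user":"alice@example.test","app_id":"first-party-app-A","ip":"198.51.100.77","corr":"c-2"}
{"ts":"2024-05-01T09:05:00Z","event":"auth_code_issued","user":"bob@example.test","app_id":"first-party-app-A","ip":"203.0.113.20","corr":"c-3"}
{"ts":"2024-05-01T09:05:01Z","event":"token_redeemed","grant":"authorization_code","user":"bob@example.test","app_id":"first-party-app-A","ip":"203.0.113.20","corr":"c-3"}
{"ts":"2024-05-01T13:00:00Z","event":"token_redeemed","grant":"refresh_token","user":"bob@example.test","app_id":"first-party-app-A","ip":"203.0.113.20","corr":"c-4"}
"""


@dataclass(frozen=True)
class Finding:
    rule: str
    user: str
    detail: str


def _ts(value: str) -> datetime:
    # fromisoformat() on older Pythons does not accept a trailing "Z".
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def parse_events(text: str) -> list:
    """Parse JSON-lines telemetry into a list of event dicts."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def detect(events: list) -> list:
    """Return findings for code-interception and refresh-token replay patterns."""
    events = sorted(events, key=lambda e: _ts(e["ts"]))
    issued = {}                      # corr -> auth_code_issued event
    seen_ips = defaultdict(set)      # user -> addresses their own sessions used
    findings = []
    for e in events:
        if e["event"] == "auth_code_issued":
            issued[e["corr"]] = e
            seen_ips[e["user"]].add(e["ip"])
        elif e["event"] == "token_redeemed" and e["grant"] == "authorization_code":
            src = issued.get(e["corr"])
            if src is None:
                # Redemption with no matching issuance in the window we have.
                findings.append(Finding("code_without_issuance", e["user"], f"corr={e['corr']}"))
            elif src["ip"] != e["ip"]:
                # The code left the victim's session and was redeemed elsewhere.
                delay = (_ts(e["ts"]) - _ts(src["ts"])).total_seconds()
                findings.append(Finding(
                    "code_redeemed_from_other_ip", e["user"],
                    f"issued_to={src['ip']} redeemed_from={e['ip']} after={delay:.0f}s"))
        elif e["event"] == "token_redeemed" and e["grant"] == "refresh_token":
            if e["ip"] not in seen_ips[e["user"]]:
                # Long-lived token used from an address the user never signed in from.
                findings.append(Finding("refresh_from_unseen_ip", e["user"], f"ip={e['ip']}"))
    return findings


if __name__ == "__main__":
    for f in detect(parse_events(SAMPLE_LOG)):
        print(f"{f.rule:30} {f.user:22} {f.detail}")
```

On the sample data the script flags only Alice: her code was redeemed from a different address three seconds after issuance, and her refresh token was then used from that same address. An address mismatch alone is not conclusive (some legitimate clients redeem codes from a backend rather than the browser), so in production the rule should be combined with the redeeming client's identity, the ASN of the redeeming address and a per-user baseline rather than acted on in isolation.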

According to recent cloud security reports, over 60% of identity attacks now target OAuth tokens instead of credentials, highlighting the growing importance of identity-based threats.

Key Techniques Used in ConsentFix v3

  • OAuth authorization code phishing
  • Pre-consented app abuse
  • Token replay and refresh token harvesting
  • Cloud-based phishing hosting (Cloudflare Pages)
  • Workflow automation (Pipedream)

Mitigation Strategies

Organizations can defend against ConsentFix v3 attacks by implementing the following controls:

  • Restrict or audit pre-consented applications
  • Enable Conditional Access policies in Azure
  • Monitor OAuth token issuance and anomalies
  • Implement phishing-resistant MFA (e.g., FIDO2)
  • Use Identity Threat Detection tools
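The first control above, auditing pre-consented applications, comes down to listing which delegated permission grants apply to every user in the tenant and which of those include scopes that yield long-lived or data-reading access. The script below is an added example (not code from the original article or from Microsoft) that ranks such grants. The record shape follows the Microsoft Graph oauth2PermissionGrant resource (clientId, consentType, principalId, resourceId, scope), but every value shown is constructed sample data, and the SENSITIVE_SCOPES list is an assumption to be tuned per tenant.

```python
"""Rank tenant-wide (pre-consented) delegated permission grants by risk.

Records mirror the Microsoft Graph oauth2PermissionGrant resource; in a real
audit they would be fetched from
https://graph.microsoft.com/v1.0/oauth2PermissionGrants (filter on
consentType eq 'AllPrincipals'). Everything below is constructed sample data.
"""
from dataclasses import dataclass

# Scopes that let a token holder keep access (offline_access yields refresh
# tokens) or read user data. Assumed list for this example; tune per tenant.
SENSITIVE_SCOPES = {
    "offline_access", "Mail.Read", "Mail.ReadWrite", "Files.Read.All",
    "Files.ReadWrite.All", "User.Read.All", "Directory.Read.All",
}

# Constructed service principals keyed by the id a grant's clientId refers to.
SAMPLE_SERVICE_PRINCIPALS = {
    "sp-0001": {"displayName": "Mail Sync (constructed)", "publisherName": "Example Corp"},
    "sp-0002": {"displayName": "Lunch Menu Widget (constructed)", "publisherName": "Unknown"},
}

# Constructed grants: g1 is tenant-wide with refresh-token and mail scopes,
# g2 is a single user's consent, g3 is tenant-wide but low-privilege.
SAMPLE_GRANTS = [
    {"id": "g1", "clientId": "sp-0001", "consentType": "AllPrincipals", "principalId": None,
     "resourceId": "graph-sp", "scope": "offline_access Mail.Read User.Read"},
    {"id": "g2", "clientId": "sp-0002", "consentType": "Principal", "principalId": "user-42",
     "resourceId": "graph-sp", "scope": "User.Read"},
    {"id": "g3", "clientId": "sp-0002", "consentType": "AllPrincipals", "principalId": None,
     "resourceId": "graph-sp", "scope": "User.Read openid"},
]


@dataclass(frozen=True)
class GrantRisk:
    grant_id: str
    app: str
    publisher: str
    tenant_wide: bool          # consentType == "AllPrincipals": no consent prompt for any user
    sensitive: tuple           # sensitive scopes present, sorted
    action: str


def _action(tenant_wide: bool, sensitive: tuple) -> str:
    if tenant_wide and sensitive:
        return "review now: tenant-wide grant with refresh/data scopes"
    if tenant_wide:
        return "confirm the app still needs tenant-wide consent"
    return "single-user grant with sensitive scopes: verify owner"


def audit_grants(grants: list, service_principals: dict) -> list:
    """Return risky grants, most dangerous first."""
    out = []
    for g in grants:
        scopes = set(g["scope"].split())
        sensitive = tuple(sorted(scopes & SENSITIVE_SCOPES))
        tenant_wide = g["consentType"] == "AllPrincipals"
        if not (tenant_wide or sensitive):
            continue   # per-user grant of low-privilege scopes: not worth listing
        sp = service_principals.get(g["clientId"], {})
        out.append(GrantRisk(
            grant_id=g["id"],
            app=sp.get("displayName", g["clientId"]),
            publisher=sp.get("publisherName", "unknown"),
            tenant_wide=tenant_wide,
            sensitive=sensitive,
            action=_action(tenant_wide, sensitive),
        ))
    # Tenant-wide grants first, then by number of sensitive scopes.
    return sorted(out, key=lambda r: (not r.tenant_wide, -len(r.sensitive)))


if __name__ == "__main__":
    for r in audit_grants(SAMPLE_GRANTS, SAMPLE_SERVICE_PRINCIPALS):
        flag = "TENANT-WIDE" if r.tenant_wide else "per-user"
        print(f"{r.grant_id} {flag:11} {r.app:32} {r.publisher:12} "
              f"{' '.join(r.sensitive) or '-':32} {r.action}")
```

Run against the sample data, g1 is ranked first (tenant-wide, offline_access plus Mail.Read), g3 is listed as a tenant-wide grant that deserves a second look, and g2 is omitted. Grants that come out at the top are the ones that let a stolen authorization code become a long-lived token without any consent screen; the fix is to revoke or narrow them and to restrict who can create new tenant-wide grants.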

NeuraCyb's Assessment

ConsentFix v3 marks a significant evolution in cloud identity attacks, emphasizing the growing shift toward token-centric exploitation. By combining automation, trusted application abuse, and scalable phishing infrastructure, attackers are effectively bypassing traditional defenses.

The attack underscores a critical gap in enterprise security: over-reliance on credential-based protection models. As identity becomes the new perimeter, organizations must adopt a zero-trust approach that continuously validates sessions, tokens, and application behaviors.

Moving forward, security teams should prioritize OAuth governance, token monitoring, and user awareness to mitigate such advanced threats.


Imthiyaz Ali
Imthiyaz is an experienced cybersecurity professional with over 5 years of experience in cybersecurity research.