Imagine a world where a simple copy-and-paste action could grant hackers full access to your Microsoft account, bypassing all security measures. This is the chilling reality of ConsentFix, a newly discovered browser-based phishing attack.
The Rise of ConsentFix: A Game-Changer in Phishing Techniques
ConsentFix, a term coined by Push Security researchers, represents a significant evolution in phishing attacks. It allows hackers to take over accounts without capturing passwords or triggering MFA, marking a dangerous advancement.
Here's how it works: victims are lured to a phishing page, where they're tricked into signing in to Azure CLI, which generates an OAuth authorization code. That code, embedded in a localhost redirect URL, is then pasted by the victim into the phishing page, giving the attackers the authorization code, the OAuth token it yields and, ultimately, access to the target application - Microsoft.
A Complex Threat Landscape
This attack showcases the rapidly evolving nature of cyber threats. ClickFix attacks, similar in nature, were one of the fastest-growing attack types this year. OAuth consent grants, abused by groups like Scattered Lapsus$ Hunters, have also become a popular tool for attackers. ConsentFix combines these successful techniques, creating a powerful and sophisticated attack.
Challenges for Security Teams
ConsentFix presents a significant challenge for security teams for several reasons:
- No login is required, rendering phishing-resistant authentication controls ineffective.
- The entire attack happens within the browser context, making it harder to detect.
- Using Google Search to deliver the lure bypasses email-based anti-phishing controls.
- Targeting a first-party app like Azure CLI means the controls used to block third-party app integrations do not apply, leaving few preventative options.
- Advanced detection evasion techniques make it difficult to investigate and detect these attacks.
Jacques Louw, Chief Product Officer at Push Security, emphasizes the sophistication of this technique, noting that it's designed to evade detection and bypass protective controls, all while exploiting a trusted first-party app.
The Mechanics of ConsentFix
In the observed ConsentFix attacks, victims were directed through Google Search to compromised websites with a fake Cloudflare Turnstile challenge. After entering a valid corporate email, victims were prompted to click a "Sign In" button, which led to a legitimate Microsoft page. If already logged in, victims were redirected to a localhost URL containing an OAuth authorization code. Pasting this URL back into the original page completed the malicious consent grant.
A Valuable Target: Azure CLI
Attackers specifically targeted Microsoft Azure CLI, a first-party application trusted across Entra ID tenants. Unlike third-party OAuth apps, Azure CLI has unique capabilities and exemptions, making it an attractive target for attackers and limiting the available preventative controls.
Detection and Prevention
Push Security warns that attackers may integrate ConsentFix into phishing kits, broadening their reach. Organizations should monitor for unusual Azure CLI login events, especially for standard users. Enabling and monitoring AADGraphActivityLogs can help detect unusual activities like AD enumeration.
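The monitoring recommendation above is simple to operationalize. The following is an added example written for this article, not Push Security's tooling: it reads Entra ID sign-in records in the JSON shape returned by the Microsoft Graph sign-in logs (the field names appDisplayName, appId, userPrincipalName, createdDateTime, clientAppUsed and status.errorCode are assumed from that API), builds a baseline of users who have historically used Azure CLI, and flags successful Azure CLI sign-ins by anyone outside that baseline. The log lines are constructed sample data.

```python
"""Flag Microsoft Azure CLI sign-ins from users who do not normally use it.

Added example; not Push Security's code. Assumes Entra ID sign-in records
exported as one JSON object per line with the Microsoft Graph signIns field
names. All sample records below are constructed.
"""
import json
from typing import Iterable

# Well-known first-party application id of Microsoft Azure CLI (assumed
# stable across tenants); the display name is matched as a fallback.
AZURE_CLI_APP_ID = "04b07795-8ddb-461a-bbee-02f9e1bf7b46"
AZURE_CLI_NAME = "Microsoft Azure CLI"

# Constructed sample: alice administers Azure daily, bob is a standard user
# whose CLI sign-in failed, dave is a standard user who has never used the
# CLI and suddenly signs in to it successfully. The non-CLI appId is a
# placeholder, not a real application id.
SAMPLE_SIGNINS = """\
{"createdDateTime": "2025-12-01T08:02:11Z", "userPrincipalName": "alice@example.com", "appDisplayName": "Microsoft Azure CLI", "appId": "04b07795-8ddb-461a-bbee-02f9e1bf7b46", "clientAppUsed": "Mobile Apps and Desktop clients", "status": {"errorCode": 0}}
{"createdDateTime": "2025-12-01T09:15:40Z", "userPrincipalName": "bob@example.com", "appDisplayName": "Example Mail App", "appId": "11111111-2222-3333-4444-555555555555", "clientAppUsed": "Browser", "status": {"errorCode": 0}}
{"createdDateTime": "2025-12-01T10:47:03Z", "userPrincipalName": "dave@example.com", "appDisplayName": "Microsoft Azure CLI", "appId": "04b07795-8ddb-461a-bbee-02f9e1bf7b46", "clientAppUsed": "Mobile Apps and Desktop clients", "status": {"errorCode": 0}}
{"createdDateTime": "2025-12-01T10:48:30Z", "userPrincipalName": "bob@example.com", "appDisplayName": "Microsoft Azure CLI", "appId": "04b07795-8ddb-461a-bbee-02f9e1bf7b46", "clientAppUsed": "Mobile Apps and Desktop clients", "status": {"errorCode": 50126}}
"""


def parse_signins(text: str) -> list[dict]:
    """Parse newline-delimited JSON sign-in records, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def is_azure_cli(rec: dict) -> bool:
    """True if the record is a sign-in to the Azure CLI first-party app."""
    return (rec.get("appId") == AZURE_CLI_APP_ID
            or rec.get("appDisplayName") == AZURE_CLI_NAME)


def succeeded(rec: dict) -> bool:
    """Only successful sign-ins can complete the consent grant."""
    return rec.get("status", {}).get("errorCode", 0) == 0


def baseline_from_history(records: Iterable[dict], before: str) -> set[str]:
    """Users with a successful Azure CLI sign-in before the cutoff.

    Timestamps are compared as strings; this is correct only because all
    records share the same ISO-8601 UTC ('Z') format.
    """
    return {
        rec["userPrincipalName"].lower()
        for rec in records
        if is_azure_cli(rec) and succeeded(rec)
        and rec["createdDateTime"] < before
    }


def find_unusual_cli_signins(records: Iterable[dict],
                             expected_cli_users: set[str]) -> list[dict]:
    """Return successful Azure CLI sign-ins by users outside the baseline."""
    alerts = []
    for rec in records:
        if not (is_azure_cli(rec) and succeeded(rec)):
            continue
        upn = rec["userPrincipalName"].lower()
        if upn in expected_cli_users:
            continue
        alerts.append({
            "user": upn,
            "time": rec["createdDateTime"],
            "client": rec.get("clientAppUsed"),
        })
    return alerts


if __name__ == "__main__":
    recs = parse_signins(SAMPLE_SIGNINS)
    # Treat everything before the start of the review window as history.
    known = baseline_from_history(recs, "2025-12-01T09:00:00Z")
    for alert in find_unusual_cli_signins(recs, known):
        print(f"ALERT unusual Azure CLI sign-in: {alert}")
```

In practice the baseline would come from a longer history window or an allow-list of administrative accounts, and each alert should be followed by a review of the OAuth consent granted in the same session, since a legitimate first-time `az login` and a ConsentFix grant look identical at the sign-in layer.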
For more details and security recommendations, check out the full research report on the Push Security blog or visit their booth at Black Hat Europe in London.
About Push Security
Push Security offers real-time detection and response, focusing on the browser layer where users and attackers operate. By deploying a powerful agent inside the browser, Push provides defenders with full visibility and the tools to investigate threats quickly. Backed by notable investors, Push was founded by former red team members skilled in offensive security and security operations.