ConsentFix v3: Automated OAuth Abuse Targets Azure

ConsentFix v3 automates OAuth phishing against Azure, bypassing MFA using Pipedream pipelines. Here's how the attack works and what developers must do now.
A new OAuth phishing technique called ConsentFix v3 is circulating on hacker forums, targeting Microsoft Azure environments with a fully automated attack pipeline. Unlike earlier versions that required victims to manually paste authorization codes, v3 wires the entire exploitation chain through serverless automation, making it faster, scalable, and harder to detect through traditional means.
The attack matters because it bypasses multi-factor authentication entirely. No password is needed. No MFA prompt is triggered. If a victim completes the OAuth flow and the attacker captures the authorization code, it is game over.
How ConsentFix v3 Exploits the OAuth2 Authorization Code Flow
The attack abuses a legitimate behavior in Microsoft's OAuth2 authorization code flow. When a user authenticates through Azure CLI or a first-party Microsoft app, the authorization code is delivered to a localhost redirect URI. That code can then be exchanged for access and refresh tokens.
Earlier ConsentFix versions tricked victims into manually copying or dragging that localhost URL back into a phishing page. Version 3 replaces the manual step with a Pipedream webhook that receives the URL automatically, exchanges it for tokens via Microsoft's API, and delivers those tokens to the attacker in real time.
Pipedream, a free serverless integration platform, handles three functions here. It acts as the webhook endpoint that catches the authorization code, the automation engine that exchanges that code for a refresh token, and the collection point that makes tokens available to the attacker immediately.
The Full Attack Chain: Recon to Post-Exploitation
The operation starts with verifying Azure tenancy by checking for valid tenant IDs, then scraping employee names, roles, and email addresses for impersonation. Attackers set up accounts across Outlook, Tutanota, Cloudflare, DocSend, Hunter.io, and Pipedream to support phishing, hosting, and exfiltration.
A phishing page hosted on Cloudflare Pages mimics a legitimate Microsoft login interface. It initiates a real OAuth flow through Microsoft's own endpoint, which adds credibility. When the victim interacts with the page, they get redirected to a localhost URL containing the authorization code. The page captures that URL and forwards it to the Pipedream webhook automatically.
Phishing emails are personalized from harvested data and embed malicious links inside PDFs hosted on DocSend. The PDF wrapper improves deliverability and bypasses many spam filters.
Post-exploitation happens through Specter Portal, a tool that imports the captured tokens and lets attackers browse compromised Microsoft environments, accessing email, files, and any service tied to the account.
Which Developers and Admins Are Actually at Risk
Any Azure tenant relying on first-party Microsoft apps for authentication is potentially exposed. ConsentFix v3 targets pre-trusted, pre-consented applications, which means standard app permission reviews will not flag anything unusual.
The core problem is architectural. Microsoft's Family of Client IDs (FOCI) allows certain first-party apps to share refresh tokens. That design is useful for usability but creates a large blast radius when one token is captured. Attackers can pivot across multiple Microsoft services using a single compromised refresh token.
How to Reduce Exposure to ConsentFix Attacks
Admins should apply token binding so that tokens are tied to specific trusted devices and cannot be reused on attacker infrastructure. Behavioral detection rules that flag unusual token exchange patterns or logins from unexpected IP ranges will help catch exploitation after the fact.
App authentication restrictions can limit which applications are permitted to request tokens in your tenant. Reviewing and tightening these settings reduces the attack surface significantly.
For developers building on Azure, check your OAuth redirect URI configurations. Localhost redirect URIs should not be valid in production flows. Scan your web applications for exposed OAuth callback endpoints using VibeWShield's automated scanner to identify misconfigurations before attackers do.
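One way to turn that redirect URI check into a repeatable audit, as an added example that is not code from the original article or from any vendor mentioned in it: the script below walks an app registration manifest and flags web redirect URIs that point at a loopback host (localhost, 127.0.0.0/8, ::1) or use cleartext http. It assumes the manifest shape exported by the Azure portal, where web redirect URIs are listed under replyUrlsWithType as url/type pairs; the sample manifest is constructed, and the appId is a placeholder.

```python
"""Audit an Entra ID / Azure AD app registration manifest for risky redirect URIs.

Added example, not part of the original article. Assumes the portal manifest
layout ("replyUrlsWithType": [{"url": ..., "type": ...}]); the manifest below
is constructed for illustration and the appId is a placeholder.
"""
import ipaddress
from urllib.parse import urlparse

# Constructed sample manifest, not exported from any real tenant.
SAMPLE_MANIFEST = {
    "appId": "00000000-0000-0000-0000-000000000000",  # placeholder
    "displayName": "example-prod-web",
    "replyUrlsWithType": [
        {"url": "https://app.example.com/signin-oidc", "type": "Web"},
        {"url": "http://localhost:8400/callback", "type": "Web"},
        {"url": "https://127.0.0.1:5001/callback", "type": "Web"},
        {"url": "http://app.example.com/legacy", "type": "Web"},
        {"url": "myapp://auth", "type": "InstalledClient"},
    ],
}

LOOPBACK_HOSTS = {"localhost", "localhost.localdomain"}


def _is_loopback(host: str) -> bool:
    """True for localhost names and loopback IP literals (127.0.0.0/8, ::1)."""
    if host.lower() in LOOPBACK_HOSTS:
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False


def classify_redirect_uri(url: str, platform: str = "Web") -> list[str]:
    """Return the findings for one redirect URI; an empty list means clean."""
    findings = []
    parsed = urlparse(url)
    host = parsed.hostname or ""  # urlparse strips IPv6 brackets and lowercases
    if platform == "Web":
        if _is_loopback(host):
            # An authorization code delivered to a loopback URI is visible to
            # whatever page or script is driving the browser, which is exactly
            # the hand-off ConsentFix relies on; it has no place in production.
            findings.append("loopback-redirect")
        elif parsed.scheme == "http":
            findings.append("cleartext-http")
    return findings


def audit_manifest(manifest: dict) -> dict[str, list[str]]:
    """Map each risky redirect URI in the manifest to its list of findings."""
    results = {}
    for entry in manifest.get("replyUrlsWithType", []):
        findings = classify_redirect_uri(entry["url"], entry.get("type", "Web"))
        if findings:
            results[entry["url"]] = findings
    return results


if __name__ == "__main__":
    for url, findings in audit_manifest(SAMPLE_MANIFEST).items():
        print(f"{url}: {', '.join(findings)}")
```

Only the Web platform is checked because loopback redirects are the documented pattern for installed and CLI clients; the point of the audit is to catch them leaking into registrations that serve production web flows.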
For broader context on OAuth phishing trends, see our breakdown of device code phishing attacks.
FAQ
Does ConsentFix v3 work even if MFA is enabled? Yes. The attack captures an OAuth authorization code during a legitimate login flow the victim completes themselves. MFA is satisfied by the victim, and the attacker exchanges the code for tokens without needing credentials or a second factor.
Which Microsoft applications are most at risk? First-party Microsoft apps that are pre-consented in the tenant are the primary target. Apps participating in FOCI are especially valuable because a single captured token can unlock multiple services.
How do I know if my Azure environment has already been compromised? Look for refresh token exchanges originating from unexpected IP addresses or geographies in your Azure AD sign-in logs. Unusual app consent activity and token issuance outside normal business hours are also indicators worth investigating.
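The behavioral detection described in the mitigation section and the sign-in log review described in this answer can be expressed as one rule set. The script below is an added example, not code from the original article: it builds a per-user baseline of countries seen in interactive (MFA-completed) sign-ins and then flags non-interactive sign-ins, which is where refresh token redemptions surface, when they come from a country outside that baseline, from an IP outside the tenant's trusted ranges, or outside business hours. Field names follow the Microsoft Graph signIn resource (createdDateTime, userPrincipalName, ipAddress, location.countryOrRegion, isInteractive); the sample records are constructed, and the trusted network and business-hours window stand in for real tenant policy.

```python
"""Flag suspicious token activity in Entra ID (Azure AD) sign-in records.

Added example, not from the original article. Field names follow the Microsoft
Graph signIn resource; the records, trusted network and business-hours window
below are constructed/assumed and should be replaced with tenant data.
"""
import ipaddress
from datetime import datetime, timezone

# Assumed tenant policy: corporate egress range (TEST-NET-3, constructed) and a
# 07:00-19:00 UTC workday.
TRUSTED_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]
BUSINESS_HOURS_UTC = (7, 19)

# Constructed sample records. The victim's own interactive logon is first; the
# later non-interactive entries model token refreshes from elsewhere.
SAMPLE_SIGNINS = [
    {"createdDateTime": "2024-05-06T08:12:00Z", "userPrincipalName": "amy@example.com",
     "appDisplayName": "Microsoft Office", "ipAddress": "203.0.113.17",
     "location": {"countryOrRegion": "US"}, "isInteractive": True},
    {"createdDateTime": "2024-05-06T08:13:30Z", "userPrincipalName": "amy@example.com",
     "appDisplayName": "Microsoft Office", "ipAddress": "203.0.113.17",
     "location": {"countryOrRegion": "US"}, "isInteractive": False},
    {"createdDateTime": "2024-05-06T08:15:10Z", "userPrincipalName": "amy@example.com",
     "appDisplayName": "Microsoft Azure CLI", "ipAddress": "198.51.100.44",
     "location": {"countryOrRegion": "NL"}, "isInteractive": False},
    {"createdDateTime": "2024-05-07T02:41:00Z", "userPrincipalName": "amy@example.com",
     "appDisplayName": "Microsoft Azure CLI", "ipAddress": "198.51.100.44",
     "location": {"countryOrRegion": "NL"}, "isInteractive": False},
]


def _in_trusted_network(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_NETWORKS)


def _outside_business_hours(ts: str) -> bool:
    """True when the UTC hour of an ISO-8601 timestamp falls outside the workday."""
    hour = datetime.fromisoformat(ts.replace("Z", "+00:00")).astimezone(timezone.utc).hour
    start, end = BUSINESS_HOURS_UTC
    return not (start <= hour < end)


def interactive_baseline(signins):
    """Per-user set of countries seen in interactive sign-ins (the MFA-satisfied logons)."""
    baseline = {}
    for s in signins:
        if s.get("isInteractive"):
            baseline.setdefault(s["userPrincipalName"], set()).add(
                s.get("location", {}).get("countryOrRegion"))
    return baseline


def detect_suspicious_token_activity(signins):
    """Return (record, reasons) pairs for non-interactive sign-ins that deviate from
    the user's interactive baseline, the trusted networks, or business hours."""
    baseline = interactive_baseline(signins)
    hits = []
    for s in signins:
        if s.get("isInteractive"):
            continue  # the victim's own MFA-completed logon looks legitimate by design
        reasons = []
        country = s.get("location", {}).get("countryOrRegion")
        if country not in baseline.get(s["userPrincipalName"], set()):
            reasons.append("country-not-in-interactive-baseline")
        if not _in_trusted_network(s["ipAddress"]):
            reasons.append("untrusted-ip-range")
        if _outside_business_hours(s["createdDateTime"]):
            reasons.append("outside-business-hours")
        if reasons:
            hits.append((s, reasons))
    return hits


if __name__ == "__main__":
    for record, reasons in detect_suspicious_token_activity(SAMPLE_SIGNINS):
        print(record["createdDateTime"], record["appDisplayName"],
              record["ipAddress"], ", ".join(reasons))
```

The interactive baseline is the key design choice: because the victim completes MFA themselves, the interactive entry is indistinguishable from a normal logon, so the signal lives in the gap between where the user authenticated and where the resulting tokens are subsequently redeemed.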
Run an automated scan of your OAuth flows and Azure-connected web apps at VibeWShield.