ConsentFix debrief: Insights from the new OAuth phishing attack

Parkinsond

Dec 6, 2023
In December, the Push Security research team discovered and blocked a brand new attack technique that we coined ConsentFix.
This technique merged ClickFix-style social engineering with OAuth consent phishing to hijack Microsoft accounts.

ConsentFix is an attack technique that prompts the victim to share an OAuth authorization code with an attacker via a phishing page.
The attacker then enters this code into a target application on their own device in order to complete the authorization handshake and take over the account.

By hijacking OAuth, attackers can effectively bypass identity-layer controls like passwords and MFA — even phishing resistant authentication methods like passkeys have no impact on this attack, because it sidesteps the authentication process altogether.

Targeted First-Party Applications (IOCs)
The attack specifically targets apps that often have Conditional Access exclusions or are pre-consented in tenants.

Microsoft Azure CLI
04b07795-8ddb-461a-bbee-02f9e1bf7b46

Microsoft Azure PowerShell
1950a258-227b-4e31-a9cf-717495945fc2

Microsoft Teams
1fec8e78-bce4-4aaf-ab1b-5451cc387264

Microsoft Whiteboard Client
57336123-6e14-4acc-8dcf-287b6088aa28

Microsoft Flow Mobile
57fcbcfa-7cee-4eb1-8b25-12d2030b4ee0

Enterprise Roaming and Backup
60c8bde5-3167-4f92-8fdb-059f6176dc0

Visual Studio
872cd9fa-d31f-45e0-9eab-6e460a02d1f1

Aadrm Admin Powershell
90f610bf-206d-4950-b61d-37fa6fd1b224

SharePoint Online Mgmt Shell
9bc3ab49-b65d-410a-85ad-de819febfddc

Power Query for Excel
a672d62c-fc7b-4e81-a576-e60dc46e951d

Visual Studio Code
aebc6443-996d-45c2-90f0-388ff96faa56

Mitigation & Hunting Strategies
Enable Deprecated Logging
This specific attack vector leverages legacy scopes that may fall outside default logging configurations. You must ensure logging for AADGraphActivityLogs is enabled to capture relevant telemetry.

Threat Hunting
Query your SIEM or Microsoft Sentinel logs for the Application IDs listed above. Additionally, filter for the following Resource IDs associated with the attack.

Windows Azure Active Directory
00000002-0000-0000-c000-000000000000

Microsoft Intune Checkin
26a4ae64-5862-427f-a9b0-044e62572a4f

Hardening Service Principals
To reduce the attack surface, create Service Principals for the vulnerable first-party applications listed above and explicitly restrict which users are authorized to access them. This prevents arbitrary users from generating tokens for these high-privilege apps.

Conditional Access Policies
Review your Conditional Access policies for exclusions related to command-line tools.

Action
Block access to CLI tools (Azure CLI, PowerShell) by default.

Exception
Create specific exclusions only for authorized admins or user groups that require these tools for their daily workflow.

Browser Telemetry
Since the attack executes within the browser context (client-side), standard network logs may miss the initial "human verification" interaction. Deploy browser-based detection tools capable of inspecting the DOM for the specific localhost redirect patterns or suspicious copy-paste events associated with the authorization code.
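The hunting step above (match the listed Application IDs against the listed Resource IDs, with the Conditional Access exception group as the only expected source of such sign-ins) can be prototyped offline. This is an added Python example, not code from the post or from Push Security; it runs over constructed SigninLogs-style records and assumes the keys AppId, ResourceId, UserPrincipalName and IPAddress, and uses only a subset of the IDs quoted in the post.

```python
# Application IDs quoted in the post (subset; extend with the full list above).
TARGETED_APP_IDS = {
    "04b07795-8ddb-461a-bbee-02f9e1bf7b46": "Microsoft Azure CLI",
    "1950a258-227b-4e31-a9cf-717495945fc2": "Microsoft Azure PowerShell",
    "aebc6443-996d-45c2-90f0-388ff96faa56": "Visual Studio Code",
    "1fec8e78-bce4-4aaf-ab1b-5451cc387264": "Microsoft Teams",
}
# Resource IDs quoted in the post.
TARGETED_RESOURCE_IDS = {
    "00000002-0000-0000-c000-000000000000": "Windows Azure Active Directory",
    "26a4ae64-5862-427f-a9b0-044e62572a4f": "Microsoft Intune Checkin",
}

def hunt_consentfix(records, authorized_cli_users):
    """Return one finding per sign-in whose client app AND requested resource
    are both on the targeted lists. records: dicts with SigninLogs-style keys
    (assumed: AppId, ResourceId, UserPrincipalName, IPAddress). Hits from
    authorized_cli_users (the Conditional Access exception group) are low."""
    findings = []
    for rec in records:
        app = TARGETED_APP_IDS.get(rec.get("AppId", "").lower())
        res = TARGETED_RESOURCE_IDS.get(rec.get("ResourceId", "").lower())
        if app is None or res is None:
            continue  # not the targeted app/resource pair
        user = rec.get("UserPrincipalName", "").lower()
        severity = "low" if user in authorized_cli_users else "high"
        findings.append({"user": user, "ip": rec.get("IPAddress"),
                         "app": app, "resource": res, "severity": severity})
    return findings

# Constructed sample records (not real telemetry).
SAMPLE_RECORDS = [
    {"UserPrincipalName": "finance.user@example.com", "IPAddress": "203.0.113.7",
     "AppId": "04b07795-8ddb-461a-bbee-02f9e1bf7b46",
     "ResourceId": "00000002-0000-0000-c000-000000000000"},
    {"UserPrincipalName": "cloud.admin@example.com", "IPAddress": "198.51.100.2",
     "AppId": "1950a258-227b-4e31-a9cf-717495945fc2",
     "ResourceId": "26a4ae64-5862-427f-a9b0-044e62572a4f"},
    {"UserPrincipalName": "finance.user@example.com", "IPAddress": "203.0.113.7",
     "AppId": "aebc6443-996d-45c2-90f0-388ff96faa56",
     "ResourceId": "00000003-0000-0000-c000-000000000000"},  # Microsoft Graph: not listed
]
AUTHORIZED_CLI_USERS = {"cloud.admin@example.com"}

if __name__ == "__main__":
    for finding in hunt_consentfix(SAMPLE_RECORDS, AUTHORIZED_CLI_USERS):
        print(finding)
```

The third record shows why both halves of the pair matter: a listed client ID alone (here VS Code against Microsoft Graph) is everyday traffic and is not reported.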
As a consumer, I always thought that bouncing around (through redirections) and passing information via URLs for Microsoft authentication is so antiquated and appears to be prone to failures. It does bring back memories (😂) of the early IIS servers. Google authentication is much more streamlined and pleasant.

I suppose allowing OAuth's path to end up with a local server URL serves some local app functions; now it serves as an attack path as well.