
New ConsentFix v3 attack automates Microsoft Azure account hijacking


A new attack technique dubbed ConsentFix v3 has emerged, automating the hijacking of Microsoft Azure accounts through a sophisticated phishing scheme. This latest iteration builds upon previous versions by incorporating enhanced automation and scalability to bypass security measures. The attack leverages social engineering and abuse of the OAuth2 authorization code flow to gain unauthorized access to user accounts, according to a recent report by Bleeping Computer.

ConsentFix v3 targets Microsoft Azure environments by first identifying valid tenant IDs and gathering employee details for impersonation. Attackers then create multiple accounts across various services to facilitate phishing, data gathering, and exfiltration. A key component is the use of Pipedream, a serverless integration platform, which acts as a webhook endpoint to receive authorization codes, an automation engine to exchange codes for refresh tokens, and a collector for captured tokens.

The attack involves a phishing page hosted on Cloudflare Pages that mimics a legitimate Microsoft/Azure interface and redirects victims to a localhost URL carrying an OAuth authorization code. The victim is then led to paste or drag that URL back into the phishing page, which forwards the code to the attacker's infrastructure, where it is exchanged for tokens. Those tokens are subsequently used to access the compromised Microsoft environment, including email and files. While the full impact is still being assessed, mitigation strategies include applying token binding, setting up behavioral detection rules, and restricting app authentication. It remains unclear whether the v3 variant has seen widespread adoption by cybercriminals.
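The mitigations above mention behavioral detection rules. As an added example, not from the article or the Bleeping Computer report, the Python below correlates constructed sign-in events (the event schema is hypothetical and mirrors no specific Microsoft log format): an authorization code handed to a victim's browser via a loopback redirect but redeemed seconds later from a different IP is the relay pattern the article describes, while an ordinary CLI sign-in and a web app's server-side redemption are left alone.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from ipaddress import ip_address
from urllib.parse import urlparse


@dataclass
class AuthEvent:
    """Constructed, hypothetical event record; not a real Entra log schema."""
    ts: datetime
    user: str
    kind: str            # "code_issued" or "code_redeemed"
    src_ip: str
    redirect_uri: str = ""   # only meaningful for code_issued


def is_loopback_redirect(uri: str) -> bool:
    """True for localhost / 127.0.0.1 / ::1 redirect URIs used by public clients."""
    host = urlparse(uri).hostname or ""
    if host == "localhost":
        return True
    try:
        return ip_address(host).is_loopback
    except ValueError:
        return False


def find_relayed_codes(events, window=timedelta(minutes=10)):
    """Flag redemptions where a code issued to a loopback redirect URI is redeemed
    from a different source IP than the browser it was issued to, within `window`.
    Returns (user, issue_ip, redeem_ip) tuples."""
    pending = {}    # user -> most recent loopback-redirect issuance
    flagged = []
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.kind == "code_issued" and is_loopback_redirect(ev.redirect_uri):
            pending[ev.user] = ev
        elif ev.kind == "code_redeemed":
            issued = pending.pop(ev.user, None)
            if issued and ev.ts - issued.ts <= window and ev.src_ip != issued.src_ip:
                flagged.append((ev.user, issued.src_ip, ev.src_ip))
    return flagged


T0 = datetime(2024, 1, 1, 10, 0, 0)   # constructed timestamps, documentation IPs
SAMPLE_EVENTS = [
    # Victim's browser lands on localhost with the code; code redeemed elsewhere.
    AuthEvent(T0, "alice", "code_issued", "203.0.113.10", "http://localhost:8400/"),
    AuthEvent(T0 + timedelta(seconds=8), "alice", "code_redeemed", "198.51.100.7"),
    # Ordinary CLI sign-in: issuance and redemption from the same device.
    AuthEvent(T0 + timedelta(minutes=1), "bob", "code_issued", "192.0.2.5", "http://127.0.0.1:53682/"),
    AuthEvent(T0 + timedelta(minutes=1, seconds=2), "bob", "code_redeemed", "192.0.2.5"),
    # Web app: server-side redemption from another IP is expected, so not flagged.
    AuthEvent(T0 + timedelta(minutes=2), "carol", "code_issued", "192.0.2.9", "https://app.example.com/callback"),
    AuthEvent(T0 + timedelta(minutes=2, seconds=1), "carol", "code_redeemed", "198.51.100.20"),
]

if __name__ == "__main__":
    for user, issue_ip, redeem_ip in find_relayed_codes(SAMPLE_EVENTS):
        print(f"{user}: code issued to {issue_ip} was redeemed from {redeem_ip}")
```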

Source: Bleeping Computer
