Automated OAuth abuse via ConsentFix v3 targets Microsoft Azure environments
Summary
A new attack technique dubbed ConsentFix v3 automates OAuth2 authorization code abuse to compromise Microsoft Azure accounts despite multi-factor authentication (MFA). The attack leverages social engineering to trick victims into pasting or dragging a localhost URL containing an OAuth authorization code into a phishing interface, which is then automatically exchanged for tokens via Microsoft's API. The technique targets first-party Microsoft apps with pre-trusted consent and employs automation tools like Pipedream for real-time token collection, enabling attackers to access compromised accounts and associated resources. The campaign involves reconnaissance, impersonation, phishing hosting, and data exfiltration, with token access potentially granting control over email, files, and other services within the tenant.
Timeline
- 02.05.2026 17:32 · 1 article
ConsentFix v3 automates OAuth token theft for Microsoft Azure compromise
A new variant of ConsentFix leverages automated OAuth2 authorization code abuse to target Microsoft Azure environments. The attack flow includes tenant validation, employee reconnaissance, and multi-service account creation for phishing and exfiltration. Automation via Pipedream enables real-time token collection by capturing victim authorization codes and exchanging them for refresh tokens, which are then used to access compromised accounts and associated resources.
- ConsentFix v3 attacks target Azure with automated OAuth abuse — www.bleepingcomputer.com — 02.05.2026 17:32
Information Snippets
- ConsentFix v3 automates the exploitation of Microsoft Azure OAuth2 authorization code flow, enabling account takeovers even when MFA is enabled.
First reported: 02.05.2026 17:32 · 1 source, 1 article
- ConsentFix v3 attacks target Azure with automated OAuth abuse — www.bleepingcomputer.com — 02.05.2026 17:32
- The attack begins with tenant ID validation and employee reconnaissance to support impersonation and phishing operations.
- Attackers create multiple accounts across services such as Outlook, Tutanota, Cloudflare, DocSend, Hunter.io, and Pipedream for phishing, hosting, and exfiltration purposes.
- Pipedream serves as the webhook endpoint for receiving victim authorization codes, the automation engine for exchanging codes for refresh tokens, and the real-time collector for captured tokens.
- A phishing page hosted on Cloudflare Pages mimics legitimate Microsoft/Azure interfaces and initiates a real OAuth flow, redirecting victims to a localhost URL containing an OAuth authorization code.
- Victims are tricked into pasting or dragging the localhost URL back into the phishing interface, enabling immediate token exchange and data exfiltration pipelines.
- Phishing emails may be personalized using harvested data and include malicious links embedded in PDFs hosted on DocSend to bypass spam filters and improve credibility.
- Post-exploitation involves importing obtained tokens into Specter Portal to interact with compromised Microsoft environments and access permitted resources such as email and files.
- Mitigation challenges stem from architectural trust in first-party Microsoft apps and the use of Family of Client IDs (FOCI), which share permissions and refresh tokens across applications.
- Administrative mitigations include applying token binding to trusted devices, setting up behavioral detection rules, and enforcing app authentication restrictions.
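
One way to express a behavioral detection rule for the paste-back step described in the snippets above, as an added example that is not from the cited article or from Microsoft: it scans outbound web-proxy records for a loopback redirect URL carrying an OAuth `code` parameter that is being sent to a non-loopback host. The record fields (`user`, `dest_host`, `url`, `body`), the host names and the sample values are constructed assumptions.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

LOOPBACK_HOSTS = {"localhost", "127.0.0.1", "::1"}
# Lookahead so a URL nested inside another URL's query is also examined.
URL_RE = re.compile(r"(?=(https?://[^\s\"'<>]+))", re.IGNORECASE)

def loopback_code_urls(text, max_decode=2):
    """Return redacted loopback URLs in `text` that carry an OAuth `code` parameter."""
    hits = []
    for _ in range(max_decode + 1):
        for candidate in URL_RE.findall(text):
            try:
                parts = urlsplit(candidate)
                host = (parts.hostname or "").lower()
            except ValueError:  # malformed bracketed host
                continue
            if host in LOOPBACK_HOSTS and "code" in parse_qs(parts.query):
                # Drop the query so the authorization code is not copied into alerts.
                redacted = f"{parts.scheme}://{parts.netloc}{parts.path}?code=<redacted>"
                if redacted not in hits:
                    hits.append(redacted)
        decoded = unquote(text)  # pasted URLs usually arrive form-encoded
        if decoded == text:
            break
        text = decoded
    return hits

def flag_events(events):
    """Flag requests sent to a non-loopback host that contain such a URL."""
    alerts = []
    for ev in events:
        if ev["dest_host"].lower() in LOOPBACK_HOSTS:
            continue  # the redirect itself lands on the user's own machine
        hits = loopback_code_urls(ev.get("url", "") + "\n" + ev.get("body", ""))
        if hits:
            alerts.append({"user": ev["user"], "dest_host": ev["dest_host"], "urls": hits})
    return alerts

# Constructed proxy records; field names and hosts are hypothetical.
SAMPLE_EVENTS = [
    {"user": "alice", "dest_host": "localhost",
     "url": "http://localhost:8400/?code=CONSTRUCTED&state=s1", "body": ""},
    {"user": "alice", "dest_host": "pages.example", "url": "https://pages.example/submit",
     "body": "u=http%3A%2F%2Flocalhost%3A8400%2F%3Fcode%3DCONSTRUCTED%26state%3Ds1"},
    {"user": "bob", "dest_host": "intranet.example", "url": "https://intranet.example/wiki",
     "body": '{"note": "dev server at http://localhost:3000/health"}'},
]

if __name__ == "__main__":
    for alert in flag_events(SAMPLE_EVENTS):
        print(alert)
```

The rule only sees request bodies where the proxy has visibility into decrypted traffic, so a hit is a lead to correlate with the user's sign-in activity rather than a verdict.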