ConsentFix v3 is an automated, scalable evolution of OAuth authorization-code phishing that abuses pre-consented Microsoft first‑party apps to harvest tokens and hijack Azure accounts. Attackers combine tenant discovery, targeted reconnaissance, Cloudflare Pages phishing, and Pipedream automation to immediately exchange authorization codes for refresh tokens and enable post‑exploitation via tools like Specter Portal. #ConsentFixv3 #MicrosoftAzure
Key points
- ConsentFix v3 automates OAuth authorization-code phishing against Microsoft Azure and pre‑trusted first‑party apps.
- Attackers verify tenant IDs and harvest employee names, roles, and emails to create highly personalized spear‑phishing.
- Pipedream serves as the webhook endpoint, as the automation engine that exchanges authorization codes for refresh tokens, and as the central token collector.
- Phishing pages hosted on Cloudflare Pages initiate real Microsoft login flows and use DocSend PDFs to improve credibility and bypass filters.
- Captured tokens are imported into Specter Portal to access email, files, and other resources; mitigations include token binding, behavioral detections, and app authentication restrictions.
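As an added defender-side illustration of the authorization-code phishing pattern described above (this is example code, not from the article or from any tool it names), the following triages OAuth authorize links pulled from mail or proxy logs and flags those that would deliver the authorization code to a redirect host outside a trusted set. It assumes the analyst fills `TRUSTED_REDIRECT_HOSTS` from the app's registered redirect URIs; the sample URLs are constructed.

```python
"""Triage Microsoft identity platform authorize links for authorization-code
phishing. Added example: TRUSTED_REDIRECT_HOSTS is a placeholder to be filled
from the first-party app's registered redirect URIs; sample URLs are constructed."""
from urllib.parse import urlparse, parse_qs

MS_AUTHORIZE_HOST = "login.microsoftonline.com"  # Microsoft identity platform
# Placeholder allow-list of hosts a legitimate sign-in flow may redirect back to.
TRUSTED_REDIRECT_HOSTS = {"localhost", "login.microsoftonline.com"}


def triage_authorize_url(url: str, trusted_hosts=TRUSTED_REDIRECT_HOSTS) -> dict:
    """Return the indicators an analyst checks on one link, plus a verdict."""
    u = urlparse(url)
    q = {k: v[0] for k, v in parse_qs(u.query).items()}
    is_authorize = (u.hostname == MS_AUTHORIZE_HOST
                    and u.path.endswith(("/oauth2/v2.0/authorize", "/oauth2/authorize")))
    redirect_host = urlparse(q.get("redirect_uri", "")).hostname or ""
    scopes = set(q.get("scope", "").split())
    f = {
        "is_authorize_url": is_authorize,
        "response_type": q.get("response_type", ""),
        "client_id": q.get("client_id", ""),
        "redirect_host": redirect_host,
        "redirect_trusted": redirect_host in trusted_hosts,
        # offline_access is what turns a redeemed code into a long-lived refresh token
        "wants_refresh_token": "offline_access" in scopes,
        "reasons": [],
    }
    if not is_authorize:
        f["verdict"] = "not_authorize_url"
        return f
    code_to_untrusted = f["response_type"] == "code" and not f["redirect_trusted"]
    if code_to_untrusted:
        f["reasons"].append(f"authorization code would be sent to untrusted host '{redirect_host}'")
    if f["wants_refresh_token"]:
        f["reasons"].append("offline_access requested, so the redeemed code yields a refresh token")
    # offline_access alone is normal for many apps; the untrusted code recipient is the signal.
    f["verdict"] = "suspicious" if code_to_untrusted else "benign"
    return f


def suspicious_links(urls):
    """Reduce a batch of extracted links to the ones worth an analyst's attention."""
    return [u for u in urls if triage_authorize_url(u)["verdict"] == "suspicious"]
```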