New ConsentFix attack hijacks Microsoft accounts via Azure CLI

A new variation of the ClickFix attack called ‘ConsentFix’ exploits the Azure CLI OAuth app to hijack Microsoft accounts without passwords or MFA. It manipulates users through sophisticated phishing webpages to steal OAuth authorization codes, granting attackers full account access. #ClickFix #ConsentFix #AzureCLI #OAuth2 #MicrosoftAccounts

Keypoints

  • The ConsentFix attack uses social engineering to hijack Microsoft accounts via OAuth authorization codes.
  • Attackers trick victims into authenticating through a fake Microsoft login page that steals OAuth codes.
  • Once the OAuth code is captured, attackers can access accounts without passwords or MFA verification.
  • The attack begins on compromised websites with Google-ranking fraud pages and targeted email collection.
  • Defenders should monitor for unusual Azure CLI login activity and legacy Graph scopes for detection.
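
One way to turn the last key point into a triage check, as an added example that is not from the original article: it flags Azure CLI sign-ins by users with no Azure CLI baseline, sign-ins that request a legacy Graph resource, and sign-ins from a source IP not seen before for that user. Assumptions: the records are constructed and use a subset of Entra ID sign-in log field names, "legacy Graph" is read as Azure AD Graph, and the function name and baseline set are hypothetical.

```python
from collections import defaultdict

# Public client ID of the Microsoft Azure CLI first-party application.
AZURE_CLI_APP_ID = "04b07795-8ddb-461a-bbee-02f9e1bf7b46"
# Assumption: "legacy Graph" is read as Azure AD Graph, which sign-in logs
# list under this resource display name.
LEGACY_GRAPH_RESOURCE = "Windows Azure Active Directory"
OTHER_APP_ID = "00000000-0000-0000-0000-000000000001"  # constructed placeholder

def _rec(ts, user, app_id, resource, ip):
    """Build one record with a subset of Entra ID sign-in log field names."""
    return {"createdDateTime": ts, "userPrincipalName": user, "appId": app_id,
            "resourceDisplayName": resource, "ipAddress": ip}

# Constructed sample data (documentation domains and IP ranges).
SAMPLE_SIGNINS = [
    _rec("2025-01-06T09:12:00Z", "admin@example.com", AZURE_CLI_APP_ID, "Azure Resource Manager", "198.51.100.10"),
    _rec("2025-01-06T10:03:00Z", "alice@example.com", OTHER_APP_ID, "Microsoft Graph", "198.51.100.22"),
    _rec("2025-01-06T11:40:00Z", "bob@example.com", AZURE_CLI_APP_ID, LEGACY_GRAPH_RESOURCE, "203.0.113.50"),
    _rec("2025-01-06T13:05:00Z", "admin@example.com", AZURE_CLI_APP_ID, "Azure Resource Manager", "203.0.113.77"),
]

def flag_azure_cli_signins(signins, baseline_users):
    """Return (timestamp, user, reasons) for Azure CLI sign-ins to review.

    baseline_users: accounts already known to use Azure CLI legitimately.
    """
    findings = []
    ips_seen = defaultdict(set)  # per-user source IPs seen for Azure CLI
    for rec in sorted(signins, key=lambda r: r["createdDateTime"]):
        if rec["appId"] != AZURE_CLI_APP_ID:
            continue  # only Azure CLI sign-ins are in scope
        user, ip = rec["userPrincipalName"], rec["ipAddress"]
        reasons = []
        if user not in baseline_users:
            reasons.append("user has no Azure CLI baseline")
        if rec["resourceDisplayName"] == LEGACY_GRAPH_RESOURCE:
            reasons.append("legacy Graph resource requested")
        if ips_seen[user] and ip not in ips_seen[user]:
            reasons.append("new source IP for Azure CLI")
        ips_seen[user].add(ip)
        if reasons:
            findings.append((rec["createdDateTime"], user, reasons))
    return findings

if __name__ == "__main__":
    for ts, user, reasons in flag_azure_cli_signins(SAMPLE_SIGNINS, {"admin@example.com"}):
        print(ts, user, "; ".join(reasons))
```

In a real tenant the baseline set would come from a look-back over historical sign-in logs rather than a hard-coded list.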

Read More: https://www.bleepingcomputer.com/news/security/new-consentfix-attack-hijacks-microsoft-accounts-via-azure-cli/