ConsentFix v3 Automates OAuth Abuse to Bypass MFA and Hijack Azure Accounts


What happened

A third iteration of the ConsentFix attack technique has been circulating on hacker forums, introducing automation and scalability to a method that abuses Microsoft Azure’s OAuth2 authorization code flow to hijack accounts without passwords and despite multi-factor authentication being enabled.

The original ConsentFix was documented by Push Security in December 2025 as an OAuth phishing technique that tricks victims into pasting a localhost URL containing an OAuth authorization code into an attacker-controlled page. A second version replaced the copy-paste step with drag-and-drop to make the flow more convincing. ConsentFix v3 retains the core OAuth abuse approach but adds an automated backend pipeline that scales the attack and removes manual steps from the token capture process.

The attack begins with automated verification of Azure presence in the target environment through valid tenant ID checks, followed by harvesting of employee names, roles, and email addresses for impersonation. Attackers create accounts across multiple services including Outlook, Tutanota, Cloudflare, DocSend, Hunter.io, and Pipedream to support phishing, hosting, data gathering, and exfiltration. Pipedream, a free serverless integration platform, serves as the webhook endpoint that receives the victim’s OAuth authorization code, the automation engine that immediately exchanges it for a refresh token via Microsoft’s API, and the central token collector available to the attacker in real time.

The phishing page is hosted on Cloudflare Pages and mimics a legitimate Microsoft or Azure interface. When a victim interacts with it, they are redirected to a localhost URL containing an OAuth authorization code, which they are tricked into pasting or dragging back into the page. Phishing emails are personalized using harvested employee data and embed malicious links inside PDFs hosted on DocSend to improve credibility and bypass spam filters. Captured tokens are imported into Specter Portal for post-exploitation access to email, files, and other Microsoft services. Push Security noted it is not yet clear whether the v3 variant has gained significant traction among active threat actors.

Who is affected

Organizations using Microsoft Azure and Microsoft 365 are the intended targets. The technique specifically abuses first-party Microsoft applications that are pre-trusted and pre-consented within Azure tenants, meaning standard app consent controls do not block the attack. Any organization with Azure presence and employees who can be phished through personalized email campaigns is within scope.

Why CISOs should care

ConsentFix v3 bypasses MFA because it abuses a legitimate OAuth flow rather than stealing passwords. The victim completes a real Microsoft login, including any MFA challenge, and the attacker captures the resulting authorization code to obtain tokens. From the victim’s perspective, the interaction can appear entirely legitimate. Standard MFA deployment does not protect against this attack, and the automation in v3 means it can be run at scale against a targeted organization’s workforce simultaneously.

Because the attack runs entirely on legitimate platforms (Cloudflare, DocSend, Pipedream, Outlook) for hosting and infrastructure, network-level blocking of known malicious domains is not an effective defense on its own.

3 practical actions

  1. Apply token binding to restrict OAuth token use to trusted, registered devices: Token binding ties refresh tokens to specific devices, meaning a token captured through ConsentFix cannot be used from an attacker’s infrastructure even if successfully obtained. This is the most direct technical mitigation for this attack class and should be evaluated as a priority control for Azure environments.
  2. Implement behavioral detection rules for anomalous OAuth token issuance and usage: ConsentFix attacks produce detectable patterns including OAuth authorization code exchanges from unexpected IP addresses, token usage from locations inconsistent with the user’s normal behavior, and Pipedream or similar serverless platform endpoints appearing in OAuth redirect flows. Configure Azure AD sign-in and audit log alerts for these patterns.
  3. Brief employees on OAuth phishing flows that involve pasting or dragging URLs during a login process: The attack depends entirely on a victim completing a specific action after an apparently legitimate Microsoft login. Security awareness training should explicitly cover the scenario of being asked to paste, drag, or submit a localhost URL during or after a login flow, treating any such request as a red flag regardless of how legitimate the surrounding page appears.
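To make the second action concrete, the following is an added example (not code from the article, Push Security, or Microsoft) of a detection pass over constructed sign-in records. The log schema, field names, baseline data and the `pipedream.net` redirect indicator are all assumptions made for this illustration; real Entra ID sign-in and audit log fields differ and would need to be mapped onto them. The three rules mirror the patterns the article names: an authorization code redeemed from a host other than the one the user signed in from (the victim logs in, the serverless backend exchanges the code), token activity from a location outside the user's baseline, and a serverless webhook domain appearing as a redirect target.

```python
"""Toy detection pass for ConsentFix-style OAuth anomalies.

Added example, not from the original article. Log format, field names,
baseline data and indicator domains are constructed for illustration.
"""
import ipaddress
import json
from urllib.parse import urlparse

# Constructed baseline: countries and IP prefixes each user normally signs in from.
# In practice this would be learned from a trailing window of sign-in history.
BASELINE = {
    "alice@example.com": {"countries": {"GB"}, "prefixes": ["203.0.113.0/24"]},
    "bob@example.com": {"countries": {"US"}, "prefixes": ["198.51.100.0/24"]},
}

# Assumed indicator list: serverless/webhook hosting domains that have no
# legitimate reason to appear as an OAuth redirect target in this tenant.
SUSPICIOUS_REDIRECT_DOMAINS = ("pipedream.net",)

# Constructed sample events (JSON lines) in the assumed schema.
SAMPLE_LOG = """\
{"user":"alice@example.com","ts":"2026-04-01T09:00:00Z","event":"interactive_signin","ip":"203.0.113.10","country":"GB","redirect_uri":"https://localhost/"}
{"user":"alice@example.com","ts":"2026-04-01T09:00:41Z","event":"code_exchange","ip":"192.0.2.77","country":"US","redirect_uri":"https://localhost/"}
{"user":"alice@example.com","ts":"2026-04-01T09:02:00Z","event":"token_refresh","ip":"192.0.2.77","country":"US","redirect_uri":""}
{"user":"bob@example.com","ts":"2026-04-01T10:00:00Z","event":"interactive_signin","ip":"198.51.100.5","country":"US","redirect_uri":"https://app.example.com/cb"}
{"user":"bob@example.com","ts":"2026-04-01T10:00:03Z","event":"code_exchange","ip":"198.51.100.5","country":"US","redirect_uri":"https://app.example.com/cb"}
{"user":"bob@example.com","ts":"2026-04-01T11:00:00Z","event":"code_exchange","ip":"198.51.100.5","country":"US","redirect_uri":"https://abc123.m.pipedream.net/"}
"""


def _in_baseline(user, ip, country):
    """True only if both the country and the source IP match the user's baseline."""
    base = BASELINE.get(user)
    if base is None:
        return False  # unknown user: treat as outside any baseline
    addr = ipaddress.ip_address(ip)
    in_prefix = any(addr in ipaddress.ip_network(p) for p in base["prefixes"])
    return country in base["countries"] and in_prefix


def _suspicious_redirect(uri):
    """Match the redirect host against the indicator domains (exact or subdomain)."""
    host = urlparse(uri).hostname or ""
    return any(host == d or host.endswith("." + d) for d in SUSPICIOUS_REDIRECT_DOMAINS)


def analyze(log_text):
    """Return one finding per event that trips at least one rule."""
    findings = []
    last_interactive_ip = {}  # user -> IP of their most recent interactive sign-in
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        user, ip = ev["user"], ev["ip"]
        reasons = []
        if ev["event"] == "interactive_signin":
            last_interactive_ip[user] = ip
        # Rule 1: the code was redeemed from a different host than the login.
        if ev["event"] == "code_exchange":
            login_ip = last_interactive_ip.get(user)
            if login_ip is not None and login_ip != ip:
                reasons.append(f"code redeemed from {ip}, but user signed in from {login_ip}")
        # Rule 2: token issuance or use from outside the user's normal locations.
        if ev["event"] in ("code_exchange", "token_refresh") and not _in_baseline(user, ip, ev["country"]):
            reasons.append(f"token activity from {ip} ({ev['country']}) outside user baseline")
        # Rule 3: a serverless webhook endpoint appears as the redirect target.
        if ev["redirect_uri"] and _suspicious_redirect(ev["redirect_uri"]):
            reasons.append(f"redirect to serverless endpoint {ev['redirect_uri']}")
        if reasons:
            findings.append({"user": user, "ts": ev["ts"], "event": ev["event"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f["ts"], f["user"], f["event"])
        for r in f["reasons"]:
            print("   -", r)
```

On the constructed sample this flags three events: Alice's code exchange (redeemed from a host and country that do not match her login), her subsequent refresh from the same unexpected location, and Bob's exchange with a Pipedream redirect. The first rule is the most specific to this attack class, since a legitimate native client redeems the code from the same machine that performed the interactive login; tune the baseline window and the indicator list to the tenant before alerting on the other two.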
