Executive Summary
ConsentFix v3 represents a significant escalation in the automation and sophistication of OAuth abuse targeting Microsoft Azure and Entra ID environments. This attack toolkit leverages advanced social engineering, browser-native phishing, and automated backend infrastructure to bypass Multi-Factor Authentication (MFA) and Conditional Access controls, enabling persistent unauthorized access to cloud resources. The toolkit is now widely available on criminal forums, with evidence of both state-sponsored and cybercriminal adoption. Organizations relying on Microsoft 365, Azure, and related cloud services are at heightened risk, as attackers exploit OAuth consent flows to hijack accounts and maintain long-term access to sensitive data and services.
Threat Actor Profile
The primary actors behind ConsentFix v3 attacks are a blend of sophisticated state-sponsored groups and opportunistic cybercriminals. Early campaigns have been attributed to APT29 (Cozy Bear), a Russian state-affiliated threat group known for targeting government and enterprise cloud environments. The toolkit’s release on the XSS criminal forum has democratized access, enabling a broader spectrum of actors, including financially motivated cybercriminals, to launch highly effective OAuth abuse campaigns. These actors demonstrate advanced operational security, leveraging cloud-native infrastructure such as Cloudflare Workers, Dropbox, and Pipedream for payload delivery and exfiltration, and are adept at rapidly iterating their techniques in response to defensive measures.
Technical Analysis of Malware/TTPs
ConsentFix v3 automates the exploitation of OAuth authorization flows, specifically targeting first-party Microsoft applications with known Conditional Access exclusions and FOCI (Family of Client IDs) support. The attack chain typically begins with a phishing lure delivered via email, SEO-poisoned search results, or malicious ads. Victims are directed to a phishing site that mimics legitimate Microsoft login workflows. The site instructs users to copy and paste a legitimate Microsoft OAuth URL—often generated for trusted apps like Azure CLI—into the phishing interface.
Upon submission, the phishing site captures the OAuth authorization code embedded in the URL. An automated backend, frequently orchestrated via Pipedream webhooks, exchanges this code for access and refresh tokens using Microsoft’s token endpoint. These tokens grant the attacker persistent API access to the victim’s account, bypassing MFA, device compliance, and many Conditional Access policies. The attacker can then access Outlook, Teams, OneDrive, SharePoint, and other Microsoft 365 services, and may escalate privileges using FOCI or Primary Refresh Token (PRT) techniques.
The toolkit’s automation extends to campaign management, persona creation, and email crafting, enabling large-scale, targeted attacks with minimal manual intervention. Infrastructure is often ephemeral, leveraging Cloudflare Workers for hosting, Dropbox for payload storage, and SpecterPortal for post-exploitation activities. The use of browser-native phishing techniques and localhost redirect URIs makes detection and prevention particularly challenging.
Exploitation in the Wild
Active exploitation of ConsentFix v3 has been observed since late 2025, with initial campaigns attributed to APT29 targeting government and enterprise Microsoft tenants. Subsequent campaigns by groups such as Storm-2372 have employed similar OAuth abuse techniques, including device code phishing. The public release of the toolkit on the XSS forum has led to rapid adoption by cybercriminals, with guides and walkthroughs circulating widely. Victims span a range of sectors, including government, enterprise, cloud service providers, and SaaS-heavy organizations, primarily in the United States, United Kingdom, European Union, and other regions with significant Azure/Entra ID deployments.
Indicators of compromise include OAuth consent grants for first-party Microsoft apps, unusual OAuth token exchanges, mismatched IP addresses between initial login and subsequent API activity, and the presence of infrastructure such as custom Cloudflare Workers domains, Dropbox links, and Pipedream webhook URLs in network logs.
Victimology and Targeting
The primary targets of ConsentFix v3 attacks are organizations with extensive reliance on Microsoft Azure, Entra ID, and Microsoft 365 services. High-value sectors include government agencies, large enterprises, cloud service providers, and organizations with complex Conditional Access policies or broad OAuth app registrations. Attackers often use open-source intelligence and SaaS tools to identify and profile potential victims, crafting highly convincing phishing lures tailored to specific roles or departments. The attack is particularly effective against users with elevated privileges or those excluded from certain Conditional Access controls, such as IT administrators and DevOps personnel.
Mitigation and Countermeasures
To defend against ConsentFix v3 and similar OAuth abuse campaigns, organizations should implement a multi-layered approach:
- Restrict access to vulnerable first-party applications by creating Service Principals for apps like Azure CLI, Microsoft Authentication Broker, Teams, Outlook, SharePoint, OneDrive, and Microsoft Graph, and limiting user access to only those who require it.
- Enforce strict Conditional Access policies, including device compliance and token protection, to bind access tokens to specific devices or sessions.
- Conduct regular log analysis to identify suspicious OAuth consent grants, unusual token exchanges, and mismatched IP addresses.
- Monitor for known indicators of compromise, including custom Cloudflare Workers domains, Dropbox payload links, and Pipedream webhook URLs.
- Enhance user awareness through targeted training on OAuth consent phishing, emphasizing the risks of copy-pasting URLs into unfamiliar sites and recognizing browser-native phishing techniques.
- Deploy browser security solutions capable of detecting DOM-level phishing kits, such as those offered by Push Security.
- Regularly review and revoke active sessions for users exhibiting signs of compromise, and incorporate real-world ConsentFix scenarios into phishing simulations to improve resilience.
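As an added example (not code from the advisory, Rescana, or any vendor product), the following implements the IP-mismatch check named under Exploitation in the Wild and in the log-analysis mitigation above: an interactive sign-in to one of the listed first-party apps followed shortly by API activity for the same user from a different address. The event schema, app display names, addresses and timestamps are constructed assumptions for this example, not the Entra sign-in log format.

```python
"""Constructed detection example: correlate an interactive sign-in to a
watched first-party Microsoft client with later API activity by the same
user from a different IP within a short window. The event schema below is
simplified and constructed for this example."""
from datetime import datetime, timedelta

# Apps the advisory lists as targets; display names are assumptions.
WATCHED_APPS = {"Microsoft Azure CLI", "Microsoft Authentication Broker",
                "Microsoft Teams", "Microsoft Outlook", "SharePoint",
                "OneDrive", "Microsoft Graph"}
WINDOW = timedelta(hours=1)

# Constructed sample events: (timestamp, user, app, client_ip, kind)
# alice: Azure CLI sign-in from one IP, Graph activity minutes later from another.
# bob:   Outlook sign-in and Graph activity from the same IP (benign).
EVENTS = [
    ("2025-11-03T09:00:00", "alice@example.test", "Microsoft Azure CLI", "203.0.113.10", "interactive"),
    ("2025-11-03T09:04:00", "alice@example.test", "Microsoft Graph", "198.51.100.7", "api"),
    ("2025-11-03T10:00:00", "bob@example.test", "Microsoft Outlook", "203.0.113.22", "interactive"),
    ("2025-11-03T10:02:00", "bob@example.test", "Microsoft Graph", "203.0.113.22", "api"),
]


def parse(event):
    """Turn a raw tuple into (datetime, user, app, ip, kind)."""
    ts, user, app, ip, kind = event
    return datetime.fromisoformat(ts), user, app, ip, kind


def find_ip_mismatches(events, window=WINDOW, watched=WATCHED_APPS):
    """Return (user, login_ip, api_ip, app) for each watched-app interactive
    sign-in that is followed within `window` by API activity for the same
    user from a different IP. Events are sorted by time first."""
    parsed = sorted((parse(e) for e in events), key=lambda e: e[0])
    findings = []
    for i, (ts, user, app, ip, kind) in enumerate(parsed):
        if kind != "interactive" or app not in watched:
            continue
        for ts2, user2, _app2, ip2, kind2 in parsed[i + 1:]:
            if ts2 - ts > window:
                break  # sorted, so nothing later can fall in the window
            if user2 == user and kind2 == "api" and ip2 != ip:
                findings.append((user, ip, ip2, app))
                break  # one finding per sign-in is enough to alert on
    return findings


if __name__ == "__main__":
    for user, login_ip, api_ip, app in find_ip_mismatches(EVENTS):
        print(f"ALERT {user}: {app} sign-in from {login_ip}, API use from {api_ip}")
```

In a real tenant the same logic would run over exported sign-in logs, keyed on the interactive and non-interactive sign-in categories rather than the constructed `kind` field.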
References
- Push Security: ConsentFix v3 Analysis
- Mitiga: ConsentFix OAuth Phishing Explained
- Reddit: New ConsentFix attack hijacks Microsoft accounts via Azure CLI
- MITRE ATT&CK: T1556.003
- XSS Forum Leak (via Push Security)
About Rescana
Rescana is a leader in third-party risk management (TPRM), providing organizations with advanced tools and intelligence to identify, assess, and mitigate cyber threats across their digital supply chain. Our platform empowers security teams to proactively manage risk, streamline vendor assessments, and respond rapidly to emerging threats. For questions or further analysis, we are happy to assist at ops@rescana.com.