ConsentFix v3 Automates OAuth Phishing to Hijack Azure Tokens, Bypassing MFA
What Happened — A new automated attack chain called ConsentFix v3 is being sold on hacker forums. It abuses the OAuth 2.0 authorization‑code flow to steal Azure AD access and refresh tokens, even when multi‑factor authentication (MFA) is enabled. The workflow is fully automated via Pipedream webhooks, Cloudflare Pages phishing sites, and disposable email accounts.
Why It Matters for TPRM (Third‑Party Risk Management) —
- Enables large‑scale credential theft from Azure tenants, compromising any downstream SaaS or cloud service that trusts Azure AD.
- Bypasses MFA, a control many third‑party risk assessments treat as a baseline defense.
- Automation lowers the barrier for opportunistic attackers, increasing the likelihood of widespread exposure.
Who Is Affected — Enterprises and MSPs that rely on Azure AD for identity, SaaS vendors built on Azure, and any third‑party that consumes Azure‑issued tokens.
Recommended Actions — Review and tighten Azure AD conditional‑access policies, restrict OAuth consent to vetted applications, monitor for abnormal token issuance, disable legacy OAuth grant types, and run phishing‑simulation training focused on OAuth‑based lures.
Technical Notes — Attack vector: phishing (malicious OAuth login page) combined with automation (Pipedream webhook that instantly exchanges captured authorization codes for refresh tokens). No public CVE; the abuse leverages legitimate Microsoft APIs. Compromised data includes access/refresh tokens that grant full account control. Source: BleepingComputer
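As an added illustration (not code from the BleepingComputer article or from any vendor tooling), the heuristic below implements the "monitor for abnormal token issuance" recommendation against the pattern described in the Technical Notes: an unverified app obtains consent for offline_access plus a broad data scope, and a token is issued to that app seconds later from infrastructure other than the user's. The record layout, field names, and the two‑minute window are assumptions for the example, not the real Entra ID audit or sign‑in log schema; all sample records are constructed.

```python
# Heuristic detector for ConsentFix-style consent phishing (added example; the record
# schema below is simplified and constructed, not the real Entra ID audit/sign-in format).
from datetime import datetime

# Scopes that, combined with offline_access (a refresh token), give durable data access.
BROAD_SCOPES = {"Mail.Read", "Mail.ReadWrite", "Files.Read.All", "User.Read.All"}

def parse_ts(s):
    """Parse an ISO-8601 UTC timestamp such as 2024-05-01T09:00:04Z."""
    return datetime.fromisoformat(s.replace("Z", "+00:00"))

def find_suspicious_consents(consents, token_events, window_seconds=120):
    """Return alerts for consent grants matching the automated code-for-token pattern.
    A grant is flagged when (a) the app's publisher is unverified and the grant includes
    offline_access plus at least one BROAD_SCOPES entry, and (b) within window_seconds
    a token is issued to that app for the same user from an IP other than the one the
    user consented from (the immediate exchange done by the attacker's automation)."""
    alerts = []
    for c in consents:
        scopes = set(c["scopes"])
        if c["publisher_verified"] or "offline_access" not in scopes:
            continue
        if not (scopes & BROAD_SCOPES):
            continue
        t0 = parse_ts(c["time"])
        for t in token_events:
            if t["app_id"] != c["app_id"] or t["user"] != c["user"]:
                continue
            delta = (parse_ts(t["time"]) - t0).total_seconds()
            if 0 <= delta <= window_seconds and t["ip"] != c["ip"]:
                alerts.append({"user": c["user"], "app_id": c["app_id"],
                               "scopes": sorted(scopes), "seconds_to_token": delta,
                               "consent_ip": c["ip"], "token_ip": t["ip"]})
    return alerts

# Constructed sample records (documentation IP ranges, placeholder app ids).
CONSENTS = [
    {"time": "2024-05-01T09:00:00Z", "user": "alice@example.com", "app_id": "app-1111",
     "publisher_verified": False, "scopes": ["openid", "offline_access", "Mail.Read"], "ip": "203.0.113.5"},
    {"time": "2024-05-01T09:30:00Z", "user": "bob@example.com", "app_id": "app-2222",
     "publisher_verified": True, "scopes": ["openid", "offline_access", "Files.Read.All"], "ip": "203.0.113.9"},
    {"time": "2024-05-01T10:00:00Z", "user": "carol@example.com", "app_id": "app-3333",
     "publisher_verified": False, "scopes": ["openid", "User.Read"], "ip": "203.0.113.7"},
]
TOKENS = [
    {"time": "2024-05-01T09:00:04Z", "user": "alice@example.com", "app_id": "app-1111", "ip": "198.51.100.20"},
    {"time": "2024-05-01T09:30:02Z", "user": "bob@example.com", "app_id": "app-2222", "ip": "198.51.100.30"},
    {"time": "2024-05-01T10:00:01Z", "user": "carol@example.com", "app_id": "app-3333", "ip": "198.51.100.40"},
]

if __name__ == "__main__":
    for a in find_suspicious_consents(CONSENTS, TOKENS):
        print(a)
```

Only the first grant is flagged: the verified publisher (second) and the grant without offline_access (third) are skipped, so the rule stays quiet for ordinary first‑party and low‑privilege apps.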