ConsentFix v3: How Attackers Automate Azure OAuth Abuse
- [01] Threat actors use automated tools to trick users into granting malicious OAuth permissions, leading to persistent account access.
- [02] Microsoft Azure (Entra ID) tenants are the primary targets, specifically those without restricted application consent policies.
- [03] Organizations should immediately disable user-led consent for unverified applications and implement administrative approval workflows.
ConsentFix v3 represents a sophisticated evolution in phishing and identity-based attacks targeting Microsoft Azure environments. According to Bleeping Computer, the tool automates the creation of malicious OAuth applications and the process of tricking users into granting them permissions, a technique known as an illicit consent grant. Unlike traditional credential theft, this TTP often bypasses multi-factor authentication (MFA): the victim authenticates directly with Microsoft’s legitimate identity provider, satisfies any MFA challenge there, and only then authorizes the third-party application, so the attacker never has to handle the credentials or the MFA step at all.
Technical Analysis of Automated Microsoft Azure OAuth Exploitation
The core of the ConsentFix v3 methodology lies in the architectural abuse of the OAuth 2.0 authorization framework. The tool is being marketed on underground forums like XSS as a solution to automate Microsoft Azure OAuth exploitation by deploying applications that request high-privilege scopes. Common requested permissions include Mail.Read, Notes.Read.All, and Files.ReadWrite.All, which grant the attacker programmatic access to the victim’s entire Microsoft 365 suite.
When a victim clicks a malicious link, they are directed to the official Microsoft login portal. Because the login itself is legitimate, the user’s credentials are not stolen in the traditional sense; instead, the user is prompted to consent to an application. Once the user clicks ‘Accept,’ the authorization response is delivered to the attacker’s C2 server, which obtains an access token and a refresh token. This allows the APT or cybercriminal actor to maintain persistent access even if the user changes their password, for as long as the application remains authorized in the tenant.
Persistence and Stealth
Because this method does not rely on stolen passwords, it effectively circumvents many EDR protections that focus on endpoint-based credential harvesting. The malicious activity takes place at the API layer, specifically via Microsoft Graph. For defenders, this means that telemetry must be captured at the identity provider level rather than just the workstation. Without proper SIEM integration and monitoring of Entra ID (formerly Azure AD) logs, these illicit grants can remain active for months, providing a silent pipeline for data exfiltration.
How to detect ConsentFix v3 OAuth abuse
Detecting automated OAuth abuse requires a shift toward identity-centric security monitoring. SOC analysts should prioritize the following indicators within their environment:
- New Multi-Tenant Applications: Monitor for the registration or authorization of new multi-tenant applications that have not been vetted by internal IT.
- Low-Trust Publishers: Use the Entra ID portal to identify apps with no verified publisher status that have been granted access to sensitive data.
- High-Volume Graph API Activity: Track sudden spikes in Microsoft Graph API calls originating from a single application, which often indicates automated data harvesting.
Following MITRE ATT&CK framework guidance, defenders should look specifically for evidence of token theft or unauthorized application delegation. A Zero Trust architecture is a fundamental component of mitigating illicit consent grants in Entra ID: no application should be granted access simply because an authenticated user requested it.
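The three indicators above can be checked mechanically once consent events and Graph call telemetry are exported from Entra ID. The following Python is an added example, not code from the article or from Microsoft: it scores consent records against the indicators (unvetted multi-tenant app, no verified publisher, high-privilege scopes such as those named earlier) and finds applications whose Graph call rate spikes inside a sliding window. The record layout is a simplified, constructed stand-in for the "Consent to application" audit event and for per-app call telemetry; the field names and all sample data are assumptions.

```python
"""Added example (not the article's or Microsoft's code): apply the three
detection indicators to consent audit records, and look for bursty
Microsoft Graph usage by a single application.

The record layout is a simplified, constructed stand-in for the Entra ID
"Consent to application" audit event and for per-app Graph call telemetry;
the field names and the sample data below are assumptions, not real logs."""
from collections import defaultdict
from datetime import datetime, timedelta

# Scopes the article names as typical of this campaign; offline_access is added
# because it is what yields the long-lived refresh token used for persistence.
HIGH_RISK_SCOPES = {"Mail.Read", "Notes.Read.All", "Files.ReadWrite.All", "offline_access"}


def risky_scopes(scope_string):
    """Return the subset of a space-separated scope string that is high-risk.
    Anything in HIGH_RISK_SCOPES, ending in '.All' or containing 'ReadWrite'
    is treated as broad; User.Read and similar least-privilege scopes are not."""
    return {s for s in scope_string.split()
            if s in HIGH_RISK_SCOPES or s.endswith(".All") or "ReadWrite" in s}


def triage_consent_events(events):
    """Flag consent events that match the indicators in the text.

    Each event: app, user, publisher_verified (bool), sign_in_audience
    ("AzureADMyOrg" = single tenant, "AzureADMultipleOrgs" = multi-tenant),
    scope (space-separated), is_admin_consent (bool), optional vetted (bool).
    """
    findings = []
    for e in events:
        reasons = []
        if e["sign_in_audience"] == "AzureADMultipleOrgs" and not e.get("vetted", False):
            reasons.append("multi-tenant app not vetted by IT")
        if not e["publisher_verified"]:
            reasons.append("no verified publisher")
        broad = risky_scopes(e["scope"])
        if broad:
            reasons.append("high-privilege scopes: " + " ".join(sorted(broad)))
        if reasons:
            findings.append({
                "app": e["app"], "user": e["user"],
                "consent": "admin" if e["is_admin_consent"] else "user",
                # user-led consent to an unverified, broad-scope app is the pattern described
                "severity": "high" if len(reasons) >= 2 and not e["is_admin_consent"] else "medium",
                "reasons": reasons,
            })
    return findings


def graph_call_spikes(calls, window_minutes=10, threshold=500):
    """calls: iterable of (datetime, app_id). Return {app_id: peak_count} for
    apps whose call count inside any sliding window exceeds threshold."""
    per_app = defaultdict(list)
    for ts, app in calls:
        per_app[app].append(ts)
    window = timedelta(minutes=window_minutes)
    spiking = {}
    for app, stamps in per_app.items():
        stamps.sort()
        start, peak = 0, 0
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak > threshold:
            spiking[app] = peak
    return spiking


# --- Constructed sample data -------------------------------------------------
SAMPLE_EVENTS = [
    {"app": "Contoso Expense Sync", "user": "alice@example.com", "publisher_verified": True,
     "sign_in_audience": "AzureADMyOrg", "scope": "User.Read", "is_admin_consent": False},
    {"app": "Doc Viewer Pro", "user": "bob@example.com", "publisher_verified": False,
     "sign_in_audience": "AzureADMultipleOrgs",
     "scope": "Mail.Read Notes.Read.All Files.ReadWrite.All offline_access",
     "is_admin_consent": False},
    {"app": "HR Portal", "user": "admin@example.com", "publisher_verified": True,
     "sign_in_audience": "AzureADMyOrg", "scope": "Directory.Read.All", "is_admin_consent": True},
]

T0 = datetime(2024, 1, 1, 9, 0, 0)
# 600 calls in five minutes from one app (harvesting pattern) versus 50 calls spread over an hour.
SAMPLE_CALLS = [(T0 + timedelta(seconds=i // 2), "doc-viewer-pro") for i in range(600)]
SAMPLE_CALLS += [(T0 + timedelta(seconds=72 * i), "contoso-expense-sync") for i in range(50)]

if __name__ == "__main__":
    for f in triage_consent_events(SAMPLE_EVENTS):
        print(f["severity"].upper(), f["app"], f["consent"] + "-consent", "->", "; ".join(f["reasons"]))
    print("Graph spikes:", graph_call_spikes(SAMPLE_CALLS))
```

Admin-consented grants are still reported (an administrator can be phished too) but at lower severity, since the pattern the article describes is user-led consent to an unverified multi-tenant app requesting broad scopes. The spike threshold and window are tuning knobs; baseline them per tenant before alerting on them.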
Recommended Mitigation Strategies
To defend against the scalable threat that ConsentFix v3 poses, organizations must implement technical controls that prevent automated exploitation at the source.
- Disable User-Led Consent: Navigate to the Entra ID portal and restrict the ability for users to grant consent to unverified applications. This is the single most effective way to prevent this attack vector.
- Enable Admin Consent Workflows: Configure a process where users must request administrator approval before an application can access tenant data. This allows security teams to inspect the requested permissions before they are granted.
- Audit Existing Grants: Use PowerShell or the Entra ID portal to perform a comprehensive audit of all existing OAuth grants. Remove any applications that hold broad scopes or are no longer in use, so that a compromised identity token cannot be used for lateral movement.
- Enhanced User Education: Train employees to recognize that even legitimate Microsoft login prompts can lead to security breaches if the subsequent consent screen requests unexpected permissions.
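The three technical controls above (disable user-led consent, enable the admin consent workflow, audit and revoke existing grants) are all settings the Entra ID portal manages through Microsoft Graph. The following Python is an added example, not the article's or Microsoft's code: a dry-run planner that builds the Graph v1.0 requests in the order they should be applied and shows the weak `authorizationPolicy` setting beside the corrected one, without sending anything. The grant inventory, service-principal records, the `days_since_use` field and the reviewer user id are constructed placeholders; the endpoint paths, policy ids and request bodies are the documented Graph shapes.

```python
"""Added example (not the article's or Microsoft's code): a dry-run planner for
the three technical mitigations, expressed as Microsoft Graph v1.0 requests.
It builds the requests in the order they should be applied but does not send
them. The grant inventory, service-principal records, days_since_use field and
reviewer user id below are constructed placeholders."""

GRAPH = "https://graph.microsoft.com/v1.0"

# Built-in permission-grant policy ids Entra ID uses for the user consent setting.
LEGACY_USER_CONSENT = "ManagePermissionGrantsForSelf.microsoft-user-default-legacy"  # any app, any scope
LOW_RISK_USER_CONSENT = "ManagePermissionGrantsForSelf.microsoft-user-default-low"   # verified publishers, low-impact scopes


def user_consent_is_open(authorization_policy):
    """True when users may consent to any application (the weak setting)."""
    assigned = authorization_policy["defaultUserRolePermissions"]["permissionGrantPoliciesAssigned"]
    return LEGACY_USER_CONSENT in assigned


def disable_user_consent(allow_low_risk=False):
    """PATCH authorizationPolicy: an empty list blocks all user consent; the
    low-risk policy keeps consent for verified publishers and low-impact scopes only."""
    value = [LOW_RISK_USER_CONSENT] if allow_low_risk else []
    return {"method": "PATCH", "url": f"{GRAPH}/policies/authorizationPolicy",
            "body": {"defaultUserRolePermissions": {"permissionGrantPoliciesAssigned": value}}}


def enable_admin_consent_workflow(reviewer_user_ids, duration_days=30):
    """PATCH adminConsentRequestPolicy so blocked consents become review requests."""
    return {"method": "PATCH", "url": f"{GRAPH}/policies/adminConsentRequestPolicy",
            "body": {"isEnabled": True, "notifyReviewers": True, "remindersEnabled": True,
                     "requestDurationInDays": duration_days,
                     "reviewers": [{"query": f"/users/{uid}", "queryType": "MicrosoftGraph"}
                                   for uid in reviewer_user_ids]}}


def is_broad(scope_string):
    """Broad = any '.All' or 'ReadWrite' scope, or offline_access (refresh tokens)."""
    return any(s.endswith(".All") or "ReadWrite" in s or s == "offline_access"
               for s in scope_string.split())


def grants_to_revoke(grants, principals, unused_days=90):
    """Select oauth2PermissionGrant records to delete: broad scopes, unverified
    publisher, or no use within unused_days (constructed days_since_use field)."""
    selected = []
    for g in grants:
        sp = principals[g["clientId"]]
        why = []
        if is_broad(g["scope"]):
            why.append("broad scopes")
        if not sp["verifiedPublisher"]:
            why.append("unverified publisher")
        if sp["days_since_use"] > unused_days:
            why.append("unused")
        if why:
            selected.append((g["id"], sp["displayName"], why))
    return selected


def plan_remediation(authorization_policy, grants, principals, reviewer_user_ids):
    """Ordered request list: close the door first, then install the workflow,
    then clean up what already got in."""
    plan = []
    if user_consent_is_open(authorization_policy):
        plan.append(disable_user_consent())
    plan.append(enable_admin_consent_workflow(reviewer_user_ids))
    for grant_id, _name, _why in grants_to_revoke(grants, principals):
        plan.append({"method": "DELETE", "url": f"{GRAPH}/oauth2PermissionGrants/{grant_id}", "body": None})
    return plan


# --- Constructed sample tenant state ----------------------------------------
SAMPLE_AUTHZ_POLICY = {"defaultUserRolePermissions": {"permissionGrantPoliciesAssigned": [LEGACY_USER_CONSENT]}}
SAMPLE_PRINCIPALS = {
    "sp-expense": {"displayName": "Contoso Expense Sync", "verifiedPublisher": True, "days_since_use": 3},
    "sp-docviewer": {"displayName": "Doc Viewer Pro", "verifiedPublisher": False, "days_since_use": 1},
    "sp-oldsurvey": {"displayName": "Survey Tool 2019", "verifiedPublisher": True, "days_since_use": 400},
}
SAMPLE_GRANTS = [
    {"id": "grant-1", "clientId": "sp-expense", "consentType": "Principal", "scope": "User.Read"},
    {"id": "grant-2", "clientId": "sp-docviewer", "consentType": "Principal",
     "scope": "Mail.Read Notes.Read.All Files.ReadWrite.All offline_access"},
    {"id": "grant-3", "clientId": "sp-oldsurvey", "consentType": "AllPrincipals", "scope": "User.Read"},
]
REVIEWERS = ["00000000-0000-0000-0000-000000000001"]  # placeholder reviewer user id

if __name__ == "__main__":
    for req in plan_remediation(SAMPLE_AUTHZ_POLICY, SAMPLE_GRANTS, SAMPLE_PRINCIPALS, REVIEWERS):
        print(req["method"], req["url"], req["body"] or "")
```

Deleting the `oauth2PermissionGrant` revokes the delegated permission, but an already-issued refresh token is honoured until it is revoked or expires, so a real runbook pairs the grant removal with revoking the affected users' sessions and, for an app that is clearly malicious, removing its service principal from the tenant as well.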