VYPR
Research · Published May 2, 2026 · Updated May 17, 2026 · 1 source

ConsentFix v3 Automates OAuth Phishing Attacks Against Azure Users

A sophisticated new phishing technique known as ConsentFix v3 is circulating on hacker forums, enabling attackers to automate the theft of OAuth tokens and hijack Microsoft Azure accounts while bypassing multi-factor authentication.

A new iteration of OAuth-based phishing, dubbed ConsentFix v3, has emerged on hacker forums, offering attackers an automated and scalable method to hijack Microsoft Azure accounts. It builds on earlier versions of the attack, which abuse the OAuth2 authorization code flow to trick users into granting access to their own accounts, a path that sidesteps multi-factor authentication (MFA) because the user completes the legitimate sign-in themselves (BleepingComputer).

The attack mechanism relies on abusing the trust Microsoft places in its own first-party applications. Using social engineering, attackers direct victims to a deceptive page that mimics a legitimate Microsoft or Azure login interface. After the victim signs in, the page prompts them to perform an action, such as dragging or pasting a localhost redirect URL, that carries an OAuth authorization code. The code is then sent to a backend automation engine, typically hosted on a platform such as Pipedream, which immediately exchanges it for a refresh token (BleepingComputer).

ConsentFix v3 distinguishes itself from its predecessors through its focus on automation and infrastructure integration. Attackers use harvested employee data to create highly personalized phishing emails, often embedding malicious links within PDFs hosted on services like DocSend to evade spam filters. Once the authorization code is captured, the Pipedream-based backend automates the token exchange and exfiltration, allowing attackers to import the stolen tokens into tools like the Specter Portal to gain unauthorized access to the victim's Microsoft environment, including emails and files (BleepingComputer).

The impact of this attack is significant because it targets the architectural trust inherent in Microsoft's Family of Client IDs (FOCI), which allows applications to share permissions and refresh tokens. Because the attack exploits legitimate OAuth flows, it is difficult to detect through traditional security measures. Push Security, which has tracked the evolution of ConsentFix, notes that the success of the attack depends on the specific permissions and tenant settings of the compromised account (BleepingComputer).

Mitigating the risks posed by ConsentFix v3 is challenging because the attack rides on legitimate OAuth flows rather than a patchable software flaw. Administrators are nonetheless encouraged to implement defensive measures such as binding tokens to trusted devices, establishing behavioral detection rules that identify anomalous login patterns, and enforcing stricter application authentication policies (BleepingComputer).
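One way to express the behavioral detection the article recommends, written here as an added example that is not part of the original article or of any vendor's tooling: it flags an authorization-code or token redemption that arrives from a different network than the interactive sign-in it follows, which is the shape of the code-to-backend handoff described above. Event fields, client names, addresses and ASN labels are constructed assumptions; real sign-in logs use their own schema and would need mapping onto these fields.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class AuthEvent:
    ts: datetime
    user: str
    kind: str        # "interactive": user completed sign-in in a browser; "redemption": code/token exchanged
    client_app: str  # application the token was issued to (assumed label, not a real client ID)
    src_ip: str
    src_asn: str     # network owner of src_ip, as supplied by the SIEM's enrichment (assumed)


def find_split_origin_redemptions(events, window=timedelta(minutes=15)):
    """Return (user, client_app, interactive_ip, redemption_ip) for every redemption whose most
    recent matching interactive sign-in (same user, same app, within `window`) came from a
    different network. Same-network redemptions and stale pairs outside the window are ignored."""
    hits = []
    ordered = sorted(events, key=lambda e: e.ts)
    for i, ev in enumerate(ordered):
        if ev.kind != "redemption":
            continue
        for prior in reversed(ordered[:i]):
            if ev.ts - prior.ts > window:
                break  # nothing older can be inside the window
            if (prior.kind == "interactive" and prior.user == ev.user
                    and prior.client_app == ev.client_app):
                if prior.src_asn != ev.src_asn:
                    hits.append((ev.user, ev.client_app, prior.src_ip, ev.src_ip))
                break  # compare only against the most recent matching sign-in
    return hits


# Constructed sample events (not real log data). Alice's code is redeemed seconds later from a
# hosting network she never signed in from; Bob redeems from the same network as his sign-in.
T0 = datetime(2026, 5, 2, 9, 0, 0)
SAMPLE = [
    AuthEvent(T0, "alice@example.com", "interactive", "first-party-client-A", "203.0.113.10", "AS-ISP-1"),
    AuthEvent(T0 + timedelta(seconds=40), "alice@example.com", "redemption", "first-party-client-A", "198.51.100.7", "AS-HOSTING-9"),
    AuthEvent(T0 + timedelta(minutes=1), "bob@example.com", "interactive", "first-party-client-A", "203.0.113.55", "AS-ISP-1"),
    AuthEvent(T0 + timedelta(minutes=1, seconds=5), "bob@example.com", "redemption", "first-party-client-A", "203.0.113.55", "AS-ISP-1"),
]

if __name__ == "__main__":
    for hit in find_split_origin_redemptions(SAMPLE):
        print("split-origin redemption:", hit)
```

The ASN comparison is deliberately coarse; a production rule would also weigh whether the redeeming network is a known serverless or hosting provider and whether the user has any history there.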

The emergence of ConsentFix v3 highlights a broader trend of threat actors refining their phishing techniques to incorporate automation and serverless infrastructure. By moving away from manual exploitation to more streamlined, scalable attack chains, adversaries are increasing the efficiency of their operations. Security teams should remain vigilant, as these methods continue to evolve to bypass standard identity-based protections.

Synthesized by Vypr AI