2026-05-02 BleepingComputer

ConsentFix v3: Automated OAuth Abuse Targets Azure

Cloud Security | Authentication | Threat Intel

Security researchers have flagged a new iteration of the consent-phishing tool known as ConsentFix, now labeled v3, which dramatically expands the scale and automation of attacks against Microsoft Azure Active Directory (Azure AD) environments. First observed on several closed-forum postings, the updated toolkit builds on an earlier method that relied on tricking users into granting OAuth permissions to a malicious application. ConsentFix v3 adds a scripted workflow that can provision rogue Azure AD apps, generate phishing pages, and harvest access and refresh tokens without manual intervention, effectively turning a once-manual operation into a turn-key credential-harvesting service.

Technically, the attack chain begins with the adversary registering an application in a target tenant or using a compromised partner account to create a multi-tenant app. The app is configured with the high-privilege scopes offline_access, openid, profile, and email, and points its redirect URI to an attacker-controlled endpoint. A specially crafted HTML page, often mimicking a legitimate SaaS login, is hosted and distributed via spear-phishing or malicious links. When a victim authenticates and consents, the app receives a short-lived access token for the Microsoft Graph API and a long-lived refresh token. ConsentFix v3 includes a PowerShell module that automatically redeems the refresh token on a configurable interval, queries Graph for mailbox, OneDrive, and Teams data, and exfiltrates the results to an external endpoint. To accelerate mass exploitation, the toolkit leverages Azure Lighthouse for cross-tenant delegation, allowing a single control panel to orchestrate token theft across multiple organizations simultaneously.

Microsoft's security guidance recommends disabling end-user consent for applications that request high-risk permissions and enforcing Conditional Access policies that require phishing-resistant authentication for OAuth app registration. Azure AD sign-in logs should be monitored for anomalous consent events, such as a new app receiving offline_access scope from an unfamiliar IP. Cloud-native defenses like Microsoft Defender for Cloud Apps and Azure AD Identity Protection can detect the irregular Graph API calls and token redemption patterns typical of ConsentFix v3. Organizations are also advised to audit existing OAuth applications, revoke any that appear unused, and educate users about the risks of granting consent to unverified apps.
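Detection logic for the consent-event monitoring recommended above, as an added example that is not from the article or from Microsoft: it scans constructed, simplified audit records (the field names are assumed, not the real Entra ID schema) and raises an alert only when high-risk scopes such as offline_access are granted from an IP outside an assumed corporate egress range or to an app from an unverified publisher.

```python
import ipaddress
import json

# Constructed sample records, loosely shaped like Entra ID "Consent to application" audit entries (simplified fields).
SAMPLE_AUDIT_LOG = """\
{"activity": "Consent to application", "app": "Contoso Expense", "scopes": "openid profile User.Read", "ip": "203.0.113.10", "publisherVerified": true}
{"activity": "Consent to application", "app": "Mail Sync Helper", "scopes": "openid profile email offline_access Mail.Read", "ip": "198.51.100.77", "publisherVerified": false}
{"activity": "Consent to application", "app": "HR Portal", "scopes": "openid offline_access", "ip": "203.0.113.22", "publisherVerified": true}
{"activity": "Update user", "app": "", "scopes": "", "ip": "198.51.100.5", "publisherVerified": false}
"""

# Assumed: the egress ranges this tenant's users normally sign in from.
CORPORATE_EGRESS = [ipaddress.ip_network("203.0.113.0/24")]
# Scopes worth alerting on: long-lived refresh tokens plus mailbox/file read access.
HIGH_RISK_SCOPES = {"offline_access", "Mail.Read", "Mail.ReadWrite", "Files.Read.All"}


def parse_records(text):
    """One JSON object per line -> list of dicts (blank lines skipped)."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def risk_reasons(rec, egress=CORPORATE_EGRESS):
    """List the indicators present on one record; empty for non-consent events."""
    if rec.get("activity") != "Consent to application":
        return []
    reasons = []
    risky = set(rec["scopes"].split()) & HIGH_RISK_SCOPES
    if risky:
        reasons.append("high-risk scopes: " + ", ".join(sorted(risky)))
    ip = ipaddress.ip_address(rec["ip"])
    if not any(ip in net for net in egress):
        reasons.append(f"consent from unfamiliar IP {ip}")
    if not rec.get("publisherVerified", False):
        reasons.append("unverified publisher")
    return reasons


def flag_suspicious(records, egress=CORPORATE_EGRESS):
    """Alert when high-risk scopes coincide with an unfamiliar IP or an unverified publisher;
    a verified app granted offline_access from a corporate address is routine."""
    alerts = {}
    for rec in records:
        reasons = risk_reasons(rec, egress)
        has_risky_scope = any(r.startswith("high-risk scopes") for r in reasons)
        if has_risky_scope and len(reasons) > 1:
            alerts[rec["app"]] = reasons
    return alerts
```

Running `flag_suspicious(parse_records(SAMPLE_AUDIT_LOG))` on the constructed sample flags only "Mail Sync Helper"; the verified HR Portal grant of offline_access from a corporate address is left alone.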

Source: BleepingComputer
