ConsentFix - Phishing exploit that bypasses Conditional Access

ConsentFix abuses Microsoft OAuth to steal access tokens without credentials or MFA, bypassing conditional access.

Research:

A sophisticated new phishing technique dubbed “ConsentFix” has emerged, representing a dangerous evolution of the “ClickFix” and “FileFix” social engineering tactics. It was first documented by Push Security.

https://pushsecurity.com/blog/consentfix

Summary:

ConsentFix is a browser-native phishing technique that abuses Microsoft’s OAuth sign-in flow to gain access to Microsoft 365 accounts without stealing passwords or triggering MFA. It effectively bypasses conditional access by tricking users into completing a legitimate authorisation step for a trusted app; attackers then use the result to obtain valid access tokens and maintain access to cloud resources.

The Legitimate Sign-In: If the email is valid, the page triggers a legitimate Microsoft OAuth sign-in flow for a first-party app (typically Azure CLI, App ID: 04b07795-8ddb-461a-bbee-02f9e1bf7b46). Because these first-party apps are pre-consented in most tenants, no consent warning or admin approval prompt appears.

The Capture: After the user signs in, Microsoft redirects the browser to a localhost URL containing an OAuth authorization code. Since no app is listening on the user's local machine, the browser shows an error. The phishing page then social-engineers the user into copying this "error" URL and pasting it back into the phishing site to "fix" the connection.

Unlike traditional phishing that steals passwords or delivers malware, ConsentFix hijacks OAuth authorization codes directly within the browser context. By exploiting the inherent trust in first-party Microsoft applications like Azure CLI, attackers can gain full, persistent access to cloud environments while completely bypassing multi-factor authentication (MFA) and phishing-resistant controls like conditional access.

While user awareness is important, recent studies of California-based healthcare professionals found that how recently they had undertaken phishing training did not correlate well with how likely they were to fall victim to these kinds of attacks. So what can you do?

Overe’s ITDR capabilities monitor the audit log for suspicious patterns of behaviour like this. In the case of a ConsentFix breach, Overe will create a ‘Possible Session Hijack’ alert, which can generate an email notification; alternatively, you can use our real-time Auto-Response capabilities to automatically revoke the session for the impacted user or even block their account entirely. This extra layer of defence is critical in the ever more reactive world of cybersecurity.
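The detection idea behind a ‘Possible Session Hijack’ alert can be sketched in a few lines. The following is an added example, not Overe’s code or Push Security’s: it correlates an interactive browser sign-in to the Azure CLI first-party app (the App ID quoted above) with a subsequent non-interactive token use for the same user from a different IP address within a short window, which is the shape a ConsentFix redemption takes once the stolen authorisation code is exchanged elsewhere. The JSON-lines log format, its field names and the sample events are all constructed for the example and do not reflect the real Entra ID sign-in log schema; the IP addresses are RFC 5737 documentation ranges.

```python
import json
from datetime import datetime, timedelta

# Azure CLI first-party application ID as quoted on the page.
AZURE_CLI_APP_ID = "04b07795-8ddb-461a-bbee-02f9e1bf7b46"

# Constructed sample sign-in events in a simplified JSON-lines format.
# These field names are an assumption for this example, NOT the real
# Entra ID sign-in log schema. Event 2 is the hijack pattern: alice's
# browser sign-in is followed minutes later by token use from another IP.
SAMPLE_LOG = """
{"time": "2024-05-01T10:00:00Z", "user": "alice@example.com", "app_id": "04b07795-8ddb-461a-bbee-02f9e1bf7b46", "interactive": true, "ip": "203.0.113.10", "user_agent": "Mozilla/5.0 (Windows NT 10.0) Chrome/124.0"}
{"time": "2024-05-01T10:04:00Z", "user": "alice@example.com", "app_id": "04b07795-8ddb-461a-bbee-02f9e1bf7b46", "interactive": false, "ip": "198.51.100.77", "user_agent": "python-requests/2.31"}
{"time": "2024-05-01T10:10:00Z", "user": "bob@example.com", "app_id": "04b07795-8ddb-461a-bbee-02f9e1bf7b46", "interactive": true, "ip": "192.0.2.5", "user_agent": "Mozilla/5.0 (Windows NT 10.0) Edge/124.0"}
{"time": "2024-05-01T10:11:00Z", "user": "bob@example.com", "app_id": "04b07795-8ddb-461a-bbee-02f9e1bf7b46", "interactive": false, "ip": "192.0.2.5", "user_agent": "AZURECLI/2.60"}
{"time": "2024-05-01T10:20:00Z", "user": "carol@example.com", "app_id": "00000000-0000-0000-0000-000000000000", "interactive": true, "ip": "203.0.113.44", "user_agent": "Mozilla/5.0"}
"""


def parse_events(text):
    """Parse JSON-lines sign-in events and return them sorted by time."""
    events = []
    for line in text.strip().splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        ev["time"] = datetime.strptime(ev["time"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return sorted(events, key=lambda e: e["time"])


def find_possible_session_hijacks(events, window=timedelta(minutes=30),
                                  app_id=AZURE_CLI_APP_ID):
    """Flag a user whose interactive sign-in to `app_id` is followed within
    `window` by non-interactive token use for the same app from a different IP.

    A genuine Azure CLI login (bob) redeems its code from the same machine,
    so the IP matches and nothing is raised; a ConsentFix victim's code is
    redeemed by the attacker's infrastructure, so the IP differs.
    """
    alerts = []
    last_interactive = {}  # user -> most recent interactive sign-in to the app
    for ev in events:
        if ev["app_id"] != app_id:
            continue
        if ev["interactive"]:
            last_interactive[ev["user"]] = ev
            continue
        prior = last_interactive.get(ev["user"])
        if prior is None or ev["time"] - prior["time"] > window:
            continue
        if ev["ip"] != prior["ip"]:
            alerts.append({
                "alert": "Possible Session Hijack",
                "user": ev["user"],
                "signin_ip": prior["ip"],
                "signin_user_agent": prior["user_agent"],
                "token_use_ip": ev["ip"],
                "token_use_user_agent": ev["user_agent"],
                "delta_minutes": (ev["time"] - prior["time"]).total_seconds() / 60,
            })
    return alerts


def run_sample():
    """Run the detector over the constructed sample log."""
    return find_possible_session_hijacks(parse_events(SAMPLE_LOG))


if __name__ == "__main__":
    for alert in run_sample():
        print(json.dumps(alert, indent=2))
```

Against the sample log this raises exactly one alert, for alice: a browser sign-in from 203.0.113.10 followed four minutes later by token use from 198.51.100.77 with a scripting user agent. The IP comparison is deliberately crude; a production version would compare network location or device identity rather than raw IPs, since a legitimate user moving between networks would otherwise trip it.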

Example Session Hijack Alert


Initial Investigation: Push Security
Severity: High
Productivity Impact: Very Low
Fix Estimate: Protected by Overe