ConsentFix - Phishing exploit that bypasses Conditional Access

ConsentFix abuses Microsoft's OAuth sign-in flow to obtain valid access and refresh tokens for a victim's Microsoft 365 account without capturing a password or defeating MFA. The victim completes the sign-in, MFA and Conditional Access checks themselves on their own trusted device, so the tokens the attacker ends up holding satisfy those policies, effectively bypassing Conditional Access.

Research:

A sophisticated new phishing technique dubbed “ConsentFix” has emerged, representing a dangerous evolution of the “ClickFix” and “FileFix” social engineering tactics. This was initially unveiled by Push Security.

https://pushsecurity.com/blog/consentfix

Summary:

ConsentFix is a browser-native phishing technique that abuses Microsoft's OAuth sign-in flow to gain access to Microsoft 365 accounts without stealing passwords or triggering an unexpected MFA prompt. The user is tricked into completing a legitimate authorisation step for a trusted first-party app and then handing the resulting authorisation code to the attacker. The attacker redeems that code for valid access and refresh tokens and uses them to maintain access to cloud resources, which is why Conditional Access is effectively bypassed: every check was passed honestly by the victim.

The Legitimate Sign-In: If the email address the victim enters is accepted, the phishing page starts a genuine Microsoft OAuth sign-in flow on behalf of a first-party Microsoft application, typically Azure CLI (App ID 04b07795-8ddb-461a-bbee-02f9e1bf7b46). First-party apps are trusted by default in most tenants, so no consent screen or admin-approval prompt appears, and the user authenticates on Microsoft's real sign-in page rather than a lookalike, so there is no spoofed login form for the user, a password manager or browser protections to notice.

The Capture: After the user signs in (completing MFA and any Conditional Access checks on their own device), Microsoft redirects the browser to a localhost URL that carries a one-time OAuth authorisation code in its query string. Azure CLI would normally be listening on that port to receive the code; on the victim's machine nothing is, so the browser shows a connection error. The phishing page then instructs the user to copy the "broken" URL from the address bar and paste it back into the phishing site to "fix" the connection. That URL contains the code, and because Azure CLI is a public client the attacker can redeem it at Microsoft's token endpoint without any client secret, receiving access and refresh tokens for the victim's account.

Unlike traditional phishing that steals passwords or delivers malware, ConsentFix hijacks an OAuth authorisation code inside the victim's own browser session. The victim performs a genuine sign-in from a device and location their Conditional Access policies already trust and completes MFA themselves, so the tokens Microsoft issues satisfy MFA and Conditional Access; the attacker simply uses them from elsewhere. Conditional Access is therefore not a phishing-resistant control in this scenario. Because the trusted first-party app is Azure CLI, those tokens can reach Microsoft Graph and Azure resources, giving the attacker persistent access to the cloud environment for as long as the refresh token remains valid.
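The two observable stages of the flow above, the victim's interactive Azure CLI sign-in and the attacker's later use of the stolen token from their own infrastructure, can be hunted for in Entra ID sign-in logs. The following is an added example, not code from Overe or Push Security. It runs two heuristics over a handful of constructed records shaped like Microsoft Graph signIn objects: an interactive Azure CLI sign-in by a user who has no business using the CLI, and a non-interactive Azure CLI sign-in for the same user from a different IP address shortly afterwards. The allow-list EXPECTED_CLI_USERS, the two-hour window and the sample data are assumptions to tune for your tenant.

```python
"""Heuristic hunt for ConsentFix-style Azure CLI token theft in Entra ID sign-in logs.

Added example, not code from Overe or Push Security. SAMPLE_SIGNINS is constructed
to resemble Entra ID sign-in records (field names follow the Microsoft Graph signIn
resource); EXPECTED_CLI_USERS and the reuse window are assumptions to tune per tenant.
"""
from datetime import datetime, timedelta

AZURE_CLI_APP_ID = "04b07795-8ddb-461a-bbee-02f9e1bf7b46"

# Assumption: users who legitimately use Azure CLI (populate from your admin/dev groups).
EXPECTED_CLI_USERS = {"devops@contoso.example"}

# Constructed sample records (not real log data).
SAMPLE_SIGNINS = [
    # 1. Victim's genuine interactive sign-in triggered by the phishing page.
    {"createdDateTime": "2025-01-15T09:02:11Z", "userPrincipalName": "alice@contoso.example",
     "appId": AZURE_CLI_APP_ID, "appDisplayName": "Microsoft Azure CLI",
     "resourceDisplayName": "Microsoft Graph", "ipAddress": "203.0.113.10",
     "isInteractive": True, "conditionalAccessStatus": "success"},
    # 2. Attacker redeems/refreshes the stolen token from their own infrastructure.
    {"createdDateTime": "2025-01-15T09:09:40Z", "userPrincipalName": "alice@contoso.example",
     "appId": AZURE_CLI_APP_ID, "appDisplayName": "Microsoft Azure CLI",
     "resourceDisplayName": "Microsoft Graph", "ipAddress": "198.51.100.77",
     "isInteractive": False, "conditionalAccessStatus": "success"},
    # 3. An expected CLI user behaving normally.
    {"createdDateTime": "2025-01-15T10:00:00Z", "userPrincipalName": "devops@contoso.example",
     "appId": AZURE_CLI_APP_ID, "appDisplayName": "Microsoft Azure CLI",
     "resourceDisplayName": "Windows Azure Service Management API", "ipAddress": "203.0.113.20",
     "isInteractive": True, "conditionalAccessStatus": "success"},
    # 4. Unrelated application; ignored by the hunt.
    {"createdDateTime": "2025-01-15T10:05:00Z", "userPrincipalName": "alice@contoso.example",
     "appId": "00000002-0000-0ff1-ce00-000000000000", "appDisplayName": "Office 365 Exchange Online",
     "resourceDisplayName": "Office 365 Exchange Online", "ipAddress": "203.0.113.10",
     "isInteractive": True, "conditionalAccessStatus": "success"},
]


def _ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def find_consentfix_indicators(signins, window=timedelta(hours=2)):
    """Return a list of findings over sign-in records for the Azure CLI app ID."""
    cli = sorted((r for r in signins if r.get("appId") == AZURE_CLI_APP_ID),
                 key=lambda r: r["createdDateTime"])
    findings = []
    # Heuristic 1: the authorisation step itself, an interactive Azure CLI sign-in
    # by someone who has no reason to use the CLI.
    for r in cli:
        if r.get("isInteractive") and r["userPrincipalName"] not in EXPECTED_CLI_USERS:
            findings.append({"type": "unexpected_cli_signin", "user": r["userPrincipalName"],
                             "ip": r["ipAddress"], "time": r["createdDateTime"],
                             "resource": r.get("resourceDisplayName")})
    # Heuristic 2: the stolen token in use, a non-interactive Azure CLI sign-in from a
    # different IP within `window` of the same user's interactive sign-in.
    interactive = [r for r in cli if r.get("isInteractive")]
    for r in cli:
        if r.get("isInteractive"):
            continue
        for first in interactive:
            if (first["userPrincipalName"] != r["userPrincipalName"]
                    or first["ipAddress"] == r["ipAddress"]):
                continue
            delta = _ts(r["createdDateTime"]) - _ts(first["createdDateTime"])
            if timedelta(0) <= delta <= window:
                findings.append({"type": "token_reuse_from_new_ip", "user": r["userPrincipalName"],
                                 "ip": r["ipAddress"], "origin_ip": first["ipAddress"],
                                 "time": r["createdDateTime"],
                                 "resource": r.get("resourceDisplayName")})
                break
    return findings


if __name__ == "__main__":
    for finding in find_consentfix_indicators(SAMPLE_SIGNINS):
        print(finding)
```

On the sample data the first heuristic fires on the victim's interactive sign-in and the second on the attacker's non-interactive sign-in seven minutes later from a new address; the expected CLI user and the Exchange Online record produce nothing. Feed it the `value` array from `GET /auditLogs/signIns` (or an export of the same records) to run it against real logs.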

Remediation Details:

Without automated protection, identifying and stopping a ConsentFix attack depends on users reporting suspicious activity and IT teams responding manually, often after access has already occurred. With Overe, this behaviour is detected automatically and access can be revoked in real time, significantly reducing both risk and response time. The following outlines both approaches.

Without automated protection

  • Speak to the affected user to confirm whether they expected to sign in, and whether a website, email or message asked them to copy a URL or "code" from their browser and paste it somewhere.
  • If the activity was not expected, block the account first so no new tokens can be issued, then sign the user out of all active sessions, which revokes their refresh tokens. Access tokens already issued keep working until they expire, typically about an hour, so treat that window as still exposed.
  • Reset the user's password and keep the account blocked until you know what was accessed.
  • Review recent activity: sign-in logs for Azure CLI (app ID 04b07795-8ddb-461a-bbee-02f9e1bf7b46) sign-ins and for non-interactive sign-ins from unfamiliar IP addresses, and audit logs for emails, files or collaboration data accessed or shared unexpectedly, new inbox rules, and newly registered MFA methods or devices.
  • Remove devices, MFA methods or connections the user does not recognise.
  • Reduce future risk by limiting which applications can obtain tokens for your tenant, and by restricting developer tooling such as Azure CLI to the users who actually need it.
  • Block sign-ins from unusual locations or untrusted devices where possible. The initial ConsentFix tokens are issued to the victim's own trusted device and location, so these controls mainly help when the attacker later tries to refresh the token from their own infrastructure.
  • Educate users that a URL or code shown in their browser's address bar is as sensitive as a password and should never be pasted into another site, even if the request appears legitimate.
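The manual containment steps above (block the account, revoke sessions, review Azure CLI sign-ins) map directly onto three Microsoft Graph calls. The following is an added example rather than Overe's tooling. It assumes a bearer token for Graph with User.ReadWrite.All (to disable the account), User.RevokeSessions.All (to revoke refresh tokens) and AuditLog.Read.All (to read sign-in logs), and it takes the HTTP transport as a parameter so the sequence can be dry-run or tested without a tenant.

```python
"""Containment of a suspected ConsentFix victim via Microsoft Graph REST.

Added example, not Overe's code. Assumes a Graph access token with
User.ReadWrite.All, User.RevokeSessions.All and AuditLog.Read.All.
The `send` callable is injectable so the steps can be exercised offline.
"""
import json
import urllib.request
from urllib.parse import quote

GRAPH = "https://graph.microsoft.com/v1.0"
AZURE_CLI_APP_ID = "04b07795-8ddb-461a-bbee-02f9e1bf7b46"


def graph_request(method, path, token, body=None):
    """Send one Graph call with urllib; returns (HTTP status, parsed JSON or None)."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(
        GRAPH + path, data=data, method=method,
        headers={"Authorization": f"Bearer {token}", "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        raw = resp.read()
        return resp.status, (json.loads(raw) if raw else None)


def contain_user(upn, token, send=graph_request):
    """Block sign-in first so no new tokens can be issued, then revoke refresh tokens.

    Access tokens already issued remain valid until they expire (typically about an
    hour), so activity in that window still needs reviewing. Returns the steps taken
    with their HTTP status codes, in order.
    """
    user = quote(upn)  # '@' in the UPN must be percent-encoded in the path
    steps = [
        ("PATCH", f"/users/{user}", {"accountEnabled": False}),
        ("POST", f"/users/{user}/revokeSignInSessions", None),
    ]
    results = []
    for method, path, body in steps:
        status, _ = send(method, path, token, body)
        results.append((method, path, status))
    return results


def azure_cli_signins_path(upn):
    """Path for GET /auditLogs/signIns filtered to the user's Azure CLI sign-ins."""
    odata = f"appId eq '{AZURE_CLI_APP_ID}' and userPrincipalName eq '{upn}'"
    return "/auditLogs/signIns?$filter=" + quote(odata)


def list_azure_cli_signins(upn, token, send=graph_request):
    """Return the sign-in records (Graph 'value' array) for the user's Azure CLI sign-ins."""
    _, body = send("GET", azure_cli_signins_path(upn), token, None)
    return body.get("value", []) if body else []


if __name__ == "__main__":
    import os
    tok = os.environ["GRAPH_TOKEN"]      # assumption: token supplied via environment
    victim = "alice@contoso.example"     # constructed example UPN
    print(contain_user(victim, tok))
    for rec in list_azure_cli_signins(victim, tok):
        print(rec.get("createdDateTime"), rec.get("ipAddress"), rec.get("isInteractive"))
```

The ordering in `contain_user` is deliberate: disabling the account before revoking sessions closes the gap in which a revoked refresh token could simply be replaced by a fresh sign-in. The sign-in listing is the same query a hunt would start from; compare the interactive record's IP with any non-interactive ones that follow it.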

With Overe

  • Overe continuously monitors for unusual sign-in and session behaviour associated with OAuth and token-based attacks.
  • If a ConsentFix-style threat is detected, Overe raises a "Possible Session Hijack" alert, and security teams can be notified immediately by email or in-platform alerts.
  • With Overe, accounts can be automatically blocked while the incident is reviewed, reducing the risk of data exposure.
  • In addition to detection and response, Overe provides a set of security policies designed to harden Microsoft 365 against these attacks, including controls around app access, authorisation behaviour, and risky sign-in patterns.
  • These policies help reduce the likelihood of token abuse occurring in the first place, not just respond after access has been granted.

Example: "OAuth Phishing Attempt"


Together, these hardening controls, combined with real-time detection and automated response, help ensure Microsoft 365 remains protected even as attackers shift away from passwords and towards token-based techniques.

If you would like to learn more about this threat, or to understand how Overe helps both existing customers and prospective users detect and protect against attacks like ConsentFix and other threats, please contact us for more information.

Severity: High
Productivity Impact: Very Low
Fix Estimate: Protected by Overe