ConsentFix Attack Hijacks Microsoft Accounts via Azure CLI

Summary
– ConsentFix is a new social engineering attack that hijacks Microsoft accounts by abusing the Azure CLI OAuth app; the victim completes the sign-in (MFA included), so the attacker never needs the password or an MFA bypass.
– The attack starts on a compromised, high-ranking website where a fake CAPTCHA filters for specific target email addresses.
– Victims are tricked into completing a legitimate Azure CLI OAuth flow, which generates an authorization code tied to their account.
– Attackers steal this code when victims paste the resulting URL into the malicious page, granting them full account access.
– Defenders are advised to monitor for unusual Azure CLI logins and legacy Graph scopes to detect this activity.
A newly identified phishing campaign, known as the ConsentFix attack, is compromising Microsoft accounts by abusing the legitimate Azure CLI OAuth application. The attacker never sees the victim's password and never has to defeat multi-factor authentication (MFA): the victim performs the sign-in themselves, MFA challenge included, and the attacker simply collects the authorization code that results. The technique is an evolution of earlier ClickFix-style social engineering schemes and poses a significant risk to organizations and individuals relying on Microsoft's ecosystem.
This variant, uncovered by cybersecurity researchers, abuses the standard OAuth 2.0 authorization code flow that the Azure Command-Line Interface (CLI) uses for `az login`. The phishing page constructs the authorization request, the victim is tricked into completing it, and the attacker collects the authorization code that Microsoft returns. Because the Azure CLI is a public client (there is no client secret) and the attacker built the request, that code can be exchanged at the token endpoint for an access token, and in a normal Azure CLI sign-in a refresh token as well, giving the attacker durable control over the associated Microsoft account. No credential theft and no MFA bypass is needed at any point.
The attack begins when a potential victim visits a legitimate website that has been compromised. These sites often rank highly in search engine results for specific technical or business terms. Upon arrival, the user encounters a counterfeit Cloudflare Turnstile CAPTCHA widget. This widget requests a valid business email address, which the attacker’s script immediately checks against a predefined target list. This step effectively filters out security researchers, automated bots, and individuals who are not the intended marks.
Users whose email addresses match the target list are then presented with a page mimicking a ClickFix-style interaction. The instructions inform the victim that they must verify they are human to proceed. They are told to click a 'Sign in' button, which genuinely opens a new browser tab to an official Microsoft login URL. Crucially, this is not an ordinary account sign-in: the request names the Azure CLI as the OAuth client, exactly as `az login` would, so completing it produces an authorization code for the Azure CLI application.
If the user is already logged into their Microsoft account in the browser, they may only need to select their profile. Otherwise, they authenticate normally, MFA included, on Microsoft's legitimate login page. Following successful authentication, Microsoft redirects the browser to a localhost address. Normally that redirect is caught by a local listener that `az login` starts on the user's machine; here nothing is listening, so the tab fails to load, but the address bar still holds the full redirect URL, and its query string contains the Azure CLI OAuth authorization code linked to the user's account.
The final phase of the phishing attempt instructs the user to copy this entire URL from the address bar and paste it back into the original malicious webpage. By following these directions, the victim unknowingly hands the authorization code directly to the attackers, who extract it from the query string. With this code, the threat actors obtain an access token and effective control of the victim's Microsoft account. Notably, if the user had an active session, no login credentials were entered at any point, and nothing the victim saw was a forged Microsoft page.
To avoid raising suspicion, the attack is designed to trigger only once per victim IP address. If a targeted individual returns to the phishing page, the initial CAPTCHA check will not reappear, which also frustrates analysts trying to reproduce it. For defenders, vigilance is key. Security teams should monitor sign-in logs for anomalous Azure CLI authentications, such as sign-ins from IP addresses the user has never used before, or from users who have no reason to use the CLI at all. Additionally, scrutinizing token requests for legacy Graph API permissions is advised, as attackers may intentionally use these older scopes to blend in and evade security monitoring tools that focus on the current Microsoft Graph.
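The two detection checks recommended above, as an added example that is not part of the original article or of any Microsoft tooling. The script runs over constructed Entra ID sign-in log records (newline-delimited JSON; the field names follow the sign-in log export schema) and flags Azure CLI sign-ins from IPs the user has not been seen on, and Azure CLI sign-ins whose target resource is the legacy Azure AD Graph. The Azure CLI app ID and the legacy Graph resource name are stated as assumptions in the code; confirm both against what your tenant's logs actually record. A second small function shows what the phishing page does with the pasted URL: the authorization code is a plain query parameter of the localhost redirect.

```python
"""Added example, not from the original article: flag suspicious Azure CLI
sign-ins in Entra ID sign-in log records, and show what the pasted
localhost redirect URL leaks. All log data below is constructed."""
import json
from collections import defaultdict
from urllib.parse import parse_qs, urlparse

# Public client ID of the Azure CLI as it appears in sign-in logs.
# Assumption for this example: verify against the appId your tenant logs show.
AZURE_CLI_APP_ID = "04b07795-8ddb-461a-bbee-02f9e1bf7b46"

# Resource display name under which the legacy Azure AD Graph shows up in
# sign-in logs. Assumption for this example: adjust to what your logs record.
LEGACY_GRAPH_RESOURCES = {"Windows Azure Active Directory"}

# Constructed sample records, one JSON object per line. App IDs other than
# the Azure CLI's are placeholders.
SAMPLE_SIGNIN_LOGS = """\
{"userPrincipalName": "bob@example.com", "appId": "11111111-1111-1111-1111-111111111111", "appDisplayName": "Microsoft Teams", "ipAddress": "198.51.100.7", "resourceDisplayName": "Microsoft Graph", "createdDateTime": "2025-01-15T08:00:00Z"}
{"userPrincipalName": "bob@example.com", "appId": "04b07795-8ddb-461a-bbee-02f9e1bf7b46", "appDisplayName": "Microsoft Azure CLI", "ipAddress": "198.51.100.7", "resourceDisplayName": "Microsoft Graph", "createdDateTime": "2025-01-15T08:05:00Z"}
{"userPrincipalName": "alice@example.com", "appId": "22222222-2222-2222-2222-222222222222", "appDisplayName": "Outlook", "ipAddress": "198.51.100.7", "resourceDisplayName": "Microsoft Graph", "createdDateTime": "2025-01-15T08:30:00Z"}
{"userPrincipalName": "alice@example.com", "appId": "04b07795-8ddb-461a-bbee-02f9e1bf7b46", "appDisplayName": "Microsoft Azure CLI", "ipAddress": "203.0.113.10", "resourceDisplayName": "Windows Azure Active Directory", "createdDateTime": "2025-01-15T09:12:00Z"}
{"userPrincipalName": "carol@example.com", "appId": "04b07795-8ddb-461a-bbee-02f9e1bf7b46", "appDisplayName": "Microsoft Azure CLI", "ipAddress": "192.0.2.44", "resourceDisplayName": "Microsoft Graph", "createdDateTime": "2025-01-15T10:41:00Z"}
"""


def parse_signin_logs(text):
    """Parse newline-delimited JSON sign-in records, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def build_ip_baseline(records):
    """Map each user to the IPs seen on sign-ins from apps other than the
    Azure CLI. In production this baseline would come from a longer history
    window than the batch being analysed."""
    baseline = defaultdict(set)
    for rec in records:
        if rec.get("appId") != AZURE_CLI_APP_ID:
            baseline[rec["userPrincipalName"]].add(rec["ipAddress"])
    return baseline


def find_suspicious_cli_signins(records, baseline):
    """Return (user, ip, reasons) for every Azure CLI sign-in that either comes
    from an IP the user has not been seen on, or targets the legacy Graph."""
    findings = []
    for rec in records:
        if rec.get("appId") != AZURE_CLI_APP_ID:
            continue
        user, ip = rec["userPrincipalName"], rec["ipAddress"]
        reasons = []
        if ip not in baseline.get(user, set()):
            reasons.append("azure_cli_from_unfamiliar_ip")
        if rec.get("resourceDisplayName") in LEGACY_GRAPH_RESOURCES:
            reasons.append("legacy_graph_resource")
        if reasons:
            findings.append((user, ip, reasons))
    return findings


def authorization_code_from_redirect(url):
    """What the phishing page extracts from the URL the victim pastes: the
    authorization code is the plain-text 'code' query parameter of the
    localhost redirect. Returns None for anything that is not a localhost URL."""
    parsed = urlparse(url)
    if parsed.hostname not in ("localhost", "127.0.0.1"):
        return None
    return parse_qs(parsed.query).get("code", [None])[0]


def run_demo():
    """Run the two checks over the constructed sample and return the findings."""
    records = parse_signin_logs(SAMPLE_SIGNIN_LOGS)
    findings = find_suspicious_cli_signins(records, build_ip_baseline(records))
    for user, ip, reasons in findings:
        print(f"ALERT {user} via Azure CLI from {ip}: {', '.join(reasons)}")
    return findings


if __name__ == "__main__":
    run_demo()
```

On the constructed sample, bob's CLI sign-in is quiet (known IP, current Graph), alice's trips both checks, and carol's trips the unfamiliar-IP check because she has no other sign-ins to baseline against. The IP check alone will be noisy for roaming engineers who legitimately use `az login`; in practice it is worth restricting it to users who have never used the Azure CLI before, or combining it with the legacy Graph signal.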
(Source: Bleeping Computer)