A sophisticated new phishing attack technique called “ConsentFix” combines OAuth consent phishing with ClickFix-style prompts to compromise Microsoft accounts without requiring passwords or multi-factor authentication.
The attack leverages the Azure CLI app to gain unauthorized access to victim accounts.
The ConsentFix attack operates entirely within the browser context, making it difficult for traditional security tools to detect.

Victims are directed to malicious or compromised websites through Google Search results.
These sites contain a fake Cloudflare Turnstile verification that collects email addresses and filters for targeted organizations.
Once a qualifying email is entered, victims are prompted to click a “Sign In” button that opens a legitimate Microsoft login page in a new tab.
If users are already logged into their Microsoft account, they select their account from a dropdown menu.
The browser then redirects to a localhost URL containing an OAuth authorization code associated with the victim’s Microsoft account.
The victim is instructed to copy this localhost URL and paste it back into the phishing page.

This simple copy-paste action grants the attacker full access to the victim’s Microsoft account via Azure CLI, effectively circumventing password-based security measures and phishing-resistant authentication such as passkeys.

Why Azure CLI Is Vulnerable
Azure CLI is a first-party Microsoft application implicitly trusted in Entra ID and exempt from standard OAuth consent requirements.
Unlike third-party applications, Azure CLI can request permissions without administrative approval and cannot be blocked or deleted.
This makes it an ideal target for exploitation. The campaign employs sophisticated detection evasion methods, including conditional email-based targeting, synchronized IP blocking across multiple compromised sites, and selective JavaScript loading based on visitor IP addresses.
These techniques hinder security analysis, making the attack nearly impossible to identify through URL-based checks alone.

PushSecurity urges organizations to monitor Microsoft Azure CLI login events, which should typically be limited to system administrators and developers. Any unusual interactive Azure CLI logins should be investigated.
Security teams should also enable and monitor AADGraphActivityLogs to detect suspicious Azure AD enumeration activity and watch for non-interactive logins from unexpected geographic locations.
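The two monitoring recommendations above can be turned into a simple triage over sign-in telemetry. The following is an added example written for this article, not code from PushSecurity or Microsoft: it runs over constructed, newline-delimited JSON sign-in records whose field names (userPrincipalName, appId, isInteractive, country, errorCode) are a simplified assumption rather than Microsoft's exact SigninLogs schema, and it uses the well-known application ID of the first-party Microsoft Azure CLI app. It flags successful interactive Azure CLI sign-ins by users outside an allow-list of administrators and developers, flags successful non-interactive sign-ins from countries outside the expected set, and correlates the two so a user who appears in both rises to the top of the queue.

```python
"""Triage of constructed Entra ID sign-in records for the two signals the
article recommends: interactive Azure CLI sign-ins by unexpected users and
non-interactive sign-ins from unexpected countries.

The record shape is a simplified assumption (one JSON object per line with
the field names used below), not Microsoft's exact SigninLogs schema."""
import json

# Well-known application (client) ID of the first-party "Microsoft Azure CLI" app.
AZURE_CLI_APP_ID = "04b07795-8ddb-461a-bbee-02f9e1bf7b46"

# Constructed allow-list of principals expected to use Azure CLI interactively.
EXPECTED_CLI_USERS = {"admin@example.com", "dev@example.com"}

# Constructed set of countries the organisation normally signs in from.
EXPECTED_COUNTRIES = {"US", "GB"}

# Constructed sample records; none of this is real telemetry.
SAMPLE_LOGS = """\
{"time": "2025-01-10T09:01:00Z", "userPrincipalName": "dev@example.com", "appId": "04b07795-8ddb-461a-bbee-02f9e1bf7b46", "appDisplayName": "Microsoft Azure CLI", "isInteractive": true, "country": "US", "errorCode": 0}
{"time": "2025-01-10T09:05:00Z", "userPrincipalName": "finance.user@example.com", "appId": "04b07795-8ddb-461a-bbee-02f9e1bf7b46", "appDisplayName": "Microsoft Azure CLI", "isInteractive": true, "country": "US", "errorCode": 0}
{"time": "2025-01-10T09:07:00Z", "userPrincipalName": "finance.user@example.com", "appId": "04b07795-8ddb-461a-bbee-02f9e1bf7b46", "appDisplayName": "Microsoft Azure CLI", "isInteractive": false, "country": "BR", "errorCode": 0}
{"time": "2025-01-10T09:10:00Z", "userPrincipalName": "alice@example.com", "appId": "00000000-0000-0000-0000-000000000001", "appDisplayName": "Constructed Line-of-Business App", "isInteractive": false, "country": "GB", "errorCode": 0}
{"time": "2025-01-10T09:12:00Z", "userPrincipalName": "bob@example.com", "appId": "04b07795-8ddb-461a-bbee-02f9e1bf7b46", "appDisplayName": "Microsoft Azure CLI", "isInteractive": true, "country": "US", "errorCode": 50126}
"""


def parse_signins(text):
    """Parse newline-delimited JSON into a list of dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def is_successful_cli_signin(rec, interactive):
    """True for a successful (errorCode 0) Azure CLI sign-in of the given kind."""
    return (rec.get("appId") == AZURE_CLI_APP_ID
            and rec.get("isInteractive") is interactive
            and rec.get("errorCode") == 0)


def unexpected_interactive_cli(records):
    """Successful interactive Azure CLI sign-ins by users outside the allow-list.
    Failed attempts are ignored; only a completed sign-in yields usable tokens."""
    return [r for r in records
            if is_successful_cli_signin(r, True)
            and r.get("userPrincipalName") not in EXPECTED_CLI_USERS]


def unexpected_noninteractive_geo(records):
    """Successful non-interactive sign-ins from countries outside the expected set."""
    return [r for r in records
            if r.get("isInteractive") is False
            and r.get("errorCode") == 0
            and r.get("country") not in EXPECTED_COUNTRIES]


def correlate(records):
    """Users present in both findings. An unexpected interactive Azure CLI sign-in
    followed by non-interactive token use from an unexpected location is the
    combination worth investigating first."""
    cli_users = {r["userPrincipalName"] for r in unexpected_interactive_cli(records)}
    geo_users = {r["userPrincipalName"] for r in unexpected_noninteractive_geo(records)}
    return sorted(cli_users & geo_users)


def triage(text):
    """Return the three findings as plain Python values for downstream alerting."""
    records = parse_signins(text)
    return {
        "interactive_cli": [r["userPrincipalName"] for r in unexpected_interactive_cli(records)],
        "noninteractive_geo": [(r["userPrincipalName"], r["country"])
                               for r in unexpected_noninteractive_geo(records)],
        "correlated": correlate(records),
    }


if __name__ == "__main__":
    for finding, hits in triage(SAMPLE_LOGS).items():
        print(f"{finding}: {hits}")
```

On the constructed sample, dev@example.com is allow-listed and bob@example.com's attempt failed, so only finance.user@example.com is flagged for the interactive Azure CLI sign-in; the same user's later non-interactive sign-in from BR is flagged on geography, and the correlation step surfaces that user as the priority case. The allow-list and expected-country set are the organisation-specific knobs; in practice they would be populated from role assignments and the tenant's sign-in history rather than hard-coded.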
