ConsentFix: A New OAuth Exploit Bypassing Microsoft Entra Authentication to Steal Authorization Codes
In late 2025, the cybersecurity community identified a sophisticated attack named ConsentFix, which exploits OAuth-based authentication flows to extract authorization codes from Microsoft Entra systems. This method represents an evolution of the ClickFix technique, showcasing how attackers continually refine their strategies to compromise cloud-based authentication without triggering traditional security controls.
Understanding the ConsentFix Attack
ConsentFix operates by crafting malicious Microsoft Entra login URLs targeting the Azure Command-Line Interface (CLI) application and Azure Resource Manager. Attackers disseminate these URLs through phishing campaigns, luring users to compromised websites. Upon visiting such a site, the attack chain initiates, leveraging the OAuth 2.0 authorization code flow—a standard mechanism users encounter when accessing cloud applications.
The process unfolds as follows:
1. User Authentication: The victim authenticates using their legitimate credentials.
2. Redirection to Localhost: Post-authentication, the browser redirects to a localhost address intended for the application to receive the authorization code.
3. Error Page Display: Since no service listens on the localhost, an error page appears.
4. Exposure of Authorization Code: Despite the error, the URL contains the sensitive authorization code.
5. Exploitation via User Interaction: The attacker prompts the user to copy and paste the URL, inadvertently sharing the authorization code.
This technique effectively bypasses Conditional Access policies and device compliance requirements, posing significant risks even to organizations with robust security frameworks.
Detection and Response Strategies
To detect ConsentFix attacks, security teams should monitor Azure sign-in logs for specific patterns:
– Dual Authentication Events: Two authentication events from the same session—one interactive (legitimate user) and one non-interactive (attacker using the stolen code).
– Temporal Proximity: Authorization codes are valid for approximately ten minutes. Correlating events within this window can indicate an attack.
– Session and User ID Matching: Matching SessionIDs, ApplicationIDs, and UserIDs between events can confirm unauthorized access.
– IP Address Discrepancies: Differing IP addresses between the two events suggest separate user and attacker locations.
Advanced detection strategies should filter out legitimate automation scenarios, such as GitHub Codespaces, which complete authentication processes rapidly, distinguishing them from malicious activities.
Broader Implications and Preventative Measures
The emergence of ConsentFix underscores the evolving nature of cyber threats targeting OAuth-based authentication systems. Organizations must adopt proactive measures to mitigate such risks:
– Enhanced User Education: Train users to recognize phishing attempts and avoid interacting with suspicious URLs.
– Strict Access Controls: Implement stringent Conditional Access policies and regularly review device compliance requirements.
– Continuous Monitoring: Utilize advanced monitoring tools to detect anomalies in authentication patterns and respond promptly.
By understanding and addressing the tactics employed in ConsentFix, organizations can bolster their defenses against sophisticated OAuth-based attacks.
