ConsentFix: A New Phishing Technique Exploiting Azure CLI to Hijack Microsoft Accounts
A phishing technique dubbed ConsentFix has emerged that lets attackers take over Microsoft accounts without ever learning the victim's password or defeating multi-factor authentication. It combines OAuth consent phishing with ClickFix-style copy-and-paste prompts, and it works by abusing the OAuth authorization-code flow of the Azure Command-Line Interface (CLI) application so that the attacker, not the victim, ends up holding tokens for the account.
Understanding the ConsentFix Attack
The ConsentFix attack runs entirely in the browser: no file is downloaded and no command is executed on the endpoint, so endpoint-focused security tools have little to see. Victims are typically steered to malicious or compromised websites through manipulated Google Search results. These sites present a counterfeit Cloudflare Turnstile verification whose real purpose is to collect the visitor's email address and filter for the organizations being targeted.
Once a qualifying email address is entered, the victim is prompted to click a Sign In button, which opens a genuine Microsoft login page in a new tab; the authorization request behind it names the Azure CLI application as the OAuth client. A user who is already signed in simply picks their account from the account chooser. Because Azure CLI registers a loopback (localhost) redirect URI for its interactive sign-in, Microsoft then sends the browser to a localhost URL carrying an OAuth authorization code for the victim's account. With no local listener waiting for it, the page does not load, but the complete URL, code included, remains in the address bar.
The phishing page instructs the victim to copy that localhost URL and paste it back into the site. That one paste hands the attacker the authorization code, which they redeem for access and refresh tokens exactly as the Azure CLI client would, giving them the victim's own level of access to the account through Azure CLI. Nothing was bypassed at sign-in: the victim completed a legitimate Microsoft authentication, passkey or other phishing-resistant method included. What was phished is the result of that authentication, the authorization code, rather than a credential, which is why password policy and phishing-resistant MFA do not stop it.
Why Azure CLI Is Vulnerable
Azure CLI is a first-party Microsoft application that Entra ID trusts implicitly. It is pre-consented, so unlike a third-party app it can obtain tokens for any user without a consent screen or administrative approval, and it is a public client with no client secret, so possession of an authorization code issued to it is all that is needed to redeem it. It also cannot be deleted from a tenant the way a third-party enterprise application can, and because there is no consent step there is nothing for the user or an administrator to refuse. Together these properties make it an ideal client for an attacker to impersonate.
The ConsentFix campaign also layers on detection evasion: conditional, email-based targeting, IP blocking synchronized across the compromised sites, and JavaScript that is served only to visitor IP addresses the operators have not flagged as analysts or scanners. An investigator who fetches the page from the wrong address sees nothing malicious, which makes the attack very hard to identify through URL-based checks alone.
Recommendations for Organizations
Security experts urge organizations to monitor sign-ins to the Microsoft Azure CLI application, which in most tenants should come only from administrators and developers. An interactive Azure CLI sign-in from a user with no reason to use the tool should be investigated promptly.
Additionally, security teams should enable and monitor AADGraphActivityLogs to detect suspicious directory enumeration, and should watch for non-interactive sign-ins from unexpected geographic locations: once the attacker holds the tokens, their continued use from the attacker's own infrastructure surfaces in the non-interactive sign-in logs rather than in the interactive ones.
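The two monitoring recommendations above, turned into triage logic over an exported batch of sign-in records, as an added example that is not from the original article or from any Microsoft tooling. It reads Microsoft Graph signIn-style records (userPrincipalName, appDisplayName, appId, isInteractive, ipAddress, location.countryOrRegion, createdDateTime), flags interactive Azure CLI sign-ins by users outside an allow-list, flags non-interactive sign-ins from outside an expected set of countries, and correlates the two into the ConsentFix shape: a user's interactive Azure CLI sign-in followed by non-interactive token use from another country. The sample records, the allow-list, the expected countries and the 24-hour correlation window are all constructed assumptions; the Azure CLI application ID is Microsoft's well-known first-party value, but matching is also done on the display name in case an export omits the ID.

```python
"""Triage exported Entra ID sign-in records for ConsentFix-style Azure CLI abuse.
Field names follow the Microsoft Graph signIn resource. Sample data, allow-list,
expected countries and correlation window are constructed for this example.
"""
import json
from dataclasses import dataclass
from datetime import datetime, timedelta

AZURE_CLI_APP_DISPLAY_NAME = "Microsoft Azure CLI"
# Well-known application (client) ID of Microsoft's first-party Azure CLI registration.
AZURE_CLI_APP_ID = "04b07795-8ddb-461a-bbee-02f9e1bf7b46"

# Assumptions: who is expected to use Azure CLI, where sign-ins normally come from,
# and how long after an interactive sign-in we still attribute token use to it.
EXPECTED_CLI_USERS = {"ops-admin@contoso.example", "dev1@contoso.example"}
EXPECTED_COUNTRIES = {"US", "GB"}
CORRELATION_WINDOW = timedelta(hours=24)

# Constructed sample export (JSON Lines). Record 2 is the victim's own interactive
# sign-in to the Azure CLI app; record 3 is the attacker using the resulting tokens.
SAMPLE_SIGNINS = """
{"createdDateTime":"2025-01-15T09:02:11Z","userPrincipalName":"ops-admin@contoso.example","appDisplayName":"Microsoft Azure CLI","appId":"04b07795-8ddb-461a-bbee-02f9e1bf7b46","isInteractive":true,"ipAddress":"203.0.113.10","location":{"countryOrRegion":"US"}}
{"createdDateTime":"2025-01-15T10:15:40Z","userPrincipalName":"finance.user@contoso.example","appDisplayName":"Microsoft Azure CLI","appId":"04b07795-8ddb-461a-bbee-02f9e1bf7b46","isInteractive":true,"ipAddress":"203.0.113.55","location":{"countryOrRegion":"US"}}
{"createdDateTime":"2025-01-15T10:19:03Z","userPrincipalName":"finance.user@contoso.example","appDisplayName":"Microsoft Azure CLI","appId":"04b07795-8ddb-461a-bbee-02f9e1bf7b46","isInteractive":false,"ipAddress":"198.51.100.77","location":{"countryOrRegion":"NL"}}
{"createdDateTime":"2025-01-15T11:00:00Z","userPrincipalName":"sales.user@contoso.example","appDisplayName":"Microsoft Teams","appId":"00000000-0000-0000-0000-000000000001","isInteractive":false,"ipAddress":"203.0.113.90","location":{"countryOrRegion":"US"}}
"""


@dataclass(frozen=True)
class Finding:
    rule: str
    user: str
    ip: str
    when: str
    detail: str


def parse_signins(jsonl):
    """Parse JSON Lines into dicts, oldest first so correlation sees sign-ins in order."""
    records = [json.loads(line) for line in jsonl.splitlines() if line.strip()]
    return sorted(records, key=lambda r: r["createdDateTime"])


def _ts(record):
    return datetime.fromisoformat(record["createdDateTime"].replace("Z", "+00:00"))


def _country(record):
    return (record.get("location") or {}).get("countryOrRegion", "")


def is_azure_cli(record):
    return (record.get("appId") == AZURE_CLI_APP_ID
            or record.get("appDisplayName") == AZURE_CLI_APP_DISPLAY_NAME)


def triage(records, expected_cli_users=EXPECTED_CLI_USERS,
           expected_countries=EXPECTED_COUNTRIES, window=CORRELATION_WINDOW):
    """Return findings for the three checks; records must be in chronological order."""
    findings = []
    cli_interactive = {}  # user -> interactive Azure CLI sign-ins seen so far
    for r in records:
        user, ip, when = r.get("userPrincipalName", ""), r.get("ipAddress", ""), r.get("createdDateTime", "")
        country, interactive, cli = _country(r), bool(r.get("isInteractive")), is_azure_cli(r)

        # 1. Interactive Azure CLI sign-in by someone who has no reason to use the tool.
        if cli and interactive:
            cli_interactive.setdefault(user, []).append(r)
            if user not in expected_cli_users:
                findings.append(Finding("unexpected-azure-cli-interactive", user, ip, when, f"country={country}"))

        # 2. Non-interactive sign-in (token refresh/use) from outside the expected footprint.
        if not interactive and country and country not in expected_countries:
            findings.append(Finding("non-interactive-unexpected-geo", user, ip, when,
                                    f"app={r.get('appDisplayName')} country={country}"))

        # 3. The ConsentFix shape: the victim signs in interactively to Azure CLI, then the
        #    stolen tokens are used non-interactively from another country. Comparing
        #    countries rather than raw IPs keeps ordinary office/home IP changes quiet.
        if cli and not interactive:
            for prior in cli_interactive.get(user, []):
                if timedelta(0) <= _ts(r) - _ts(prior) <= window and _country(prior) != country:
                    findings.append(Finding("azure-cli-session-geo-mismatch", user, ip, when,
                                            f"interactive from {prior['ipAddress']} ({_country(prior)}) at "
                                            f"{prior['createdDateTime']}, token use from {ip} ({country})"))
                    break
    return findings


if __name__ == "__main__":
    for f in triage(parse_signins(SAMPLE_SIGNINS)):
        print(f"[{f.rule}] {f.when} {f.user} {f.ip} {f.detail}")
```

On the sample data the script reports three findings, all for the same user: the unexpected interactive Azure CLI sign-in, the non-interactive sign-in from NL, and the correlated geo mismatch between the two. Rule 3 is the one worth alerting on with high priority; rules 1 and 2 are noisier on their own and are best used to enrich it or to review as a daily digest. In a real deployment the allow-list should come from group membership rather than a literal set.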