Security researchers are warning about a new phishing technique that allows attackers to take over Microsoft accounts without stealing passwords or bypassing multi-factor authentication directly.
The attack, known as ConsentFix, exploits implicit trust in Microsoft’s Azure Command-Line Interface (CLI) and relies on subtle user interaction rather than malicious login pages.
This is a “… browser-native ClickFix attack that phishes an OAuth token on a target app by getting the victim to copy and paste a URL containing OAuth key material into a phishing page,” said Push Security researchers.
Who ConsentFix Targets
ConsentFix targets organizations that rely on Microsoft Entra ID, Microsoft 365, and Azure for identity and access management.
Because the attack leverages a first-party Microsoft application that cannot be blocked or removed, compromised accounts may go unnoticed until attackers begin abusing cloud resources or enumerating directory data.
Push Security reports that the campaign is active and selectively targets business users through search-engine poisoning and compromised websites.
By filtering victims based on corporate email addresses, attackers reduce noise and increase the likelihood of successful account takeover.
How the ConsentFix Attack Works
The attack begins when victims are redirected from Google Search results to malicious or compromised websites.
These sites display a fake Cloudflare Turnstile verification designed to look legitimate while collecting email addresses and filtering visitors.
If a user enters a personal email, the site prompts for a business address, ensuring only corporate accounts proceed.
Once a qualifying email is entered, victims are instructed to click a “Sign In” button. This opens a legitimate Microsoft login page in a new browser tab.
If the user is already authenticated, they simply select their account from a dropdown, completing the sign-in without entering credentials.
At this point Microsoft redirects the browser to a localhost URL, the loopback address the real Azure CLI listens on during a normal login, carrying an OAuth authorization code for the user's account. Nothing on the victim's machine is listening, so the page fails to load, but the full URL, code included, remains in the address bar.
The phishing page instructs the victim to copy that URL and paste it back into the original site, a seemingly harmless action that completes the OAuth flow.
By pasting the URL, the victim hands the attacker the authorization code, which the attacker redeems for tokens issued to the Azure CLI application in the victim's name.
Because Azure CLI is a trusted first-party application, the attacker never sees a password, MFA prompt or passkey challenge: the victim satisfied those controls during their earlier legitimate sign-in, and the tokens the attacker receives inherit that completed authentication.
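The sequence above, as an added worked example that is not code from the original article or from Push Security. It simulates the authorization code flow with PKCE offline: a stand-in identity provider issues a code bound to a PKCE challenge and redeems it only with the matching verifier. The client ID, redirect URI and user names are constructed placeholders, not real Microsoft values. The point it makes is that PKCE works as designed, yet does not help here, because the attacker, not the victim's CLI, began the flow and therefore holds the verifier; a bystander who merely sees the pasted code is refused.

```python
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed stand-ins for this example: the public client the attacker
# impersonates (the article names Azure CLI) and its loopback redirect URI.
# Neither value is a real Microsoft application ID or endpoint.
CLIENT_ID = "example-public-cli-client"
REDIRECT_URI = "http://localhost:8400/"


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_pkce_pair() -> tuple[str, str]:
    """Return (code_verifier, code_challenge) using the RFC 7636 S256 method."""
    verifier = b64url(secrets.token_bytes(32))
    challenge = b64url(hashlib.sha256(verifier.encode()).digest())
    return verifier, challenge


class FakeAuthorizationServer:
    """Minimal stand-in for the identity provider. It issues a single-use
    code bound to the PKCE challenge given at /authorize and redeems it only
    when /token presents the matching verifier, as a real server would."""

    def __init__(self):
        self._codes: dict[str, dict] = {}

    def authorize(self, client_id, redirect_uri, code_challenge, state, signed_in_user):
        # The victim is already signed in and merely picks an account, so no
        # credential or MFA prompt appears at this step.
        code = secrets.token_urlsafe(24)
        self._codes[code] = {
            "client_id": client_id,
            "redirect_uri": redirect_uri,
            "challenge": code_challenge,
            "user": signed_in_user,
        }
        return redirect_uri + "?" + urlencode({"code": code, "state": state})

    def token(self, client_id, code, code_verifier, redirect_uri):
        record = self._codes.pop(code, None)  # codes are single use
        if record is None:
            raise PermissionError("unknown or already redeemed code")
        if record["client_id"] != client_id or record["redirect_uri"] != redirect_uri:
            raise PermissionError("client or redirect_uri mismatch")
        if b64url(hashlib.sha256(code_verifier.encode()).digest()) != record["challenge"]:
            raise PermissionError("PKCE verifier does not match challenge")
        return {"access_token": "tok-" + secrets.token_hex(8), "sub": record["user"]}


def extract_code_from_pasted_url(pasted: str) -> str:
    """What the phishing page does with the URL the victim pastes back."""
    parsed = urlparse(pasted)
    if parsed.hostname not in ("localhost", "127.0.0.1"):
        raise ValueError("expected a loopback redirect URL")
    return parse_qs(parsed.query)["code"][0]


def run_consentfix_flow(idp, victim="victim@corp.example"):
    """Walk the article's sequence with the attacker holding the PKCE verifier."""
    # 1. Attacker generates the PKCE pair and state and builds the login link.
    verifier, challenge = make_pkce_pair()
    state = secrets.token_urlsafe(8)
    # 2. Victim's browser follows the link while already signed in; the IdP
    #    redirects to localhost with the code. Nothing is listening there, so
    #    the browser shows an error but the URL stays in the address bar.
    localhost_url = idp.authorize(CLIENT_ID, REDIRECT_URI, challenge, state, victim)
    # 3. Victim pastes that URL into the phishing page.
    code = extract_code_from_pasted_url(localhost_url)
    # 4. Attacker redeems the code. PKCE passes because the attacker, not the
    #    victim's CLI, started the flow and therefore holds the verifier.
    return idp.token(CLIENT_ID, code, verifier, REDIRECT_URI)


def bystander_cannot_redeem(idp, victim="victim@corp.example") -> bool:
    """Contrast case: a party that only observes the code but did not start
    the flow (so lacks the verifier) is refused. Returns True when refused."""
    _, challenge = make_pkce_pair()
    url = idp.authorize(CLIENT_ID, REDIRECT_URI, challenge, "s", victim)
    code = extract_code_from_pasted_url(url)
    other_verifier, _ = make_pkce_pair()
    try:
        idp.token(CLIENT_ID, code, other_verifier, REDIRECT_URI)
    except PermissionError:
        return True
    return False


if __name__ == "__main__":
    server = FakeAuthorizationServer()
    print(run_consentfix_flow(server))
    print("bystander refused:", bystander_cannot_redeem(server))
```

The redirect target, the loopback address, is what makes the copy-and-paste step necessary: a genuine CLI run has a listener on that port and never shows the user the URL, whereas the attacker's page cannot reach the victim's loopback interface and has to ask for it.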
How Attackers Abuse Azure CLI
Azure CLI is implicitly trusted within Microsoft Entra ID and exempt from standard OAuth consent restrictions applied to third-party applications.
It does not require administrative approval for permission grants and cannot be blocked or disabled by tenant administrators.
These design decisions make Azure CLI a powerful tool for legitimate administrators — and an ideal target for attackers.
Once access is established, adversaries can enumerate Microsoft Entra ID (formerly Azure Active Directory), access cloud resources, and potentially pivot to other systems without triggering immediate alerts.
The campaign further evades detection by using synchronized IP blocking, selective JavaScript loading, and conditional targeting based on visitor IP addresses.
These measures prevent security researchers and automated scanners from observing the full attack chain through simple URL analysis.
How to Defend Against ConsentFix
ConsentFix-style attacks highlight how identity workflows can be abused even when strong authentication controls are in place.
Defending against these techniques requires deeper visibility into OAuth consent, token usage, and administrative access paths.
- Monitor Azure CLI authentication events and treat unexpected interactive CLI logins as suspicious activity.
- Enable and regularly review AADGraphActivityLogs to detect abnormal directory enumeration and non-interactive logins.
- Restrict what Azure CLI sessions can reach with role-based access control (RBAC): a hijacked session inherits the victim's roles, so limit Azure roles to the administrators and developers who genuinely need them.
- Lock down OAuth app consent by requiring admin approval and regularly reviewing granted application permissions; this does not stop the first-party Azure CLI flow described here, but it closes the equivalent path through third-party apps.
- Apply Conditional Access and identity threat detection to OAuth tokens, including device, location, and risk-based controls.
- Reduce exposure by minimizing token lifetimes, enforcing least privilege on API permissions, and performing regular access reviews.
Taken together, these steps help organizations improve visibility into identity activity and reduce the risk of OAuth-based abuse.
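The first of the monitoring steps above, as an added example that is not code from the article or from Push Security. It runs a simple check over constructed sign-in records shaped like Microsoft Entra ID sign-in log entries and flags Azure CLI sign-ins by users not on an approved list or from outside corporate address ranges. The application ID used is the published Azure CLI first-party app ID; confirm it against your own tenant's logs before alerting on it. The approved-user list, the corporate network range and the sample records are all assumptions made for the example. In practice the same logic would be a query against the SigninLogs table; Python is used here so it runs offline.

```python
import ipaddress
import json

# Published application ID of the Azure CLI first-party app. Treat it as an
# assumption to confirm against your tenant's sign-in logs (appDisplayName
# "Microsoft Azure CLI") before building alerts on it.
AZURE_CLI_APP_ID = "04b07795-8ddb-461a-bbee-02f9e1bf7b46"

# Assumed tenant policy for this example: who may use the CLI, and from where.
APPROVED_CLI_USERS = {"admin@corp.example", "dev@corp.example"}
CORPORATE_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]  # documentation range

# Constructed sample records in the shape of Entra ID sign-in log entries,
# reduced to the fields this check reads. IP addresses are documentation ranges.
SAMPLE_SIGNIN_LOG = """
{"createdDateTime": "2025-01-15T09:02:11Z", "userPrincipalName": "admin@corp.example", "appId": "04b07795-8ddb-461a-bbee-02f9e1bf7b46", "appDisplayName": "Microsoft Azure CLI", "ipAddress": "203.0.113.20", "isInteractive": true}
{"createdDateTime": "2025-01-15T09:14:47Z", "userPrincipalName": "victim@corp.example", "appId": "04b07795-8ddb-461a-bbee-02f9e1bf7b46", "appDisplayName": "Microsoft Azure CLI", "ipAddress": "198.51.100.7", "isInteractive": true}
{"createdDateTime": "2025-01-15T09:15:02Z", "userPrincipalName": "victim@corp.example", "appId": "00000000-0000-0000-0000-000000000001", "appDisplayName": "Some Web App", "ipAddress": "198.51.100.7", "isInteractive": true}
{"createdDateTime": "2025-01-15T10:30:00Z", "userPrincipalName": "dev@corp.example", "appId": "04b07795-8ddb-461a-bbee-02f9e1bf7b46", "appDisplayName": "Microsoft Azure CLI", "ipAddress": "198.51.100.9", "isInteractive": true}
{"createdDateTime": "2025-01-15T10:41:13Z", "userPrincipalName": "victim@corp.example", "appId": "04b07795-8ddb-461a-bbee-02f9e1bf7b46", "appDisplayName": "Microsoft Azure CLI", "ipAddress": "198.51.100.7", "isInteractive": false}
"""


def parse_signin_log(text: str) -> list[dict]:
    """One JSON object per line; blank lines are ignored."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def is_corporate_ip(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CORPORATE_NETWORKS)


def assess_cli_signin(event: dict) -> list[str]:
    """Return the reasons an Azure CLI sign-in looks unexpected; empty when
    the event is not an Azure CLI sign-in or matches policy."""
    reasons = []
    if event.get("appId") != AZURE_CLI_APP_ID:
        return reasons
    if event["userPrincipalName"] not in APPROVED_CLI_USERS:
        reasons.append("user not approved for Azure CLI")
    if not is_corporate_ip(event["ipAddress"]):
        reasons.append("sign-in from outside corporate networks")
    return reasons


def find_suspicious_cli_signins(events: list[dict]) -> list[dict]:
    """Collect flagged Azure CLI sign-ins. Interactive ones are the initial
    token grant the article describes; non-interactive ones from the same
    user and address are the follow-on use of that grant."""
    findings = []
    for event in events:
        reasons = assess_cli_signin(event)
        if reasons:
            findings.append({
                "time": event["createdDateTime"],
                "user": event["userPrincipalName"],
                "ip": event["ipAddress"],
                "interactive": event["isInteractive"],
                "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for finding in find_suspicious_cli_signins(parse_signin_log(SAMPLE_SIGNIN_LOG)):
        kind = "interactive" if finding["interactive"] else "non-interactive"
        print(f'{finding["time"]} {finding["user"]} {finding["ip"]} ({kind}): '
              + "; ".join(finding["reasons"]))
```

On the sample data the admin's on-network CLI sign-in and the web-app sign-in pass, the victim's interactive CLI sign-in from an outside address is flagged on both counts, the developer's off-network sign-in is flagged on the address alone, and the victim's later non-interactive CLI sign-in shows the redeemed token being used. A real deployment would replace the static allowlist with a per-user baseline of prior CLI use and correlate with the directory enumeration signals the following bullet describes.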
Shifting Tactics in Identity Attacks
ConsentFix reflects a broader shift in identity-based attacks, where adversaries abuse trusted applications and convenience-driven workflows instead of directly stealing credentials.
As cloud identity platforms increasingly centralize access to enterprise systems, OAuth permissions and first-party tools have become attractive targets due to their broad access and often lower levels of scrutiny.
This shift underscores the importance of zero-trust principles, which assume no implicit trust and continuously verify access across identities, applications, and workflows.
