ConsentFix Attack Lets Hackers Take Over Microsoft Accounts via Azure CLI
The attack bypasses both password requirements and multi-factor authentication (MFA) protections, representing a dangerous evolution in cloud-focused threat tactics.
ConsentFix operates entirely in the browser context, leveraging OAuth token manipulation rather than traditional credential theft.
The attackers target victims via malicious links in Google Search results that point to compromised legitimate websites with high domain reputation.
This delivery method effectively bypasses conventional email-based anti-phishing controls that organizations typically deploy.
The campaign uses a sophisticated multi-stage workflow. Initially, victims encounter a fake Cloudflare Turnstile CAPTCHA designed to filter targets and verify email addresses against approved target lists.
The infrastructure implements IP-based blocking across all domains, preventing security researchers from accessing the phishing infrastructure and limiting exposure to unauthorized individuals.
Once victims pass the initial verification, they are directed to legitimate Microsoft login pages. If users maintain active Microsoft sessions, they can authenticate without entering credentials.
The critical exploitation phase occurs when victims are redirected to a localhost URL containing an OAuth authorization code.
Through social engineering, attackers trick victims into copying and pasting this URL into a phishing page. This establishes an OAuth connection between the victim’s Microsoft account and the attacker’s Azure CLI instance, granting full account access without compromising passwords or triggering MFA alerts.
Azure CLI is an ideal attack vector because it is a first-party Microsoft application implicitly trusted across all Entra ID tenants.
Unlike third-party applications, which are subject to strict consent policies and can be deleted or blocked, Azure CLI cannot be revoked and automatically receives special permissions, including tenant-wide service permissions, legacy graph scopes, and Office administrator function access.
This inherent trust significantly amplifies the effectiveness of attacks compared to third-party application phishing campaigns.
The campaign employs advanced evasion techniques, including synchronized IP blocking, conditional JavaScript loading based on user identifiers, and selective targeting mechanisms that render traditional URL-based detection largely ineffective.
Researchers identified phishing domains, including trustpointassurance.com, fastwaycheck.com, and previewcentral.com, whose IP addresses originated in the United States and Indonesia.
Microsoft logs indicate that Azure CLI exploitation generates distinct login events with suspicious resource access patterns, particularly for Windows Azure Active Directory and Microsoft Intune resources accessed from anomalous IP addresses.
Organizations should implement enhanced monitoring of these indicators and conduct user education on the inherent risks of OAuth consent in browser-based attacks targeting cloud authentication systems.
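As an added defensive illustration (not code from the article or from Microsoft), the following Python flags the pattern the article describes: Azure CLI sign-ins to Windows Azure Active Directory or Microsoft Intune from IP addresses outside known corporate ranges. The sign-in records, the field names and the corporate IP ranges are constructed assumptions modelled on the Entra sign-in log schema.

```python
import ipaddress
from collections import defaultdict

# Constructed sample sign-in records (not real telemetry). Field names are
# assumed to follow the Entra sign-in log schema.
SAMPLE_SIGNINS = [
    {"userPrincipalName": "alice@example.com", "appDisplayName": "Microsoft Azure CLI",
     "resourceDisplayName": "Windows Azure Active Directory", "ipAddress": "203.0.113.10"},
    {"userPrincipalName": "alice@example.com", "appDisplayName": "Microsoft Azure CLI",
     "resourceDisplayName": "Microsoft Intune", "ipAddress": "203.0.113.10"},
    {"userPrincipalName": "bob@example.com", "appDisplayName": "Microsoft Azure CLI",
     "resourceDisplayName": "Windows Azure Active Directory", "ipAddress": "10.20.0.5"},
    {"userPrincipalName": "carol@example.com", "appDisplayName": "OfficeHome",
     "resourceDisplayName": "Microsoft Graph", "ipAddress": "203.0.113.10"},
]

# Assumed corporate egress ranges; anything outside them counts as anomalous here.
KNOWN_RANGES = [ipaddress.ip_network("10.0.0.0/8"),
                ipaddress.ip_network("198.51.100.0/24")]

# Resources the article names as indicators when reached via Azure CLI.
SENSITIVE_RESOURCES = {"Windows Azure Active Directory", "Microsoft Intune"}
AZURE_CLI_APP = "Microsoft Azure CLI"  # assumed appDisplayName of the first-party client


def is_known_ip(ip):
    """True if ip falls inside a known corporate range; unparseable values are treated as unknown."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in KNOWN_RANGES)


def find_suspicious_cli_signins(signins):
    """Map each user to the (resource, ip) pairs where Azure CLI reached a sensitive
    resource from an IP outside the known ranges."""
    hits = defaultdict(set)
    for rec in signins:
        if rec.get("appDisplayName") != AZURE_CLI_APP:
            continue
        if rec.get("resourceDisplayName") not in SENSITIVE_RESOURCES:
            continue
        if is_known_ip(rec.get("ipAddress", "")):
            continue
        hits[rec["userPrincipalName"]].add((rec["resourceDisplayName"], rec["ipAddress"]))
    return {upn: sorted(pairs) for upn, pairs in hits.items()}


if __name__ == "__main__":
    for upn, events in find_suspicious_cli_signins(SAMPLE_SIGNINS).items():
        print(f"review Azure CLI activity for {upn}: {events}")
```

In production the same logic would run over exported sign-in logs, with the IP ranges and the user's historical locations replacing the fixed list.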
The post ConsentFix Attack Lets Hackers Take Over Microsoft Accounts via Azure CLI appeared first on Cyber Security News.