A new attack framework dubbed ConsentFix v3 has been circulating on underground cybercriminal forums, building on earlier OAuth consent phishing techniques with automation and scaling capabilities designed to compromise Microsoft Azure and Microsoft 365 accounts without ever stealing a password.
The OAuth Consent Phishing Baseline
ConsentFix exploits the legitimate OAuth 2.0 consent flow that Microsoft Azure uses to grant third-party applications access to user data. In a standard attack:
- The attacker registers a malicious application in Azure.
- A phishing email or message directs the target to a convincing Microsoft consent prompt.
- The victim clicks "Accept," unknowingly granting the app delegated access to their mailbox, OneDrive, Teams, SharePoint, or other Microsoft 365 resources.
- Because the access token is issued through Microsoft's own consent flow, MFA never stands in the attacker's way: the victim signs in normally (completing MFA if it is enforced) and the token is issued to the attacker's app, so there is no credential theft and no attacker-side login to flag.
This class of attack is particularly insidious because it abuses a normal, expected identity workflow. Detection tooling that looks for anomalous sign-ins often misses OAuth token abuse, because the only sign-in in the chain is the victim's own legitimate one, and users have little reason to suspect a consent dialog presented in the context of a familiar Microsoft page.
What ConsentFix v3 Adds
Earlier ConsentFix variants required manual application registration and link crafting, limiting the scale at which an attacker could run campaigns. Version 3 removes those bottlenecks with several new capabilities:
- Automated app registration at scale: Scripts that programmatically register large numbers of Azure applications with varying permission scopes, reducing the manual overhead of each campaign.
- Mass consent URL generation: Automatic generation of tenant-specific OAuth consent links tailored to individual phishing targets, increasing the likelihood of successful authorization.
- Token harvest dashboard: A web-based management interface for collecting, organizing, and exploiting harvested access tokens — allowing operators to rapidly enumerate accessible resources across compromised accounts.
- Legitimacy spoofing: Modules that configure malicious apps to appear as well-known software vendors or internal enterprise tools, reducing the visual red flags that might cause a security-aware user to reject the consent prompt.
The automation substantially lowers the skill threshold required to run a large-scale Azure compromise campaign, potentially extending this attack surface to a broader class of less-sophisticated threat actors.
Who Is Exposed
Any Microsoft 365 or Azure tenant that permits users to consent to third-party application permissions without administrator approval is at risk. Notably, the attack works regardless of MFA configuration: the attacker never obtains the user's credentials and never performs a sign-in of their own, so no login event points back to them.
Organizations with permissive user consent settings are especially exposed. By default, many Azure tenants allow users to grant applications permissions classified as low-risk without requiring administrator review, and ConsentFix campaigns specifically target permission scopes that fall within that category while still enabling meaningful data access.
Defense and Mitigation
Microsoft recommends the following controls to reduce OAuth consent abuse risk:
Restrict user consent permissions. In Microsoft Entra ID (formerly Azure AD), navigate to Enterprise Applications > Consent and permissions and set the user consent policy to require admin approval, or restrict consent to apps from verified publishers only.
Enable the admin consent workflow. Rather than blocking all third-party app consent, configure the workflow that allows users to request consent and routes approvals to designated administrators for review.
Audit existing OAuth grants. Regularly review granted permissions in the Entra ID Enterprise Applications portal. Flag applications with broad scopes (mail read/write, files, contacts) that were granted by individual users rather than admins. Revoke permissions for unrecognized or high-risk applications.
Deploy Microsoft Defender for Cloud Apps. Enable OAuth app policies to detect newly consented applications with high-risk permission sets and alert or automatically revoke them.
Apply Conditional Access policies. Restrict which applications can access organizational data based on device compliance, location, and other signals.
Organizations should also consider running a retroactive audit to identify whether ConsentFix v3 or similar OAuth abuse has already occurred — look for unfamiliar Enterprise Applications with user-consented permissions to sensitive scopes.
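The "Audit existing OAuth grants" control above and this retroactive audit both come down to the same question: which grants were consented by individual users and carry mailbox, file, contact or site scopes? In Microsoft Graph each grant is an oauth2PermissionGrants object whose consentType is "Principal" for a user consent and "AllPrincipals" for an admin consent, with the delegated scopes in a space-separated "scope" string. The script below, an added example that is not from the article or from Microsoft, applies that triage to records of that shape; the sample records, the scope patterns and the client identifiers are constructed for illustration.

```python
"""Flag user-consented OAuth grants that carry broad delegated scopes.
Input records are shaped like Microsoft Graph /oauth2PermissionGrants objects."""
import re
from typing import Dict, Iterable, List

# Scope families the article singles out: mail read/write, files, contacts,
# plus SharePoint sites. Each entry of the space-separated "scope" string is tested.
RISKY_SCOPE_PATTERNS = [
    re.compile(r"^Mail\.(Read|ReadWrite|Send)(\.Shared)?$"),
    re.compile(r"^Files\.(Read|ReadWrite)(\.All)?$"),
    re.compile(r"^Contacts\.(Read|ReadWrite)$"),
    re.compile(r"^Sites\.(Read|ReadWrite)\.All$"),
]

def risky_scopes(scope_field: str) -> List[str]:
    """Return the entries of a Graph 'scope' string matching a risky pattern."""
    return [s for s in scope_field.split()
            if any(p.match(s) for p in RISKY_SCOPE_PATTERNS)]

def flag_risky_grants(grants: Iterable[Dict]) -> List[Dict]:
    """Return grants consented by an individual user (consentType "Principal")
    whose scopes include mail, file, contact or site access. Admin-consented
    grants ("AllPrincipals") passed an approval step and are not flagged here."""
    findings = []
    for g in grants:
        if g.get("consentType") != "Principal":
            continue
        hits = risky_scopes(g.get("scope", ""))
        if hits:
            findings.append({"grantId": g["id"], "clientId": g["clientId"],
                             "principalId": g.get("principalId"), "riskyScopes": hits})
    return findings

# Constructed sample records (not real tenant identifiers): one user consent with
# mailbox and file scopes, one admin consent, and one harmless user consent.
SAMPLE_GRANTS = [
    {"id": "g1", "clientId": "sp-mailsync", "consentType": "Principal", "principalId": "u-alice",
     "resourceId": "sp-graph", "scope": "User.Read offline_access Mail.ReadWrite Files.ReadWrite.All"},
    {"id": "g2", "clientId": "sp-crm", "consentType": "AllPrincipals", "principalId": None,
     "resourceId": "sp-graph", "scope": "User.Read Contacts.Read"},
    {"id": "g3", "clientId": "sp-notes", "consentType": "Principal", "principalId": "u-bob",
     "resourceId": "sp-graph", "scope": "User.Read openid profile"},
]

if __name__ == "__main__":
    for finding in flag_risky_grants(SAMPLE_GRANTS):
        print(finding)
```

Each finding's clientId is the service principal of the consenting app, which is what you look up in the Enterprise Applications blade before deciding whether to revoke the grant.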