A third-generation OAuth phishing toolkit called ConsentFix has been observed circulating on cybercriminal forums, substantially automating the Azure AD / Entra ID consent flow abuse technique that allows attackers to obtain persistent, MFA-bypassing access to Microsoft 365 environments. The platform’s latest iteration integrates Pipedream workflow automation to scale tenant enumeration, consent phishing delivery, and token exfiltration — reducing what was previously a manual, technically demanding attack to an operationally accessible campaign tool.
How OAuth Consent Flow Abuse Works
Microsoft 365 and Entra ID allow users to grant third-party applications access to their accounts via the OAuth 2.0 authorisation code flow. When a user clicks “Accept” on an application consent request, that application receives an OAuth access token scoped to the permissions requested — regardless of whether the user authenticated via MFA. The MFA bypass is not a vulnerability: it is the intended design of OAuth delegation. The attack exploits the trust users place in what appear to be legitimate application consent screens.
Previous ConsentFix iterations required manual setup per target tenant: registering a malicious application in a separate tenant, constructing the phishing URL, and handling token capture manually. ConsentFix v3 removes these friction points via Pipedream automation: the platform handles application registration across multiple attacker-controlled tenants, generates phishing lure URLs, tracks which targets have completed the consent flow, and collects OAuth tokens in a centralised panel accessible via a web interface.
What an Attacker Gains
The permissions ConsentFix v3 typically requests are designed to maximise persistence and data access while remaining below the threshold that prompts admin consent requirements:
- Mail.Read / Mail.ReadWrite: Full read access to the victim’s email — including historical email, enabling retrospective intelligence gathering
- Files.Read.All: Access to SharePoint and OneDrive content scoped to the consenting user
- Calendars.Read: Meeting schedules and attendee information (useful for business email compromise research)
- offline_access: The token refresh mechanism that keeps access alive indefinitely — tokens can remain valid for months after the initial consent event
Critically, revoking MFA credentials or rotating a user’s password does not invalidate OAuth access tokens unless the token is explicitly revoked in Entra ID. An organisation that investigates a compromise, resets the affected user’s password, and considers the incident resolved may still have an attacker with active OAuth access.
Enterprise Exposure
Microsoft 365 is deployed across virtually all large enterprise environments. The ConsentFix attack surface exists wherever:
- Users can register applications or consent to third-party application requests without admin approval
- Conditional access policies do not restrict which OAuth applications can receive tokens
- OAuth token lifecycle monitoring is not in place — issued tokens persist invisibly unless audited
Many organisations allow user-level consent for low-permission applications (a common default) and lack monitoring for unusual OAuth application registrations or consent events in their Entra ID audit logs.
Detection and Defence
Restrict OAuth consent to approved applications only: In Entra ID → Enterprise Applications → User Settings, set “Users can consent to apps accessing company data on their behalf” to No. Route all app consent requests through admin approval workflows. This is the most effective single control.
Enable Entra ID audit log alerting for consent grants: Configure alerts for Consent to application events in the Entra ID audit log, particularly for applications registered outside your tenant. Review all consent events from the past 90 days.
Revoke suspicious OAuth tokens actively: In Entra ID, review active OAuth grants via the “App registrations” and “Enterprise applications” panels, filtering for applications with offline_access and broad mail/file scopes registered recently. Revoke suspicious grants immediately.
Review conditional access policies for app-based conditions: Microsoft’s Conditional Access now supports application filter conditions — you can restrict which registered applications can receive access tokens. Enforcing this alongside admin-approved app lists reduces the attack surface.
Audit user consent history: Run the Get-MgUserOauth2PermissionGrant PowerShell cmdlet across your user base to enumerate existing OAuth grants. This is often the fastest way to identify pre-existing compromises from earlier ConsentFix campaigns.
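The grant-review and consent-audit steps above can be turned into a repeatable triage over an export of existing grants. The following is an added example, not code from the article or any Microsoft tool: it walks constructed records shaped like Microsoft Graph oauth2PermissionGrant and servicePrincipal objects (the same data Get-MgUserOauth2PermissionGrant returns), flags grants that pair offline_access with the broad mail/file/calendar scopes listed earlier, and ranks them by the indicators the article says to filter on (app owned by another tenant, recently registered, consented by an individual user). Tenant ids, app names and object ids are placeholders.

```python
"""Triage exported OAuth2 permission grants for ConsentFix-style consent abuse."""
from datetime import datetime, timedelta, timezone

OWN_TENANT = "11111111-1111-1111-1111-111111111111"  # placeholder for the defender's tenant id
# Delegated scopes the article lists as the toolkit's typical requests.
BROAD_SCOPES = {"Mail.Read", "Mail.ReadWrite", "Files.Read.All", "Calendars.Read"}
NOW = datetime(2025, 3, 20, tzinfo=timezone.utc)  # constructed "current time" for the sample run

# Constructed servicePrincipal export, keyed by object id (what a grant's clientId points at).
SERVICE_PRINCIPALS = {
    "sp-aaa": {"displayName": "Contoso Expense Sync", "appOwnerOrganizationId": OWN_TENANT,
               "createdDateTime": "2023-01-10T09:00:00Z"},
    "sp-bbb": {"displayName": "Mailbox Security Update",
               "appOwnerOrganizationId": "22222222-2222-2222-2222-222222222222",
               "createdDateTime": "2025-03-01T14:22:00Z"},
}
# Constructed oauth2PermissionGrant export; consentType "Principal" means one user consented.
GRANTS = [
    {"id": "g1", "clientId": "sp-aaa", "consentType": "AllPrincipals", "principalId": None,
     "scope": "User.Read Calendars.Read"},
    {"id": "g2", "clientId": "sp-bbb", "consentType": "Principal", "principalId": "user-1",
     "scope": "openid profile offline_access Mail.ReadWrite Files.Read.All"},
    {"id": "g3", "clientId": "sp-aaa", "consentType": "Principal", "principalId": "user-2",
     "scope": "offline_access Mail.Read"},
]

def _parse_utc(ts):
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))

def triage_grants(grants, service_principals, own_tenant, now, recent_days=90):
    """Flag grants combining offline_access with a broad scope, attach risk indicators,
    and return them highest-indicator-count first so the likeliest abuse leads."""
    findings = []
    for g in grants:
        scopes = set(g["scope"].split())
        broad = sorted(scopes & BROAD_SCOPES)
        if "offline_access" not in scopes or not broad:
            continue  # refresh-token persistence plus data access is the pattern of interest
        sp = service_principals.get(g["clientId"], {})  # unknown client => treated as foreign
        indicators = set()
        if sp.get("appOwnerOrganizationId") != own_tenant:
            indicators.add("foreign_owner")  # app registered outside our tenant
        if "createdDateTime" in sp and now - _parse_utc(sp["createdDateTime"]) <= timedelta(days=recent_days):
            indicators.add("recent_registration")
        if g["consentType"] == "Principal":
            indicators.add("user_consent")  # consent scoped to one user, typical of user-level consent
        findings.append({"grant_id": g["id"], "app": sp.get("displayName", g["clientId"]),
                         "principal": g["principalId"], "scopes": broad, "indicators": indicators})
    return sorted(findings, key=lambda f: -len(f["indicators"]))

def run_sample():
    """Run the triage over the constructed export above."""
    return triage_grants(GRANTS, SERVICE_PRINCIPALS, OWN_TENANT, NOW)
```

On a real tenant, replace the two constructed dictionaries with the exported grants and service principals, and treat a finding with all three indicators as the first candidate for revocation and audit-log review.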
The ConsentFix toolkit family has been in active development for over a year, each iteration lowering the operational barrier to MFA-bypassing identity compromise. The v3 release shifts this from a targeted intrusion technique to a mass-scale phishing campaign capability — the Pipedream automation means a single attacker can now run ConsentFix campaigns at a scale previously requiring significant manual effort or team coordination.