# ConsentFix v3: How Attackers Are Automating Azure OAuth Compromise at Scale


A sophisticated attack campaign dubbed ConsentFix v3 is leveraging automated techniques to abuse OAuth consent flows in Microsoft Azure environments, marking a significant escalation in cloud-targeted threats. The campaign uses a combination of compromised credentials, automated exploitation tools, and consent-based phishing to gain persistent access to organizational cloud infrastructure without triggering traditional security alerts.


Security researchers have identified the attack as particularly dangerous because it exploits the trust mechanisms built into Azure's OAuth authentication system—mechanisms that are typically considered security best practices.


## The Threat: How ConsentFix v3 Works


ConsentFix v3 represents the third iteration of a family of attacks that weaponize Azure's OAuth consent framework. The attack chain typically unfolds as follows:


Initial Access:

  • Attackers obtain Azure user credentials through phishing, credential stuffing, or leaked credentials from other breaches
  • Credentials often target accounts with higher privilege levels or less-monitored activity patterns

Automated OAuth Exploitation:

  • Once initial access is gained, ConsentFix v3 deploys automated scripts that systematically scan for installed applications and integrations within the target Azure tenant
  • The malicious scripts identify applications that lack proper consent verification or have overly permissive scopes
  • Attackers create rogue applications disguised as legitimate Microsoft services or common third-party integrations

Persistent Access via Consent Abuse:

  • Rather than stealing tokens directly, ConsentFix v3 manipulates users into granting consent to malicious applications
  • These applications are often designed to mimic legitimate updates, security tools, or productivity services
  • Once consent is granted, the attacker gains OAuth tokens that provide sustained access to Azure resources—including Exchange Online, SharePoint, Teams, and other critical services

Evasion Mechanisms:

  • The attack uses legitimate-looking redirect URIs and application names
  • Consent requests often target non-security-conscious users or those in high-volume environments where they're less likely to be scrutinized
  • The automated nature allows attackers to quickly pivot to high-value targets once initial footholds are established

## Background and Context: Why OAuth Is Under Attack


OAuth 2.0 is the industry standard for delegated authentication and authorization. It was designed to allow users to grant applications access to their data without sharing passwords. However, this design, a strength in normal circumstances, becomes a vulnerability when attackers can manipulate the consent process.


Azure's OAuth Ecosystem:

  • Microsoft Azure hosts millions of applications across thousands of organizations
  • Enterprise tenants often have dozens or hundreds of third-party applications with varying levels of vetting
  • The consent flow is designed to be user-friendly, which can sometimes override security vigilance

Why Attackers Target OAuth:

  • OAuth tokens bypass traditional perimeter security measures
  • Once granted, consent-based access is extremely difficult to detect or revoke at scale
  • The attack is invisible to many security monitoring tools that focus on network traffic rather than API authentication
  • Unlike password theft, compromised OAuth tokens don't require repeated re-authentication or raise immediate account lockout alerts

This represents a fundamental shift in cloud attack strategies. Rather than compromising systems through infrastructure vulnerabilities, modern adversaries are exploiting trust and authentication mechanisms.


## Technical Details: The ConsentFix v3 Automation


Reconnaissance Phase:

The attack begins with reconnaissance scripts that enumerate the target Azure tenant:

  • Graph API queries to identify installed applications and their permission scopes
  • Analysis of user activity patterns to identify high-value targets or overly permissive environments
  • Mapping of administrative roles and security group memberships

Application Crafting:

Malicious applications are created with:

  • Spoofed display names matching legitimate Microsoft services or well-known third-party tools
  • Rewritten redirect URIs that appear official but actually send tokens to attacker-controlled infrastructure
  • Requested OAuth scopes designed for maximum access with minimal suspicion (e.g., "User.Read", which appears innocuous on its own but can be chained with other permissions)
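The three crafting signals listed above (brand-like display names, redirect URIs pointing off-tenant, and over-broad scopes) are exactly what a defender can audit an existing tenant for, which is also what the "Audit consented applications" recommendation later in this article asks for. The script below is an added example rather than anything from the original article: it scores each service principal in an exported inventory against those signals. Field names follow Microsoft Graph's `servicePrincipal` and `oAuth2PermissionGrant` resources, but the records, the redirect-host allowlist, the brand-word list and the high-risk scope list are constructed for the example.

```python
"""Offline audit of consented applications: scores each service principal on
lookalike naming, redirect-URI hosts, and the scopes it has been granted.
Sample objects are constructed; field names follow the Microsoft Graph
servicePrincipal and oAuth2PermissionGrant resources."""
from urllib.parse import urlparse

# Delegated scopes that give an app durable or broad access (illustrative list).
HIGH_RISK_SCOPES = {
    "offline_access", "Mail.Read", "Mail.ReadWrite", "Mail.Send",
    "Files.ReadWrite.All", "Sites.ReadWrite.All", "Directory.ReadWrite.All",
}
# Brand words an app from an unverified publisher has no business carrying.
BRAND_WORDS = ("microsoft", "office 365", "azure", "teams", "sharepoint")
# Redirect-URI hosts the organisation expects (assumed allowlist for the example).
ALLOWED_REDIRECT_HOSTS = {"login.microsoftonline.com", "contoso.example"}

# Constructed sample data in the shape of GET /servicePrincipals.
SERVICE_PRINCIPALS = [
    {
        "id": "sp-0001",
        "displayName": "Microsoft Teams Security Add-in",
        "verifiedPublisher": {"displayName": None, "verifiedPublisherId": None},
        "replyUrls": ["https://login.microsoft-secure-update.example/callback"],
    },
    {
        "id": "sp-0002",
        "displayName": "Contoso Expense Tracker",
        "verifiedPublisher": {"displayName": "Contoso Ltd", "verifiedPublisherId": "pub-42"},
        "replyUrls": ["https://expenses.contoso.example/auth/redirect"],
    },
]
# Constructed sample data in the shape of GET /oauth2PermissionGrants.
PERMISSION_GRANTS = [
    {"clientId": "sp-0001", "consentType": "Principal", "principalId": "u-17",
     "scope": "User.Read offline_access Mail.Read"},
    {"clientId": "sp-0002", "consentType": "AllPrincipals", "principalId": None,
     "scope": "User.Read"},
]


def host_allowed(url):
    """True when the redirect host is an allowlisted host or a subdomain of one."""
    host = (urlparse(url).hostname or "").lower()
    return any(host == h or host.endswith("." + h) for h in ALLOWED_REDIRECT_HOSTS)


def audit_service_principal(sp, grants):
    """Return (score, reasons) for one service principal given its grants."""
    reasons = []
    name = sp["displayName"].lower()
    verified = bool((sp.get("verifiedPublisher") or {}).get("verifiedPublisherId"))
    if any(word in name for word in BRAND_WORDS) and not verified:
        reasons.append("brand-like display name from an unverified publisher")
    bad_hosts = [u for u in sp.get("replyUrls", []) if not host_allowed(u)]
    if bad_hosts:
        reasons.append("redirect URI outside allowlist: " + ", ".join(bad_hosts))
    scopes = set()
    for g in grants:
        scopes.update(g["scope"].split())
    risky = sorted(scopes & HIGH_RISK_SCOPES)
    if risky:
        reasons.append("high-risk scopes granted: " + " ".join(risky))
    if risky and any(g["consentType"] == "Principal" for g in grants):
        reasons.append("risky scopes granted by user consent rather than admin consent")
    return len(reasons), reasons


def audit_tenant(service_principals, permission_grants, threshold=2):
    """Return {sp id: finding} for every principal scoring at or above threshold."""
    by_client = {}
    for g in permission_grants:
        by_client.setdefault(g["clientId"], []).append(g)
    findings = {}
    for sp in service_principals:
        score, reasons = audit_service_principal(sp, by_client.get(sp["id"], []))
        if score >= threshold:
            findings[sp["id"]] = {"displayName": sp["displayName"],
                                  "score": score, "reasons": reasons}
    return findings


if __name__ == "__main__":
    for sp_id, f in audit_tenant(SERVICE_PRINCIPALS, PERMISSION_GRANTS).items():
        print(sp_id, f["displayName"], "score", f["score"])
        for r in f["reasons"]:
            print("  -", r)
```

Run against a real export, the two lists would come from paged `GET /servicePrincipals` and `GET /oauth2PermissionGrants` calls; the threshold of two signals keeps a verified-publisher app with a single broad scope out of the report while the lookalike app with an off-tenant redirect URI scores on every check.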

Consent Manipulation:

The automation includes several techniques:

  • Targeted phishing: Sends consent prompts to specific users identified as less likely to question authorization requests
  • Scope creep: Requests appear to ask for limited access but grant tokens with broader permissions
  • Timing-based attacks: Sends consent prompts during high-activity periods when users are less likely to review carefully
  • Believable error messages: Some variants simulate Azure warnings or IT alerts to create urgency

Persistence and Exfiltration:

Once consent is granted:

  • Attacker-controlled applications receive refresh tokens that maintain access for weeks or months
  • Access tokens are used to query sensitive data (email, documents, user lists)
  • Applications can be used as a relay point for further lateral movement within the tenant
  • Multi-factor authentication (MFA) is bypassed entirely because the consent-based access is legitimate from OAuth's perspective

## Implications for Organizations


Scale of the Threat:

Organizations using Azure are particularly vulnerable if they:

  • Have not implemented strict application consent policies
  • Rely primarily on password-based authentication without robust MFA
  • Lack comprehensive logging and alerting on OAuth token issuance
  • Permit users to install arbitrary applications from the Microsoft Store or third-party galleries

Business Impact:

  • Data exfiltration: Attackers gain access to email, documents, and shared resources
  • Compliance violations: Unauthorized access to regulated data (HIPAA, GDPR, CCPA) can trigger reporting requirements
  • Reputational damage: Breach disclosure erodes customer trust
  • Lateral movement: Compromised tokens can be used to access connected systems and services
  • Regulatory fines: Some organizations face significant penalties for inadequate OAuth security controls

Detection Challenges:

ConsentFix v3 is particularly difficult to detect because:

  • OAuth token usage looks identical to legitimate application access
  • Standard SIEM tools may not flag application creation or consent grants
  • Many organizations lack detailed logging of OAuth events
  • The attack doesn't trigger network-based security signatures
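Consent grants do leave a trail even when no network signature fires: the Azure AD (Entra ID) directory audit log records both the registration of a service principal and the consent granted to it. The script below is an added example, not part of the original article. It correlates "Add service principal" and "Consent to application" events so that user consent given to an application registered minutes earlier stands out, and weights each grant by the scopes it carries. The event records are constructed, with field names taken from the Graph `auditLogs/directoryAudits` resource; the high-risk scope list, the 24-hour window and the scoring threshold are assumptions.

```python
"""Correlate Entra ID directory-audit events so that user consent granted to a
freshly registered application stands out. Records are constructed for the
example; field names follow the Microsoft Graph auditLogs/directoryAudits
resource (activityDisplayName, targetResources, modifiedProperties)."""
import re
from datetime import datetime, timedelta, timezone

# Delegated scopes that give an app durable or broad access (illustrative list).
HIGH_RISK_SCOPES = {"offline_access", "Mail.Read", "Mail.ReadWrite",
                    "Files.ReadWrite.All", "Directory.ReadWrite.All"}

# Constructed sample events: a lookalike app registered and consented to within
# minutes, then a long-standing app receiving admin consent for a modest scope.
AUDIT_EVENTS = [
    {"activityDisplayName": "Add service principal",
     "activityDateTime": "2024-05-02T09:14:05Z",
     "initiatedBy": {"user": {"userPrincipalName": "j.doe@contoso.example"}},
     "targetResources": [{"id": "sp-0001", "displayName": "Microsoft Security Update",
                          "modifiedProperties": []}]},
    {"activityDisplayName": "Consent to application",
     "activityDateTime": "2024-05-02T09:21:40Z",
     "initiatedBy": {"user": {"userPrincipalName": "j.doe@contoso.example"}},
     "targetResources": [{"id": "sp-0001", "displayName": "Microsoft Security Update",
                          "modifiedProperties": [
                              {"displayName": "ConsentContext.IsAdminConsent",
                               "newValue": '"False"'},
                              {"displayName": "ConsentAction.Permissions",
                               "newValue": '"[] => [[Id: g-1, ClientId: sp-0001, '
                                           'PrincipalId: u-17, ResourceId: graph, '
                                           'ConsentType: Principal, '
                                           'Scope: User.Read offline_access Mail.Read]]"'}]}]},
    {"activityDisplayName": "Consent to application",
     "activityDateTime": "2024-05-02T11:02:10Z",
     "initiatedBy": {"user": {"userPrincipalName": "admin@contoso.example"}},
     "targetResources": [{"id": "sp-0002", "displayName": "Contoso HR Portal",
                          "modifiedProperties": [
                              {"displayName": "ConsentContext.IsAdminConsent",
                               "newValue": '"True"'},
                              {"displayName": "ConsentAction.Permissions",
                               "newValue": '"[] => [[Id: g-2, ClientId: sp-0002, '
                                           'PrincipalId: , ResourceId: graph, '
                                           'ConsentType: AllPrincipals, Scope: User.Read]]"'}]}]},
]

SCOPE_RE = re.compile(r"Scope:\s*([^\]]+)")


def parse_time(value):
    """Parse the ISO-8601 UTC timestamps the audit log uses."""
    return datetime.fromisoformat(value.replace("Z", "+00:00")).astimezone(timezone.utc)


def modified_property(event, name):
    """Look up one modifiedProperties entry by displayName, or None."""
    for target in event.get("targetResources", []):
        for prop in target.get("modifiedProperties", []):
            if prop.get("displayName") == name:
                return prop.get("newValue")
    return None


def consent_scopes(event):
    """Scopes named in the ConsentAction.Permissions value, as a set."""
    value = modified_property(event, "ConsentAction.Permissions") or ""
    match = SCOPE_RE.search(value)
    return set(match.group(1).split()) if match else set()


def find_suspicious_consents(events, window=timedelta(hours=24), threshold=2):
    """Return consent events scoring at or above threshold, with the reasons."""
    creations = {}  # service principal id -> time it was added
    for ev in events:
        if ev["activityDisplayName"] == "Add service principal":
            creations[ev["targetResources"][0]["id"]] = parse_time(ev["activityDateTime"])
    findings = []
    for ev in events:
        if ev["activityDisplayName"] != "Consent to application":
            continue
        target = ev["targetResources"][0]
        when = parse_time(ev["activityDateTime"])
        reasons = []
        created = creations.get(target["id"])
        if created is not None and timedelta(0) <= when - created <= window:
            minutes = int((when - created).total_seconds() // 60)
            reasons.append("app registered %d minutes before consent" % minutes)
        if (modified_property(ev, "ConsentContext.IsAdminConsent") or "").strip('"') == "False":
            reasons.append("user consent, not admin consent")
        risky = sorted(consent_scopes(ev) & HIGH_RISK_SCOPES)
        if risky:
            reasons.append("high-risk scopes: " + " ".join(risky))
        if len(reasons) >= threshold:
            findings.append({"app": target["displayName"], "app_id": target["id"],
                             "user": ev["initiatedBy"]["user"]["userPrincipalName"],
                             "time": when, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in find_suspicious_consents(AUDIT_EVENTS):
        print(f["time"].isoformat(), f["user"], "->", f["app"], f["reasons"])
```

The same three signals translate directly into a SIEM rule: join the two activity names on the target service principal id, keep pairs inside the window, and raise severity when `ConsentContext.IsAdminConsent` is false or the scope string contains a long-lived or mailbox-level permission.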

## Recommendations: Defending Against ConsentFix v3


Immediate Actions:


| Priority | Action | Details |
|----------|--------|---------|
| Critical | Audit consented applications | Review all third-party app permissions; revoke unused or suspicious apps |
| Critical | Enforce application consent policies | Restrict who can grant consent; require admin approval for new applications |
| High | Implement Conditional Access rules | Block unknown applications; require MFA for application consent |
| High | Enable detailed OAuth logging | Capture application creation, consent events, and token issuance |


Technical Controls:


  • Implement Zero Trust for applications: Verify every application request, not just user authentication
  • Use Microsoft Cloud App Security (MCAS): Monitor and alert on suspicious application behavior and OAuth token usage
  • Deploy advanced threat protection: Enable threat detection for anomalous token issuance patterns
  • Restrict application creation: Limit which users can create applications in Azure AD
  • Require admin consent: Configure Azure AD to require explicit admin approval for all application permissions
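The "Restrict application creation" and "Require admin consent" controls map to two tenant-wide policy objects exposed through Microsoft Graph: `/policies/authorizationPolicy` (whose `defaultUserRolePermissions` governs app registration and the user consent grant policies) and `/policies/adminConsentRequestPolicy` (the workflow that routes blocked consent requests to an approver). The script below is an added example, not the article's own: it checks exported copies of those objects against the recommended settings and builds the PATCH bodies that would apply them. Property names are the real resource properties; the values, including the reviewer placeholder, are constructed.

```python
"""Posture check for the tenant-wide consent settings the recommendations
call for, run against constructed copies of two Microsoft Graph policy objects:
GET /policies/authorizationPolicy and GET /policies/adminConsentRequestPolicy.
Property names are the real resource properties; the values are constructed."""

# Grant policies Entra assigns to the default user role. The "legacy" policy
# lets any user consent to any app, "low" limits user consent to low-impact
# permissions from verified publishers, and an empty list disables user consent.
LEGACY_USER_CONSENT = "ManagePermissionGrantsForSelf.microsoft-user-default-legacy"
LOW_RISK_USER_CONSENT = "ManagePermissionGrantsForSelf.microsoft-user-default-low"

# Constructed: the settings of a tenant where consent has never been tightened.
WEAK_AUTHZ_POLICY = {
    "defaultUserRolePermissions": {
        "allowedToCreateApps": True,
        "permissionGrantPoliciesAssigned": [LEGACY_USER_CONSENT],
    }
}
WEAK_ADMIN_CONSENT_REQUEST = {"isEnabled": False, "notifyReviewers": False,
                              "remindersEnabled": False, "reviewers": []}

# Constructed: the hardened counterpart (reviewer object id is a placeholder).
HARDENED_AUTHZ_POLICY = {
    "defaultUserRolePermissions": {
        "allowedToCreateApps": False,
        "permissionGrantPoliciesAssigned": [LOW_RISK_USER_CONSENT],
    }
}
HARDENED_ADMIN_CONSENT_REQUEST = {
    "isEnabled": True, "notifyReviewers": True, "remindersEnabled": True,
    "requestDurationInDays": 7,
    "reviewers": [{"query": "/users/<admin-object-id-placeholder>",
                   "queryType": "MicrosoftGraph"}],
}


def assess_consent_posture(authz_policy, admin_consent_request_policy, allow_low_risk=True):
    """Return a list of findings; empty when the posture matches the recommendations."""
    findings = []
    perms = authz_policy.get("defaultUserRolePermissions", {})
    if perms.get("allowedToCreateApps", True):
        findings.append("any user can register applications (allowedToCreateApps)")
    assigned = perms.get("permissionGrantPoliciesAssigned", [LEGACY_USER_CONSENT])
    if LEGACY_USER_CONSENT in assigned:
        findings.append("users may consent to any application (legacy grant policy)")
    elif assigned and not (allow_low_risk and assigned == [LOW_RISK_USER_CONSENT]):
        findings.append("unexpected user consent grant policies: " + ", ".join(assigned))
    if not admin_consent_request_policy.get("isEnabled", False):
        findings.append("admin consent request workflow disabled (blocked requests reach no approver)")
    elif not admin_consent_request_policy.get("reviewers"):
        findings.append("admin consent request workflow has no reviewers")
    return findings


def hardening_patch_bodies(allow_low_risk=True):
    """Bodies for PATCH /policies/authorizationPolicy and
    PATCH /policies/adminConsentRequestPolicy that apply the recommended settings."""
    authz = {"defaultUserRolePermissions": {
        "allowedToCreateApps": False,
        "permissionGrantPoliciesAssigned": [LOW_RISK_USER_CONSENT] if allow_low_risk else [],
    }}
    return authz, dict(HARDENED_ADMIN_CONSENT_REQUEST)


if __name__ == "__main__":
    for label, a, c in (("weak", WEAK_AUTHZ_POLICY, WEAK_ADMIN_CONSENT_REQUEST),
                        ("hardened", HARDENED_AUTHZ_POLICY, HARDENED_ADMIN_CONSENT_REQUEST)):
        print(label, assess_consent_posture(a, c) or ["no findings"])
```

Pass `allow_low_risk=False` to insist on admin consent for every application, which is the strictest reading of the recommendation; the low-risk policy is the middle ground that keeps verified-publisher apps requesting only basic sign-in scopes from flooding the approval queue.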

Operational Best Practices:


  • Regular audits: Perform quarterly reviews of installed applications and their permissions
  • User awareness: Train employees to recognize suspicious authorization prompts and verify application legitimacy
  • Credential hygiene: Implement strong password policies and enforce passwordless authentication where possible
  • Incident response planning: Develop specific response procedures for compromised OAuth credentials

## Conclusion


ConsentFix v3 demonstrates how attackers are evolving their tactics to exploit cloud-native security mechanisms. By automating OAuth abuse, adversaries can scale their attacks across multiple organizations while remaining largely invisible to traditional security tools.


Organizations must move beyond credential-based security and implement comprehensive Azure security postures that monitor and control application permissions. The stakes are high: a successful ConsentFix v3 compromise can grant attackers persistent access to an organization's most sensitive cloud resources.


The time to strengthen Azure OAuth security controls is now, before these automated attacks become a widespread reality.