Researchers have found that a newly identified phishing framework, ConsentFix v3, is directly shaping identity-based attacks in cloud environments: it can systematically compromise Microsoft Azure accounts through automated OAuth abuse.
The latest iteration combines large-scale social engineering, tenant reconnaissance, and automated token harvesting into a coordinated attack chain designed to bypass conventional security controls. This represents an advanced evolution of previous ConsentFix campaigns.
Attackers manipulate authentication consent mechanisms and gain persistent access to enterprise environments through OAuth2 abuse that exploits weaknesses in the authorization code flow.
Another defining element of the campaign is the use of Pipedream, a serverless integration platform leveraged to automate authorization code collection, refresh token generation, and data exfiltration workflows, significantly improving the scale and operational efficiency of the intrusion process.
According to the report's findings, attackers initiate compromises by collecting Azure tenant IDs and profiling employees for targeted impersonation. Phishing infrastructure is then deployed across multiple online services to support credential deception, token interception, and long-term account persistence.
ConsentFix v3 represents a rapid evolution of OAuth-related phishing methodologies. Late last year, Push Security introduced the original ConsentFix technique as a ClickFix-inspired attack targeting Microsoft authentication workflows, which attracted attention.
An early variant of this attack relied heavily on social engineering techniques to trick victims into completing a legitimate Azure CLI login sequence and manually pasting a localhost URL containing an authorization code.
Once they had captured the code, attackers could hijack Microsoft accounts without stealing any password, effectively bypassing multi-factor authentication by riding on trusted identity processes rather than exploiting endpoint vulnerabilities.
In order to streamline the phishing chain, researcher John Hammond developed refinements that eventually resulted in ConsentFix v2, which incorporated a drag-and-drop mechanism for the localhost URL instead of manual copy-and-paste interaction. This improved the realism of the deception process and its success rate.
ConsentFix v3 continues to weaponize the OAuth2 authorization code flow while abusing Microsoft first-party applications that are already trusted and pre-consented within enterprise environments. This expanded attack model is complemented by enhanced automation, broader scalability, and infrastructure designed to support high-volume token interception across Azure tenants.
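The pattern the article describes, a browser sign-in to a pre-consented first-party public client whose authorization code is then redeemed and whose refresh token is replayed from infrastructure the victim never used, leaves a recognisable trace in Microsoft Entra sign-in logs: an interactive, MFA-satisfied sign-in from one address followed shortly by non-interactive token use of the same app from another. The following detection is an added example written for this page and is not code from the article, from Push Security, or from Microsoft. It assumes log records shaped like the public Entra sign-in log schema (the field names `createdDateTime`, `userPrincipalName`, `appId`, `ipAddress`, `isInteractive`, `authenticationRequirement`); the sample records are constructed, and the only real identifier used is the widely published Azure CLI public client ID.

```python
"""Flag authorization-code redemption from an unexpected address (defender-side example)."""
from __future__ import annotations

import json
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Well-known public client ID of the Azure CLI as published by Microsoft. Any
# pre-consented first-party devtool client that your users are not expected to
# run interactively belongs in this set.
WATCHED_APPS = {
    "04b07795-8ddb-461a-bbee-02f9e1bf7b46": "Microsoft Azure CLI",
}

# Constructed sample records shaped like Entra sign-in log entries. The values
# (users, times, TEST-NET addresses) are invented for this example.
SAMPLE_LOG = [
    {"createdDateTime": "2025-01-15T10:00:00Z", "userPrincipalName": "alice@example.com",
     "appId": "04b07795-8ddb-461a-bbee-02f9e1bf7b46", "ipAddress": "203.0.113.10",
     "isInteractive": True, "authenticationRequirement": "multiFactorAuthentication"},
    # Same user and app, refresh three minutes later from an address the user
    # never signed in from: the code was redeemed somewhere else.
    {"createdDateTime": "2025-01-15T10:03:00Z", "userPrincipalName": "alice@example.com",
     "appId": "04b07795-8ddb-461a-bbee-02f9e1bf7b46", "ipAddress": "198.51.100.7",
     "isInteractive": False, "authenticationRequirement": "singleFactorAuthentication"},
    # Benign: bob really runs the CLI on his workstation; refresh comes from the same IP.
    {"createdDateTime": "2025-01-15T11:00:00Z", "userPrincipalName": "bob@example.com",
     "appId": "04b07795-8ddb-461a-bbee-02f9e1bf7b46", "ipAddress": "203.0.113.20",
     "isInteractive": True, "authenticationRequirement": "multiFactorAuthentication"},
    {"createdDateTime": "2025-01-15T11:30:00Z", "userPrincipalName": "bob@example.com",
     "appId": "04b07795-8ddb-461a-bbee-02f9e1bf7b46", "ipAddress": "203.0.113.20",
     "isInteractive": False, "authenticationRequirement": "singleFactorAuthentication"},
    # An app that is not on the watch list (placeholder ID) is never considered.
    {"createdDateTime": "2025-01-15T12:00:00Z", "userPrincipalName": "alice@example.com",
     "appId": "00000000-0000-0000-0000-000000000001", "ipAddress": "198.51.100.7",
     "isInteractive": False, "authenticationRequirement": "singleFactorAuthentication"},
]


@dataclass(frozen=True)
class SignIn:
    when: datetime
    user: str
    app_id: str
    ip: str
    interactive: bool  # True for a browser sign-in, False for token refresh / silent use


def parse_sign_in(rec: dict) -> SignIn:
    """Convert one raw log record into a typed event with a UTC timestamp."""
    ts = rec["createdDateTime"].replace("Z", "+00:00")
    return SignIn(
        when=datetime.fromisoformat(ts).astimezone(timezone.utc),
        user=rec["userPrincipalName"].lower(),
        app_id=rec["appId"].lower(),
        ip=rec["ipAddress"],
        interactive=bool(rec["isInteractive"]),
    )


def detect_foreign_code_redemption(records, window: timedelta = timedelta(hours=6)) -> list[dict]:
    """Return alerts for non-interactive use of a watched first-party app from
    an IP that differs from the user's most recent interactive sign-in to that
    app within `window`. A phished code is redeemed, and its refresh token
    replayed, on the attacker's side, so the two addresses diverge quickly."""
    events = sorted((parse_sign_in(r) for r in records), key=lambda e: e.when)
    last_interactive: dict[tuple[str, str], SignIn] = {}
    alerts: list[dict] = []
    for ev in events:
        if ev.app_id not in WATCHED_APPS:
            continue
        key = (ev.user, ev.app_id)
        if ev.interactive:
            last_interactive[key] = ev  # remember where the browser sign-in came from
            continue
        prior = last_interactive.get(key)
        if prior is None or ev.when - prior.when > window:
            continue  # no recent interactive sign-in to compare against
        if ev.ip != prior.ip:
            alerts.append({
                "user": ev.user,
                "app": WATCHED_APPS[ev.app_id],
                "interactive_ip": prior.ip,
                "interactive_at": prior.when.isoformat(),
                "refresh_ip": ev.ip,
                "refresh_at": ev.when.isoformat(),
                "seconds_after": int((ev.when - prior.when).total_seconds()),
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_foreign_code_redemption(SAMPLE_LOG):
        print(json.dumps(alert, indent=2))
```

On the constructed sample this fires once, for alice, and stays quiet for bob. In production the same rule is normally expressed as a KQL query over the SignInLogs and AADNonInteractiveUserSignInLogs tables; enriching the comparison with ASN or named-location data instead of raw IP cuts false positives from users who switch between a VPN and a home connection, and the watch list should be extended to every first-party public client the tenant does not expect its users to run.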
A systematic operational analysis of ConsentFix v3 indicates that the campaign is organized around a multi-stage intrusion workflow, which maximizes authenticity as well as the efficiency of token acquisition.
Threat actors are reported to conduct extensive reconnaissance on targeted Azure environments, validate tenant identifiers, and aggregate employee intelligence, including corporate e-mail addresses, organizational roles, and identity metadata, in order to support highly tailored impersonation attempts.
This article has been indexed from CySecurity News – Latest Information Security and Hacking Incidents