Meet ConsentFix, a new twist on the ClickFix phishing attack

Meet ConsentFix, a sophisticated phishing attack that continues to evolve and captures OAuth authentication tokens for Microsoft logins, rendering traditional security tools ineffective.

What is ConsentFix?

  • ConsentFix is a phishing attack that takes place entirely within a browser, making it difficult for standard security tools to detect.
  • The attack starts when a victim visits a legitimate, but compromised website that has been targeted by threat actors.
  • The compromised website displays a fake Cloudflare CAPTCHA-like verification page, asking the victim to enter their business email address to prove they’re human.
  • Upon entering their email address, a Microsoft login page appears, containing a legitimate URL based on the victim’s email address. This URL includes an OAuth token, which the victim is asked to copy and paste into a field to verify their humanity.
  • The threat actor then captures the OAuth token, granting them access to the victim’s Microsoft account via Azure’s command line interface.

How Does ConsentFix Work?

ConsentFix uses two tactics favored by threat actors: obedience (cut and paste this URL) and trust (this looks like a Microsoft login page), preying on employees who trust first-party applications and are unaware of the risks associated with OAuth token capture.

Why is ConsentFix a Concern?

  • ConsentFix highlights the dangers of implicit trust in first-party applications and legacy OAuth scopes.
  • The attack exploits outdated permission sets within Microsoft Entra ID, granting broad access and enabling attackers to enumerate directory data.
  • The use of advanced detection evasion techniques makes ConsentFix difficult to investigate, resulting in undetected attacks.

What Can Organizations Do to Prevent ConsentFix?

  • Implement robust monitoring to detect and prevent OAuth token capture attacks.
  • Strengthen consent governance by limiting the use of legacy OAuth scopes and tightening consent processes for all applications.
  • Deploy browser-based security measures to enhance overall identity security posture.
  • Provide comprehensive security awareness training to employees, focusing on explaining attacks, how they work, and how to recognize them.
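The first mitigation above (monitoring for token capture) is easier to act on with a concrete detection in hand. The following script is an added example written for this page, not code from Push Security or from the original article. It runs a simple correlation over a constructed set of Microsoft Entra ID sign-in records: a ConsentFix-style compromise leaves behind a browser sign-in from the victim's IP, followed within minutes by a token redemption against a first-party CLI application (the article names the Azure command line interface) from an address the victim has never used. The field names (`createdDateTime`, `userPrincipalName`, `appDisplayName`, `ipAddress`, `clientAppUsed`), the watched application display names, the thresholds, and every user, IP and timestamp in the sample are assumptions made for the example.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of Entra ID sign-in records (hypothetical users, IPs and times).
# The field names mirror the shape of a sign-in log export; treat them as an assumption.
SAMPLE_SIGNINS = [
    {"createdDateTime": "2024-05-01T09:02:11Z", "userPrincipalName": "alice@example.com",
     "appDisplayName": "Office 365 SharePoint Online", "ipAddress": "203.0.113.10",
     "clientAppUsed": "Browser"},
    {"createdDateTime": "2024-05-01T09:05:43Z", "userPrincipalName": "alice@example.com",
     "appDisplayName": "Microsoft Azure CLI", "ipAddress": "198.51.100.77",
     "clientAppUsed": "Mobile Apps and Desktop clients"},
    {"createdDateTime": "2024-05-01T09:06:02Z", "userPrincipalName": "alice@example.com",
     "appDisplayName": "Microsoft Azure CLI", "ipAddress": "198.51.100.77",
     "clientAppUsed": "Mobile Apps and Desktop clients"},
    {"createdDateTime": "2024-05-01T10:15:00Z", "userPrincipalName": "bob@example.com",
     "appDisplayName": "Microsoft Azure CLI", "ipAddress": "203.0.113.10",
     "clientAppUsed": "Mobile Apps and Desktop clients"},
    {"createdDateTime": "2024-04-20T08:00:00Z", "userPrincipalName": "bob@example.com",
     "appDisplayName": "Microsoft Azure CLI", "ipAddress": "203.0.113.10",
     "clientAppUsed": "Mobile Apps and Desktop clients"},
]

# First-party command-line apps whose token use by ordinary users is worth a look.
# Display names are an assumption; adjust to what your tenant's logs actually show.
WATCHED_APPS = {"Microsoft Azure CLI", "Microsoft Azure PowerShell"}


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def find_suspicious_cli_signins(records, baseline_days=30, browser_window_minutes=15):
    """Correlate CLI-app sign-ins with the user's own history.

    Two signals are raised per sign-in to a watched app:
      new_app_for_user            - no sign-in to that app by this user in the baseline window
      ip_differs_from_recent_browser_signin
                                  - a browser sign-in from a different IP happened within
                                    browser_window_minutes before the CLI sign-in
    Both together is the pattern a pasted-token compromise leaves behind, so it is rated high.
    """
    recs = sorted(records, key=lambda r: parse_ts(r["createdDateTime"]))
    history = defaultdict(list)   # (user, app) -> timestamps of earlier sign-ins
    last_browser = {}             # user -> (timestamp, ip) of most recent browser sign-in
    findings = []
    for r in recs:
        ts = parse_ts(r["createdDateTime"])
        user, app, ip = r["userPrincipalName"], r["appDisplayName"], r["ipAddress"]
        if r.get("clientAppUsed") == "Browser":
            last_browser[user] = (ts, ip)
            continue
        if app not in WATCHED_APPS:
            continue
        reasons = []
        prior = [d for d in history[(user, app)] if ts - d <= timedelta(days=baseline_days)]
        if not prior:
            reasons.append("new_app_for_user")
        recent = last_browser.get(user)
        if recent and ts - recent[0] <= timedelta(minutes=browser_window_minutes) and recent[1] != ip:
            reasons.append("ip_differs_from_recent_browser_signin")
        history[(user, app)].append(ts)
        if reasons:
            findings.append({
                "timestamp": r["createdDateTime"], "user": user, "app": app, "ip": ip,
                "reasons": reasons, "severity": "high" if len(reasons) == 2 else "low",
            })
    return findings


if __name__ == "__main__":
    for f in find_suspicious_cli_signins(SAMPLE_SIGNINS):
        print(json.dumps(f))
```

On the sample, alice's first Azure CLI sign-in is rated high (she has never used the app, and it comes three minutes after her browser sign-in from a different address), her second one is low (only the IP mismatch remains once the first is in her history), bob's April sign-in is low (first use of the CLI) and his May sign-in is not raised at all. In production the same correlation belongs in the SIEM's query language and should be joined with consent-grant and directory-enumeration events, which the article lists as the follow-on activity; a stand-alone "new CLI app" signal will be noisy for administrators and should be scoped to users outside the operations teams.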

By enhancing their security posture and adopting these strategies, organizations can substantially reduce the risk of unauthorized access resulting from OAuth consent abuse.

For more information on ConsentFix and how to protect yourself, please visit https://pushsecurity.com/blog/consentfix/.
