A New Threat in the Cybersecurity Landscape: ConsentFix
In the rapidly evolving world of cybersecurity, staying ahead of emerging threats is crucial. Recently, a new attack technique called ConsentFix has surfaced, posing a significant danger to Microsoft account holders. This technique, discovered by Push Security, combines social engineering with OAuth consent phishing to hijack accounts, bypassing identity-layer controls and evading detection.
How ConsentFix Works
ConsentFix prompts victims to share an OAuth authorization code with an attacker via a phishing page. The attacker then uses this code to take over the account by completing the authorization handshake on their own device. This method allows attackers to bypass passwords, MFA, and even phishing-resistant authentication methods like passkeys.
Implications for North East India and Beyond
The ConsentFix attack is a reminder of the constant need for vigilance in the digital realm. As more businesses in North East India and across India transition to cloud-based services, the risk of such attacks increases. Organizations must prioritize security measures to protect their digital assets and maintain customer trust.
The Danger of ConsentFix
What makes ConsentFix particularly dangerous is its ability to target first-party Microsoft apps, which cannot be restricted in the same way as third-party applications. Attackers also leverage legacy scopes that fall outside default logging to evade detection, and target scopes with known Conditional Access policy exclusions. As a result, the controls many organizations expect to rely on may not work as intended in this case.
The ConsentFix Campaign
The ConsentFix campaign was implemented through a phishing page that asked victims to verify their humanity by pasting a URL into the page. After clicking the Sign In button, victims were redirected to a legitimate Microsoft login page. Upon selecting their account, they were redirected to a localhost URL containing an OAuth authorization code, which they then pasted into the original phishing page, completing the attack.
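The flow described in "How ConsentFix Works" and in the campaign above hinges on one observable: the authorization code is issued in the victim's browser session but redeemed from the attacker's device. The following detection logic is an added example for defenders, not code from the article or from Push Security; it assumes a hypothetical event schema (kind, code_id, user, redirect_uri, src_ip) rather than any real product's log format, and the sample events are constructed.

```python
"""Added example (not from the article or Push Security): pair OAuth
authorization-code issuance with its redemption and flag ConsentFix-style
cross-device hand-offs. Event schema is hypothetical, not a real log format."""
from ipaddress import ip_address
from urllib.parse import urlparse


def is_loopback_redirect(uri: str) -> bool:
    """True for http://localhost[:port], 127.x or [::1] redirect URIs, the
    native-app pattern the phishing page relied on to expose the code."""
    host = urlparse(uri).hostname
    if host is None:
        return False
    if host == "localhost":
        return True
    try:
        return ip_address(host).is_loopback
    except ValueError:  # a DNS name, not an IP literal
        return False


def find_cross_device_redemptions(events):
    """Match each 'authorize' event to the 'token' event redeeming the same
    code_id and report those redeemed from a different source IP."""
    issued = {e["code_id"]: e for e in events if e["kind"] == "authorize"}
    findings = []
    for e in events:
        if e["kind"] != "token" or e["code_id"] not in issued:
            continue
        auth = issued[e["code_id"]]
        if auth["src_ip"] != e["src_ip"]:
            findings.append({
                "user": auth["user"],
                "issued_from": auth["src_ip"],
                "redeemed_from": e["src_ip"],
                "loopback_redirect": is_loopback_redirect(auth["redirect_uri"]),
            })
    return findings


# Constructed sample events (hypothetical schema, documentation IP ranges).
SAMPLE_EVENTS = [
    {"kind": "authorize", "code_id": "c1", "user": "alice@example.com",
     "redirect_uri": "http://localhost:8400/", "src_ip": "198.51.100.10"},
    {"kind": "token", "code_id": "c1", "src_ip": "198.51.100.10"},  # same device
    {"kind": "authorize", "code_id": "c2", "user": "bob@example.com",
     "redirect_uri": "http://localhost:8400/", "src_ip": "198.51.100.11"},
    {"kind": "token", "code_id": "c2", "src_ip": "203.0.113.5"},  # redeemed elsewhere
]
```

A loopback redirect on its own is normal for native apps; the signal worth alerting on is the combination with a redemption from an address the issuing session never used.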
Future Predictions and Recommendations
Given the speed at which new iterations of the ConsentFix technique are being shared, it is likely that red teams and criminals will adopt this method into their arsenal of TTPs in the near future. All security teams responsible for protecting Microsoft environments should ensure that monitoring controls and mitigations are put in place as a matter of high priority.