Researchers reported a new phishing technique, ConsentFix v3, that targets Microsoft Azure accounts by abusing the OAuth2 authorization code flow and trusted first-party Microsoft applications. The attack sends victims through a legitimate Microsoft sign-in process, then tricks them into pasting or dragging a localhost redirect URL containing an authorization code back into a phishing page. Attackers can then exchange that code for tokens, enabling access to Microsoft resources such as email and files without needing the victim’s password and even when MFA is enabled.
The latest variant expands on earlier ConsentFix methods by adding automation and scale through third-party services including Cloudflare Pages for phishing infrastructure and Pipedream for capturing authorization codes, exchanging them for refresh tokens, and collecting stolen tokens; reports also noted use of platforms such as DocSend. The technique also incorporates tenant enumeration and employee impersonation to improve targeting. Defenders were advised that mitigation is challenging because trust in Microsoft first-party apps is built into the architecture, but measures such as token binding, behavioral detections, and restricting app authentication can reduce exposure. Researchers said ConsentFix-style attacks have appeared in real campaigns, although widespread adoption of the v3 variant has not yet been confirmed.
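As an added defensive example, not code from the researchers' report or from any product named on this page: a behavioral check of the kind the mitigations above allude to. It pairs an authorization code issued to a localhost redirect with the token redemption that follows, and flags pairs where the redemption comes from a different network than the sign-in, since a code pasted into a phishing page is redeemed from the attacker's infrastructure rather than the victim's device. The event field names, the app name, the IPs and the 10-minute window are constructed assumptions, not a real sign-in log schema.

```python
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Constructed sample events (not real Entra sign-in logs; field names are assumptions).
# 'authorize' = an authorization code was issued to the browser; 'token' = a code was
# redeemed for tokens. A user completing the flow on their own device normally shows the
# same source IP for both; a code pasted into a phishing page is redeemed from elsewhere.
EVENTS = [
    {"ts": "2024-05-01T10:00:00", "user": "alice", "kind": "authorize",
     "app": "Microsoft Azure CLI", "redirect_uri": "http://localhost:8400/", "ip": "203.0.113.10"},
    {"ts": "2024-05-01T10:00:20", "user": "alice", "kind": "token",
     "app": "Microsoft Azure CLI", "ip": "203.0.113.10"},
    {"ts": "2024-05-01T11:00:00", "user": "bob", "kind": "authorize",
     "app": "Microsoft Azure CLI", "redirect_uri": "http://localhost:8400/", "ip": "198.51.100.7"},
    {"ts": "2024-05-01T11:01:30", "user": "bob", "kind": "token",
     "app": "Microsoft Azure CLI", "ip": "192.0.2.55"},
]


def is_localhost_redirect(uri):
    """True when the redirect target is a loopback host (the pattern the lure relies on)."""
    host = (urlparse(uri).hostname or "").lower()
    return host in ("localhost", "127.0.0.1", "::1")


def find_suspicious_redemptions(events, window=timedelta(minutes=10)):
    """Pair each localhost-redirect authorization with the next token redemption by the
    same user and app inside `window`; flag pairs whose source IPs differ.
    Returns a list of (user, app, authorize_ip, token_ip)."""
    pending, hits = [], []
    for e in sorted(events, key=lambda x: x["ts"]):
        ts = datetime.fromisoformat(e["ts"])
        if e["kind"] == "authorize" and is_localhost_redirect(e.get("redirect_uri", "")):
            pending.append((ts, e))
        elif e["kind"] == "token":
            for ats, a in pending:
                if a["user"] == e["user"] and a["app"] == e["app"] and ts - ats <= window:
                    pending.remove((ats, a))
                    if a["ip"] != e["ip"]:
                        hits.append((e["user"], e["app"], a["ip"], e["ip"]))
                    break
    return hits


if __name__ == "__main__":
    for hit in find_suspicious_redemptions(EVENTS):
        print("code issued to %s via %s from %s, redeemed from %s" % hit)
```

Legitimate localhost redirects (developer tooling signing in on the user's own machine) keep the same source network for both events, so only the mismatched pair is reported; the window and the IP comparison are the tuning points in practice.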

3 events from the most recent confirmed update back to the earliest known activity.
Reporting on ConsentFix v3 stated that ConsentFix-style attacks have been observed in real-world campaigns, although it remained unclear whether the specific v3 variant had been widely adopted by cybercriminals. The disclosure also highlighted mitigations including token binding, behavioral detections, and app authentication restrictions.
Push Security reported a new ConsentFix v3 attack that targets Microsoft Azure by abusing the OAuth2 authorization code flow and trusted first-party Microsoft applications. The variant adds automation and scalability through services such as Pipedream, Cloudflare Pages, and DocSend, enabling token theft without passwords and despite MFA.
Prior versions of the ConsentFix phishing technique were described by Push Security and John Hammond before the newer v3 variant emerged. These earlier variants established the OAuth abuse pattern that ConsentFix v3 later expanded on.