New ConsentFix attack hijacks Microsoft accounts via Azure CLI www.bleepingcomputer.com/news/secu…
A new variation of the ClickFix attack, dubbed ‘ConsentFix’, abuses the Azure CLI OAuth app to hijack Microsoft accounts without needing the victim’s password or having to bypass multi-factor authentication (MFA). The variant was discovered by cybersecurity firm Push Security, which explains that the technique steals OAuth 2.0 authorization codes that can then be exchanged for an Azure CLI access token.
A ConsentFix attack starts with the victim landing on a compromised but otherwise legitimate website that ranks high in Google Search results for specific terms.
The visitor is shown a fake Cloudflare Turnstile CAPTCHA widget that asks for a valid business email address. The attacker’s script checks this address against a list of intended targets, filtering out bots, analysts, and anyone else not on the target list.
Users who pass this check are shown a page that follows the familiar ClickFix interaction pattern, instructing the victim to verify they are human. The instructions are to click the ‘Sign in’ button on the page, which opens a legitimate Microsoft URL in a new tab. However, this is not your typical Microsoft login prompt, but rather an Azure login page used to generate an OAuth authorization code for the Azure CLI app.
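As an added defender-side example (not code from the article or from Push Security), the rule below runs over constructed Entra ID sign-in records and flags sign-ins to the Azure CLI application by users with no baseline CLI usage or from outside expected egress ranges, which is the kind of event the flow above produces in a victim tenant. The app ID constant, the baseline user set and the network ranges are assumptions to tune per tenant.

```python
import ipaddress

# Well-known first-party app ID of Microsoft Azure CLI. Assumption: confirm it
# matches the appId shown for "Microsoft Azure CLI" in your own sign-in logs.
AZURE_CLI_APP_ID = "04b07795-8ddb-461a-bbee-02f9e1bf7b46"

# Constructed sample sign-in records shaped like Microsoft Graph signIn objects
# (not real log data; the non-CLI appId is a placeholder).
SAMPLE_SIGNINS = [
    {"userPrincipalName": "ops.engineer@example.com",
     "appId": AZURE_CLI_APP_ID, "appDisplayName": "Microsoft Azure CLI",
     "ipAddress": "203.0.113.10", "createdDateTime": "2026-01-20T09:12:00Z"},
    {"userPrincipalName": "cfo@example.com",
     "appId": AZURE_CLI_APP_ID, "appDisplayName": "Microsoft Azure CLI",
     "ipAddress": "198.51.100.77", "createdDateTime": "2026-01-20T09:40:00Z"},
    {"userPrincipalName": "cfo@example.com",
     "appId": "00000000-0000-0000-0000-000000000001", "appDisplayName": "Mail",
     "ipAddress": "198.51.100.77", "createdDateTime": "2026-01-20T09:41:00Z"},
]


def flag_azure_cli_signins(signins, expected_cli_users, corp_networks):
    """Return Azure CLI app sign-ins that break the tenant's baseline.

    expected_cli_users: lower-case UPNs with a known, legitimate CLI workflow.
    corp_networks: CIDR strings for egress ranges where CLI use is expected.
    """
    networks = [ipaddress.ip_network(n) for n in corp_networks]
    findings = []
    for rec in signins:
        if rec.get("appId") != AZURE_CLI_APP_ID:
            continue  # only the application abused by ConsentFix matters here
        upn = rec["userPrincipalName"].lower()
        ip = ipaddress.ip_address(rec["ipAddress"])
        reasons = []
        if upn not in expected_cli_users:
            reasons.append("no baseline Azure CLI usage for this user")
        if not any(ip in net for net in networks):
            reasons.append("sign-in from outside expected egress ranges")
        if reasons:
            findings.append({"user": upn, "ip": str(ip),
                             "time": rec["createdDateTime"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in flag_azure_cli_signins(SAMPLE_SIGNINS, {"ops.engineer@example.com"},
                                    ["203.0.113.0/24"]):
        print(f"ALERT {f['time']} {f['user']} from {f['ip']}: "
              + "; ".join(f["reasons"]))
```

In production the baseline set would be built from historical sign-ins to the same app ID rather than hand-maintained.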