Executive Summary
In June 2024, a new variation of the previously identified ClickFix attack emerged, dubbed 'ConsentFix', targeting organizations using Microsoft Azure. Threat actors leveraged social engineering to manipulate users into granting malicious OAuth permissions via the Azure CLI tool, resulting in full account compromise without needing the user's password and without having to defeat multi-factor authentication (MFA). By tricking victims into executing crafted Azure CLI commands, attackers could hijack Microsoft accounts, potentially leading to widespread access to sensitive data, misconfiguration, or further lateral movement within affected cloud environments.
This attack highlights the growing sophistication of consent phishing and the increased abuse of cloud automation tools, stressing the urgent need for organizations to review OAuth permission flows and harden identity-driven security controls. Rapid evolution in attacker tactics underscores critical risks within cloud access management and the threat landscape.
Why This Matters Now
Consent-based attacks abusing OAuth flows, particularly via trusted automation tools like Azure CLI, completely bypass traditional authentication, including MFA, making them exceptionally dangerous. As cloud adoption accelerates, attackers target identity and consent mechanisms to obtain privileged access, which calls for immediate review of OAuth policies, user training, and enforcement of least privilege in cloud platforms.
Attack Path Analysis
The attacker leveraged social engineering to trick users into granting OAuth consent via the Azure CLI, enabling account hijack without credentials or MFA. Gaining unauthorized access, the adversary escalated privileges by abusing OAuth scopes and tokens. They likely traversed connected Azure resources using stolen permissions, moving laterally to expand control. The attacker established command and control by maintaining persistent OAuth access to cloud assets. Data could then be exfiltrated through allowed channels or APIs, with potential impact including data theft or further compromise of Microsoft cloud environments.
Kill Chain Progression
Initial Compromise
Description
Adversary exploited social engineering to convince users to grant malicious OAuth consent via Azure CLI, enabling access without passwords or MFA.
Related CVEs
CVE-2023-36052
CVSS 8.6 – Azure CLI versions prior to 2.53.1 may expose sensitive information, including credentials, through GitHub Actions logs.
Affected Products:
Microsoft Azure CLI – < 2.53.1
Exploit Status:
no public exploit
CVE-2022-39327
CVSS 8.1 – Azure CLI versions prior to 2.40.0 contain a vulnerability that could allow code injection when parameter values are provided by an external source on Windows machines.
Affected Products:
Microsoft Azure CLI – < 2.40.0
Exploit Status:
no public exploit
CVE-2024-43591
CVSS 9.1 – Azure CLI versions prior to 2.65.0 are vulnerable to command injection, allowing attackers to execute arbitrary commands with elevated privileges.
Affected Products:
Microsoft Azure CLI – < 2.65.0
Exploit Status:
no public exploit
MITRE ATT&CK® Techniques
Valid Accounts: Cloud Accounts
Create Account: Cloud Account
Modify Authentication Process: Web Portal
Phishing: Spearphishing Link
Use Alternate Authentication Material: Web Session Cookie
Implant Internal Image
Modify Registry
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Multi-factor Authentication for All Access into the CDE
Control ID: 8.4.2
NYDFS 23 NYCRR 500 – Multi-Factor Authentication
Control ID: 500.12
DORA (Digital Operational Resilience Act) – ICT Risk Management Framework
Control ID: Art. 9
CISA Zero Trust Maturity Model 2.0 – Continuous Authentication and Access Controls
Control ID: Identity Pillar: Authentication and Access
NIS2 Directive – Identity and Access Management
Control ID: Art. 21(2)(d)
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Financial Services
ConsentFix attacks targeting Microsoft Azure CLI pose critical risks to financial institutions, potentially bypassing MFA protections and compromising sensitive customer data through OAuth hijacking.
Health Care / Life Sciences
Healthcare organizations face severe HIPAA compliance violations as ConsentFix social engineering attacks can hijack Microsoft accounts without passwords, exposing protected health information.
Information Technology/IT
IT sector organizations are prime targets for ConsentFix attacks exploiting Azure CLI OAuth vulnerabilities, requiring enhanced zero trust segmentation and egress security controls.
Government Administration
Government agencies face heightened security risks from ConsentFix attacks that bypass traditional authentication, necessitating improved threat detection and multicloud visibility controls for Microsoft environments.
Sources
- New ConsentFix attack hijacks Microsoft accounts via Azure CLI – https://www.bleepingcomputer.com/news/security/new-consentfix-attack-hijacks-microsoft-accounts-via-azure-cli/ (Verified)
- Microsoft guidance regarding credentials leaked to GitHub Actions Logs through Azure CLI – https://www.microsoft.com/en-us/msrc/blog/2023/11/microsoft-guidance-regarding-credentials-leaked-to-github-actions-logs-through-azure-cli/ (Verified)
- CVE-2023-36052 | Armis Vulnerability Intelligence Database – https://cve.armis.com/cve-2023-36052 (Verified)
Cloud Native Security Fabric (CNSF) Mitigations and Controls
Zero Trust segmentation, granular east-west controls, and visibility into OAuth/cloud traffic would have constrained unauthorized lateral movement following the initial consent abuse. Egress enforcement and advanced threat detection could have limited data exfiltration and flagged anomalous access quickly.
Control: Cloud Native Security Fabric (CNSF)
Mitigation: Inline enforcement and real-time policy could detect and flag anomalous OAuth activity.
Control: Zero Trust Segmentation
Mitigation: Identity-based policy limits OAuth-granted permissions to least privilege scope.
Control: East-West Traffic Security
Mitigation: Lateral movement detected and contained between workloads via east-west inspection.
Control: Threat Detection & Anomaly Response
Mitigation: Detection and alerting of suspicious API patterns or abnormal session creation.
Control: Egress Security & Policy Enforcement
Mitigation: Outbound data flow controlled, blocking unsanctioned data transfer.
Centralized visibility enables rapid detection and forensics of compromised accounts.
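As an added illustration (not code from the original report or from the CNSF product), the following Python sketch applies the "abnormal session creation" idea above to constructed, Entra-style sign-in records: it baselines which users normally authenticate through the Azure CLI client and from which addresses, then flags Azure CLI sign-ins that break that baseline, which is the session a ConsentFix victim unknowingly creates. The record layout, the `Microsoft Azure CLI` app display name and the sample data are assumptions.

```python
from collections import defaultdict

# Display name the Azure CLI client shows in Entra ID sign-in logs (assumed; confirm in your tenant).
AZURE_CLI_APP = "Microsoft Azure CLI"

# Constructed sample records, loosely shaped like Entra ID sign-in log entries.
SAMPLE_SIGNINS = [
    {"ts": "2024-05-20T09:00:00Z", "user": "alice@example.test", "app": "Microsoft Teams", "ip": "198.51.100.4"},
    {"ts": "2024-05-21T09:05:00Z", "user": "bob@example.test", "app": AZURE_CLI_APP, "ip": "198.51.100.4"},
    {"ts": "2024-06-03T09:12:00Z", "user": "bob@example.test", "app": AZURE_CLI_APP, "ip": "198.51.100.4"},
    {"ts": "2024-06-03T14:30:00Z", "user": "alice@example.test", "app": AZURE_CLI_APP, "ip": "203.0.113.77"},
]


def detect_cli_signins(signins, cutoff):
    """Flag Azure CLI sign-ins at or after `cutoff` (ISO-8601 UTC) that break a user's baseline.

    Records before `cutoff` build the baseline; later records are evaluated against it and
    then folded into the baseline, so a repeat from the same source is only reported once.
    Two signals are combined: the user never authenticated through the Azure CLI client
    before, and the source IP is new for that user. Either alone is a finding; both raise severity.
    """
    apps_by_user = defaultdict(set)   # apps each user has signed in to
    ips_by_user = defaultdict(set)    # source addresses seen per user
    findings = []
    for rec in sorted(signins, key=lambda r: r["ts"]):   # ISO-8601 UTC strings sort lexically
        user = rec["user"]
        if rec["ts"] >= cutoff and rec["app"] == AZURE_CLI_APP:
            reasons = []
            if AZURE_CLI_APP not in apps_by_user[user]:
                reasons.append("first Azure CLI sign-in for this user")
            if rec["ip"] not in ips_by_user[user]:
                reasons.append("source IP not in user's baseline")
            if reasons:
                findings.append({"ts": rec["ts"], "user": user, "ip": rec["ip"],
                                 "severity": "high" if len(reasons) == 2 else "medium",
                                 "reasons": reasons})
        apps_by_user[user].add(rec["app"])
        ips_by_user[user].add(rec["ip"])
    return findings


if __name__ == "__main__":
    for f in detect_cli_signins(SAMPLE_SIGNINS, "2024-06-01T00:00:00Z"):
        print(f"{f['ts']} {f['user']} from {f['ip']} [{f['severity']}]: {'; '.join(f['reasons'])}")
```

A legitimate first-time Azure CLI user will trigger the same finding, so treat it as a triage lead to correlate with the tenant's consent-grant audit events and Conditional Access policy rather than as conclusive on its own.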
Impact at a Glance
Affected Business Functions
- User Authentication
- Access Management
Estimated downtime: 3 days
Estimated loss: $500,000
Potential exposure of user credentials and sensitive information leading to unauthorized access to Microsoft accounts.
Recommended Actions
Key Takeaways & Next Steps
- Enforce inline policy controls on OAuth and Azure CLI authorizations with real-time inspection and alerting.
- Apply microsegmentation and least privilege principles to restrict the scope of compromised tokens and limit privilege escalation.
- Monitor and control east-west traffic to detect and block lateral movement between cloud workloads.
- Deploy advanced anomaly detection to baseline and identify suspicious API behaviors or abnormal cloud authentication flows.
- Ensure strong egress filtering is in place to prevent unauthorized data exfiltration through cloud APIs or SaaS channels.