Executive Summary
In early 2024, security researchers uncovered 'ConsentFix,' a sophisticated OAuth phishing campaign targeting Microsoft account holders across multiple sectors. Attackers leveraged consent phishing techniques, using malicious OAuth applications and browser-based authorization flows to trick users into granting access to their Microsoft 365 data—bypassing traditional credential-based defenses. Victims, believing they were authorizing legitimate apps, inadvertently permitted attackers to persistently access mail, files, and other sensitive resources. The campaign quickly evolved, with new variants adopting evasive tactics and leveraging cloud application trust models.
Consent phishing's rise highlights a worrying trend: attackers increasingly exploit identity platforms and legitimate authorization mechanisms, rather than relying on malware or password theft. As organizations accelerate cloud adoption and remote collaboration, monitoring and mitigating application consent attacks is paramount for regulatory compliance and security posture.
Why This Matters Now
ConsentFix shows how attackers now target cloud identity and authorization systems instead of only stealing credentials, exposing enduring visibility and governance gaps in Microsoft OAuth integrations. Organizations urgently need to audit third-party cloud app access, train employees, and enforce least-privilege OAuth policies to avoid data loss or compliance breaches.
Attack Path Analysis
Attackers initiated the ConsentFix OAuth phishing attack by luring victims into granting malicious cloud app permissions, resulting in unauthorized OAuth token access. With these tokens, the adversary elevated privileges within cloud environments by leveraging improper app permissions. The attackers attempted lateral movement by accessing additional cloud services or resources via tokens. Communication was maintained with attacker infrastructure through approved OAuth apps operating over encrypted channels. Sensitive data was exfiltrated using authorized API calls allowed by compromised tokens. Ultimately, the attacker’s actions led to potential account hijack, unauthorized data exposure, or manipulation within the victim's cloud estate.
Kill Chain Progression
Initial Compromise
Description
Victim received a phishing link leading to a malicious OAuth consent screen, granting the attacker authorization to access the victim’s cloud account.
Related CVEs
CVE-2023-23397
CVSS 9.8A vulnerability in Microsoft Outlook allows an attacker to send a specially crafted email that triggers a connection from the victim to an external UNC location, leading to NTLM credential theft.
Affected Products:
Microsoft Outlook – 2013 SP1, 2016, 2019, 2021, 365 Apps
Exploit Status:
exploited in the wildCVE-2023-35636
CVSS 8.8A vulnerability in Microsoft Exchange Server allows an attacker to perform remote code execution via a crafted email, potentially leading to system compromise.
Affected Products:
Microsoft Exchange Server – 2016 CU23, 2019 CU12
Exploit Status:
proof of concept
MITRE ATT&CK® Techniques
These MITRE ATT&CK techniques support SEO and filtering use cases; full enrichment available via STIX/TAXII.
Phishing: Spearphishing Attachment
Modify Authentication Process: Web Portal
Valid Accounts: Cloud Accounts
Steal Web Session Cookie
Email Collection
Brute Force: Password Spraying
Account Discovery: Cloud Account
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Strong Authentication for User Access
Control ID: 8.3.1
NYDFS 23 NYCRR 500 – Security Awareness and Training
Control ID: 500.14
DORA – ICT Risk Management Framework
Control ID: Art. 6
CISA ZTMM 2.0 – Zero Trust Authentication Controls
Control ID: Identity Pillar: Authentication & Access
NIS2 Directive – Technical and Organizational Cybersecurity Measures
Control ID: Art. 21(2)
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Financial Services
ConsentFix OAuth phishing attacks severely threaten financial institutions by compromising Microsoft accounts, enabling lateral movement and data exfiltration through unauthorized access.
Health Care / Life Sciences
Healthcare organizations face critical risks from OAuth phishing targeting Microsoft environments, potentially exposing patient data and violating HIPAA compliance requirements.
Computer Software/Engineering
Software companies are prime targets for ConsentFix attacks due to extensive Microsoft ecosystem usage, risking intellectual property theft and supply chain compromise.
Government Administration
Government agencies face heightened threats from OAuth phishing campaigns targeting Microsoft accounts, compromising sensitive data and critical infrastructure through authorized access abuse.
Sources
- ConsentFix debrief: Insights from the new OAuth phishing attackhttps://www.bleepingcomputer.com/news/security/consentfix-debrief-insights-from-the-new-oauth-phishing-attack/Verified
- Threat actors misuse OAuth applications to automate financially driven attackshttps://www.microsoft.com/en-us/security/blog/2023/12/12/threat-actors-misuse-oauth-applications-to-automate-financially-driven-attacks/Verified
- Microsoft OAuth App Impersonation Campaign Leads to MFA Phishinghttps://www.proofpoint.com/us/blog/threat-insight/microsoft-oauth-app-impersonation-campaign-leads-mfa-phishingVerified
- State actors are abusing OAuth device codes to get full M365 account access - here's what we knowhttps://www.techradar.com/pro/security/state-actors-are-abusing-oauth-device-codes-to-get-full-m365-account-access-heres-what-we-knowVerified
Frequently Asked Questions
Cloud Native Security Fabric Mitigations and ControlsCNSF
Applying Zero Trust Segmentation, continuous traffic visibility, strict egress enforcement, and threat detection capabilities would significantly limit or detect the ConsentFix phishing attack at multiple stages. Identity-based access controls and microsegmentation would minimize token misuse, while egress filtering and anomaly response would help detect and prevent unauthorized data flows.
Control: Multicloud Visibility & Control
Mitigation: Improved detection of unauthorized OAuth consent grants.
Control: Zero Trust Segmentation
Mitigation: Limits unauthorized access within cloud environments.
Control: East-West Traffic Security
Mitigation: Prevents lateral traversal across internal cloud networks.
Control: Threat Detection & Anomaly Response
Mitigation: Detection and alerting of unusual cloud/API usage and suspicious data flows.
Control: Egress Security & Policy Enforcement
Mitigation: Prevents or flags unauthorized outbound data movement.
Minimizes blast radius and ensures incident containment.
Impact at a Glance
Affected Business Functions
- Email Communications
- Document Management
- User Authentication
Estimated downtime: 3 days
Estimated loss: $500,000
Potential exposure of sensitive emails, documents, and user credentials, leading to unauthorized access and data breaches.
Recommended Actions
Key Takeaways & Next Steps
- • Enforce strict multicloud visibility and centralized monitoring of all OAuth app consents and cloud API activities.
- • Implement zero trust segmentation and identity-based access controls to minimize privilege abuse from compromised credentials.
- • Apply egress security and policy enforcement to inspect and block unauthorized data exfiltration routes.
- • Deploy threat detection and anomaly response across east-west and outbound cloud traffic for timely incident response.
- • Regularly audit OAuth permissions and cloud app access, revoking unneeded authorizations and strengthening consent workflows.
