New ConsentFix Attack Hijacks Microsoft Accounts via Azure CLI
Summary:
Researchers at Push Security have uncovered details of a new browser-native phishing technique, dubbed “ConsentFix”, that steals OAuth authorization codes by tricking users into copying and pasting a URL from a legitimate Microsoft login flow into an attacker-controlled phishing page. Unlike typical AiTM or ClickFix attacks, ConsentFix does not steal passwords, intercept sessions, or present fake login pages. Instead, it abuses trusted first-party OAuth apps such as Azure CLI. Azure CLI is a public client: it redeems an authorization code for tokens without presenting a client secret, so anyone holding a valid code can redeem it. When the victim signs in through the legitimate Microsoft page, Microsoft redirects the browser to a localhost URL that carries the authorization code. By tricking the victim into pasting that URL into the phishing page, the attacker obtains the code and redeems it from their own Azure CLI instance, which establishes an OAuth connection between the victim’s Microsoft account and the attacker’s CLI session. The actor thereby gains full access to the victim’s Microsoft account without supplying credentials or passing an MFA check, because the victim already satisfied MFA during the genuine sign-in.
Security Officer Comments:
The attack chain begins when a victim reaches a compromised website through a Google search. Researchers note that most of these sites are high-reputation domains that rank well in search results. The sites are injected with a fake Cloudflare Turnstile challenge that asks visitors to enter an email address for “verification” before continuing to the site.
“If a domain not on the target list was provided, the victim was passed back to the original website and the attack did not progress to the next stage. Further, once the check has concluded per IP, the phishing page will no longer activate, even if a different email is provided,” note the researchers in their blog post.
If the email passes the check, the page loads instructions that guide the victim to click a “sign-in” button, which opens a legitimate Microsoft login page. After the victim logs in, Microsoft redirects the browser to a localhost URL (Azure CLI’s registered redirect URI) containing the authorization code for the user’s Microsoft account. To complete the phish, the page instructs the victim to copy that URL and paste it back into the attacker-controlled page; doing so hands the authorization code to the attacker, who redeems it for tokens and gains access to the account.
Suggested Corrections:
Organizations should restrict Azure CLI usage to users who need it, and monitor sign-in logs for unexpected Azure CLI sign-ins and OAuth grants. Users should also be trained never to copy and paste URLs from authentication flows into any external site for “verification” purposes. If a user is found to have pasted such a URL, treat the account as compromised and revoke its sessions and refresh tokens: the attacker holds valid tokens that do not depend on the password, so a password reset alone does not cut off access.
Push Security recommends defenders hunt for connections from the following IPs in Azure logs:
- 12[.]75[.]216.90
- 182[.]3[.]36[.]223
- 12[.]75[.]116[.]137
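As an added example (not code from Push Security or BleepingComputer), the Python script below shows one way to act on the hunting advice above: it re-fangs the published IP indicators and scans Entra ID sign-in records for either a hit on those IPs or an Azure CLI sign-in by a user who is not expected to use the CLI. Assumptions: record field names follow the Microsoft Graph `signIns` export (`userPrincipalName`, `appId`, `appDisplayName`, `ipAddress`, `createdDateTime`); `AZURE_CLI_APP_ID` is the well-known Azure CLI application ID, which you should confirm against a known-good Azure CLI sign-in in your own tenant; `SAMPLE_SIGNINS` and its app IDs and timestamps are constructed test data.

```python
"""Hunt for ConsentFix-style Azure CLI abuse in Entra ID sign-in records.

Added example, not code from Push Security or BleepingComputer.
Assumptions (labelled): record field names follow the Microsoft Graph
``signIns`` export; AZURE_CLI_APP_ID is the well-known Azure CLI application
ID (confirm in your own tenant); SAMPLE_SIGNINS is constructed test data.
"""
import re
from dataclasses import dataclass
from typing import Iterable

# Indicators from the report, exactly as published (defanged with [.]).
DEFANGED_IOCS = ["12[.]75[.]216.90", "182[.]3[.]36[.]223", "12[.]75[.]116[.]137"]


def refang(indicator: str) -> str:
    """Turn a defanged IP such as 12[.]75[.]216.90 into 12.75.216.90."""
    return re.sub(r"\[\.\]", ".", indicator.strip())


IOC_IPS = {refang(i) for i in DEFANGED_IOCS}

# Assumption: well-known Azure CLI application (client) ID. Confirm against a
# known-good Azure CLI sign-in in your tenant before relying on it.
AZURE_CLI_APP_ID = "04b07795-8ddb-461a-bbee-02f9e1bf7b46"
AZURE_CLI_DISPLAY_NAME = "Microsoft Azure CLI"


@dataclass(frozen=True)
class Finding:
    upn: str
    ip: str
    when: str
    reasons: tuple  # e.g. ("ioc_ip", "unexpected_azure_cli_user")


def is_azure_cli_signin(rec: dict) -> bool:
    """Match on the app ID first; the display name is a fallback for exports
    that omit appId."""
    return (rec.get("appId") == AZURE_CLI_APP_ID
            or rec.get("appDisplayName") == AZURE_CLI_DISPLAY_NAME)


def hunt(records: Iterable[dict], expected_cli_users: set) -> list:
    """Return one Finding per record that hits a published IOC IP or is an
    Azure CLI sign-in by a user outside the allow-list. A record can match
    both conditions; the reasons tuple records which ones fired."""
    allowed = {u.lower() for u in expected_cli_users}
    findings = []
    for rec in records:
        reasons = []
        ip = rec.get("ipAddress", "")
        upn = rec.get("userPrincipalName", "").lower()
        if ip in IOC_IPS:
            reasons.append("ioc_ip")
        if is_azure_cli_signin(rec) and upn not in allowed:
            reasons.append("unexpected_azure_cli_user")
        if reasons:
            findings.append(Finding(upn, ip, rec.get("createdDateTime", ""), tuple(reasons)))
    return findings


# Constructed sample records (not real log data; the non-CLI app ID is a dummy).
SAMPLE_SIGNINS = [
    {"userPrincipalName": "alice@example.com", "appId": AZURE_CLI_APP_ID,
     "appDisplayName": AZURE_CLI_DISPLAY_NAME, "ipAddress": "12.75.216.90",
     "createdDateTime": "2025-06-01T10:15:00Z"},
    {"userPrincipalName": "bob@example.com", "appId": AZURE_CLI_APP_ID,
     "appDisplayName": AZURE_CLI_DISPLAY_NAME, "ipAddress": "203.0.113.10",
     "createdDateTime": "2025-06-01T10:20:00Z"},
    {"userPrincipalName": "carol@example.com", "appId": "11111111-2222-3333-4444-555555555555",
     "appDisplayName": "Some Line-of-Business App", "ipAddress": "182.3.36.223",
     "createdDateTime": "2025-06-01T11:02:00Z"},
    {"userPrincipalName": "dave@example.com", "appId": "11111111-2222-3333-4444-555555555555",
     "appDisplayName": "Some Line-of-Business App", "ipAddress": "198.51.100.7",
     "createdDateTime": "2025-06-01T11:30:00Z"},
]
# Users who are expected to use Azure CLI (constructed allow-list).
EXPECTED_CLI_USERS = {"bob@example.com"}

if __name__ == "__main__":
    for f in hunt(SAMPLE_SIGNINS, EXPECTED_CLI_USERS):
        print(f"{f.when} {f.upn} from {f.ip}: {', '.join(f.reasons)}")
```

Feed `hunt()` a sign-in log export from the Entra admin center or Microsoft Graph. An `ioc_ip` hit is a direct indicator; `unexpected_azure_cli_user` is a lower-confidence signal to triage against the allow-list, and it is the one that keeps working after the attacker rotates infrastructure.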
https://www.bleepingcomputer.com/ne...ack-hijacks-microsoft-accounts-via-azure-cli/