‘ConsentFix’ Attack Hijacks Microsoft Accounts via Azure CLI OAuth

A new attack dubbed “ConsentFix” abuses the Azure CLI OAuth application to hijack Microsoft accounts without stealing a password or bypassing multi-factor authentication (MFA): the victim completes the real Microsoft sign-in, MFA included, and the attacker walks away with the resulting token. Cybersecurity firm Push Security discovered this variant, which steals the OAuth 2.0 authorization code that Azure CLI would normally exchange for an access token.

The ConsentFix attack starts with a fake Cloudflare Turnstile CAPTCHA widget that asks for a valid business email address. Users who pass the check are shown a ClickFix-style page that asks them to prove they are human by clicking a “Sign in” button. The button opens a legitimate Microsoft login URL in a new tab, where users authenticate normally on Microsoft’s real login page.

Once authenticated, Microsoft redirects the browser to a localhost URL, the redirect URI the Azure CLI normally listens on, carrying an Azure CLI OAuth authorization code tied to the account. With no CLI running locally the tab shows a connection error, but the code stays in the address bar. If the user pastes this URL into the malicious page, the attacker redeems the code for an Azure CLI access token and gains access to the Microsoft account through the Azure CLI OAuth app.

The lure fires only once per victim IP address, so a returning target, or an investigator retracing their steps from the same address, will not be shown the Cloudflare Turnstile check again. Because Azure CLI is a Microsoft first-party application, there is no third-party consent grant to find and revoke; the evidence is a successful, MFA-satisfied sign-in to Azure CLI that the user would not normally perform. To detect this, defenders should look for unusual Azure CLI sign-in activity (for example, accounts that have never used the CLI suddenly obtaining Azure CLI tokens) and monitor for requests involving legacy Graph scopes.
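The following is an added example, not code from Push Security, BleepingComputer or Microsoft. It illustrates both halves of the article: the first function shows what the victim is actually asked to paste (a loopback redirect URL with the authorization code in its query string, and nothing else is accepted as a code), and the second runs the detection idea above over constructed Entra sign-in records, flagging Azure CLI sign-ins by accounts that have no earlier Azure CLI history. The record field names follow the Microsoft Graph signIn resource; the records, user names, IP addresses and the cutoff are made up for this example. The Azure CLI application ID is Microsoft's publicly documented first-party ID, which you should confirm against your own tenant's sign-in logs before relying on it.

```python
# Added example, not code from Push Security, BleepingComputer or Microsoft.
# Part 1: what the victim is told to paste. Part 2: a first-time-Azure-CLI-user
# detector over constructed Entra sign-in records.
from datetime import datetime
from urllib.parse import parse_qs, urlparse

# Publicly documented first-party application ID of the Azure CLI.
# Confirm against your tenant's sign-in logs before using it in a rule.
AZURE_CLI_APP_ID = "04b07795-8ddb-461a-bbee-02f9e1bf7b46"


def extract_auth_code(pasted_url):
    """Return the OAuth authorization code from a loopback redirect URL.

    Azure CLI asks Microsoft to redirect to http://localhost:<port>/ when
    sign-in finishes. With no CLI listening, the browser shows an error page
    whose address bar still holds ?code=...; that is the string the phishing
    page asks for. Anything that is not such a URL returns None, so a real
    login URL or an error redirect is never mistaken for a code.
    """
    parts = urlparse(pasted_url)
    if parts.scheme != "http" or parts.hostname not in ("localhost", "127.0.0.1"):
        return None
    code = parse_qs(parts.query).get("code", [None])[0]
    return code or None


def _ts(value):
    # Sign-in timestamps are ISO 8601 with a trailing Z (UTC).
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def flag_new_cli_users(signins, cutoff):
    """Return Azure CLI sign-ins at or after `cutoff` by users who had no
    Azure CLI sign-in before it. An account that never used the CLI and
    suddenly obtains an Azure CLI token is the anomaly the article points at.
    """
    cutoff_dt = _ts(cutoff)
    cli = [s for s in signins if s["appId"] == AZURE_CLI_APP_ID]
    baseline = {s["userPrincipalName"] for s in cli if _ts(s["createdDateTime"]) < cutoff_dt}
    return [
        s for s in cli
        if _ts(s["createdDateTime"]) >= cutoff_dt and s["userPrincipalName"] not in baseline
    ]


# Constructed sample records (not real log data). dev1 is an engineer who uses
# the CLI routinely; finance1 never has, until a single sign-in from a new IP.
OTHER_APP_ID = "11111111-2222-3333-4444-555555555555"  # constructed, any other app
SAMPLE_SIGNINS = [
    {"createdDateTime": "2025-05-01T09:00:00Z", "userPrincipalName": "dev1@example.com",
     "appId": AZURE_CLI_APP_ID, "appDisplayName": "Microsoft Azure CLI", "ipAddress": "203.0.113.10"},
    {"createdDateTime": "2025-05-12T14:02:00Z", "userPrincipalName": "dev1@example.com",
     "appId": AZURE_CLI_APP_ID, "appDisplayName": "Microsoft Azure CLI", "ipAddress": "203.0.113.10"},
    {"createdDateTime": "2025-05-12T14:05:00Z", "userPrincipalName": "finance1@example.com",
     "appId": AZURE_CLI_APP_ID, "appDisplayName": "Microsoft Azure CLI", "ipAddress": "198.51.100.7"},
    {"createdDateTime": "2025-05-12T14:06:00Z", "userPrincipalName": "finance1@example.com",
     "appId": OTHER_APP_ID, "appDisplayName": "Some Line-of-Business App", "ipAddress": "198.51.100.7"},
]


if __name__ == "__main__":
    # Constructed paste: the code value is a placeholder, not a real token.
    print(extract_auth_code("http://localhost:8400/?code=CONSTRUCTED_CODE_123&state=xyz"))
    for hit in flag_new_cli_users(SAMPLE_SIGNINS, "2025-05-12T00:00:00Z"):
        print("first-time Azure CLI sign-in:", hit["userPrincipalName"], hit["ipAddress"])
```

In a real tenant the baseline would come from weeks of historical sign-in logs rather than four records, and the same filter (application ID equal to the Azure CLI's, user not in the CLI baseline) is the starting point for a query over Entra sign-in logs in whichever SIEM holds them.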

Source: https://www.bleepingcomputer.com/news/security/new-consentfix-attack-hijacks-microsoft-accounts-via-azure-cli