
New Automated OAuth Attack Targeting Microsoft Azure Circulates on Hacker Forums


AI-generated from multiple sources. Verify before acting on this reporting.

LONDON (Reuters) - Cybercriminals are deploying a new automated attack technique called ConsentFix v3 that targets Microsoft Azure environments by exploiting OAuth authorization flows, security researchers said on Friday.

The attack method, which has been promoted on hacker forums, automates phishing campaigns against Azure tenants worldwide. It leverages trust in first-party applications and pre-consented authorization flows to bypass standard security measures.

Push Security researchers identified the technique and warned that it represents a significant escalation in the sophistication of credential theft operations. The tool allows attackers to scale OAuth abuse attacks without requiring direct user interaction for each target, according to the analysis.

ConsentFix v3 operates by manipulating the OAuth consent process. When a user grants permission to an application, the system records that consent. The new technique exploits this mechanism by automating the creation of malicious applications that appear legitimate, tricking users into granting access or reusing existing consent grants.

Microsoft Azure remains one of the most widely used cloud platforms globally, making it a prime target for such attacks. The technique does not require the compromise of individual user credentials in the traditional sense. Instead, it abuses the trust relationship between users and authorized applications.

The attack has been circulating on underground forums since early May. Researchers noted that the tool is being marketed as a service, with sellers offering access to the automated infrastructure for a fee. This commercialization suggests a growing demand for scalable attack methods among cybercriminal groups.

Security experts advise organizations to review their OAuth configurations and implement stricter consent policies. Microsoft has not yet issued a specific advisory regarding ConsentFix v3, though the company regularly updates its security guidance for Azure administrators.
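One way to carry out the consent review described above is to audit an export of delegated permission grants. The following is an added example, not code from Push Security, Microsoft or the original report; it assumes records shaped like Microsoft Graph `oauth2PermissionGrant` and `servicePrincipal` objects, and the risky-scope list, the trusted-tenant set and all sample data are constructed for illustration.

```python
RISKY_SCOPES = {"Mail.Read", "Mail.ReadWrite", "Mail.Send", "Files.ReadWrite.All",
                "Directory.ReadWrite.All", "offline_access"}  # assumed list, tune per tenant

def audit_grants(grants, service_principals, trusted_owner_tenants):
    """Flag grants with risky scopes held by apps not owned by a trusted tenant."""
    sp_by_id = {sp["id"]: sp for sp in service_principals}
    findings = []
    for g in grants:
        # Graph stores delegated scopes as one space-separated string.
        risky = sorted(set((g.get("scope") or "").split()) & RISKY_SCOPES)
        if not risky:
            continue
        sp = sp_by_id.get(g["clientId"])
        reasons = []
        if sp is None:
            reasons.append("client service principal missing from inventory")
        elif sp.get("appOwnerOrganizationId") not in trusted_owner_tenants:
            reasons.append("app registered in an untrusted tenant")
            if not (sp.get("verifiedPublisher") or {}).get("verifiedPublisherId"):
                reasons.append("publisher not verified")
        if not reasons:
            continue
        tenant_wide = g.get("consentType") == "AllPrincipals"  # admin consent for every user
        findings.append({
            "grant_id": g["id"],
            "app": sp["displayName"] if sp else g["clientId"],
            "risky_scopes": risky,
            "severity": "high" if tenant_wide else "medium",
            "reasons": reasons,
        })
    return sorted(findings, key=lambda f: f["severity"])  # "high" sorts before "medium"

# Constructed sample export (placeholder ids, not real tenants or apps).
HOME = "00000000-0000-0000-0000-00000000aaaa"
EXT = "00000000-0000-0000-0000-00000000bbbb"
SAMPLE_SPS = [
    {"id": "sp-1", "displayName": "Contoso HR Portal", "appOwnerOrganizationId": HOME, "verifiedPublisher": None},
    {"id": "sp-2", "displayName": "Doc Viewer Pro", "appOwnerOrganizationId": EXT, "verifiedPublisher": {}},
    {"id": "sp-3", "displayName": "Calendar Sync", "appOwnerOrganizationId": EXT,
     "verifiedPublisher": {"verifiedPublisherId": "1234567"}},
]
SAMPLE_GRANTS = [
    {"id": "g-1", "clientId": "sp-1", "consentType": "AllPrincipals", "scope": "User.Read Mail.Read"},
    {"id": "g-2", "clientId": "sp-2", "consentType": "AllPrincipals", "scope": "Mail.ReadWrite offline_access"},
    {"id": "g-3", "clientId": "sp-3", "consentType": "Principal", "principalId": "u-9", "scope": "Files.ReadWrite.All"},
    {"id": "g-4", "clientId": "sp-2", "consentType": "Principal", "principalId": "u-4", "scope": "User.Read openid"},
]

if __name__ == "__main__":
    for finding in audit_grants(SAMPLE_GRANTS, SAMPLE_SPS, {HOME}):
        print(finding)
```

Apps owned by a tenant in `trusted_owner_tenants` are skipped by design, so this inventory does not cover abuse of the pre-consented first-party applications the report also mentions.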

The emergence of ConsentFix v3 highlights the evolving nature of cloud-based threats. As organizations increasingly rely on third-party integrations, the attack surface expands. Attackers are adapting to these changes by developing tools that exploit the very mechanisms designed to facilitate secure access.

Questions remain about the full extent of the tool's deployment and whether any major organizations have already been compromised. Researchers are continuing to monitor hacker forums for updates and variations of the technique. The situation remains fluid as defenders work to understand the scope of the threat and develop effective countermeasures.