


Perceptive Security
SOC/SIEM Consultancy

New ConsentFix attack hijacks Microsoft accounts via Azure CLI
Published:
11 December 2025 at 15:10:49
Alert date:
11 December 2025 at 16:02:07
Source:
bleepingcomputer.com
A new attack variant called ConsentFix has been discovered that exploits the Azure CLI OAuth application to hijack Microsoft accounts. It is a variation of the previously known ClickFix attack methodology. The technique lets attackers compromise Microsoft accounts without needing the victim's password and without having to bypass multi-factor authentication (MFA) protections. The attack leverages legitimate Azure CLI functionality to gain unauthorized access to user accounts. This represents a significant security concern for organizations using Microsoft services and Azure infrastructure.
Technical details
ConsentFix is a variation of ClickFix attacks that abuses the Azure CLI OAuth app to hijack Microsoft accounts without passwords or an MFA bypass. The attack starts when victims land on compromised legitimate websites that rank high in Google Search. Victims are shown a fake Cloudflare Turnstile CAPTCHA that requests a business email address, which is checked against a target list. Successful targets see a ClickFix-style page with instructions to click a 'Sign in' button, which opens the legitimate Microsoft Azure CLI OAuth login page. After authentication, Microsoft redirects to localhost with a URL containing the Azure CLI OAuth authorization code. Victims paste this URL into the malicious page, which grants the attackers full Microsoft account access via the Azure CLI OAuth app. The attack triggers only once per victim IP address and leverages legacy Graph scopes to evade detection.
Mitigation steps:
Monitor for unusual Azure CLI login activity such as logins from new IP addresses. Monitor for legacy Graph scopes which attackers intentionally leverage to evade detection.
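The two monitoring checks above, as an added example that is not part of the original alert or its sources: Python detection logic run over constructed sign-in records that use Microsoft Graph signIn field names. The Azure CLI app ID is the well-known first-party value; reading "legacy Graph" as the Azure AD Graph resource is an assumption, and the placeholder IDs, sample records and function names are hypothetical.

```python
from collections import defaultdict

AZURE_CLI_APP_ID = "04b07795-8ddb-461a-bbee-02f9e1bf7b46"  # Microsoft Azure CLI
# Assumption: "legacy Graph" is read here as the Azure AD Graph resource.
LEGACY_GRAPH_ID = "00000002-0000-0000-c000-000000000000"
OTHER_APP = "11111111-1111-1111-1111-111111111111"  # constructed placeholder
OTHER_RES = "22222222-2222-2222-2222-222222222222"  # constructed placeholder

def _ev(ts, user, app, ip, res):
    """Build one record with the signIn fields the checks rely on."""
    return {"createdDateTime": ts, "userPrincipalName": user,
            "appId": app, "ipAddress": ip, "resourceId": res}

# Constructed sign-in records (not real telemetry); IPs are documentation ranges.
SAMPLE_SIGNINS = [
    _ev("2025-12-01T08:00:00Z", "alice@example.com", OTHER_APP, "192.0.2.10", OTHER_RES),
    _ev("2025-12-02T09:00:00Z", "alice@example.com", AZURE_CLI_APP_ID, "192.0.2.10", OTHER_RES),
    _ev("2025-12-03T10:00:00Z", "bob@example.com", OTHER_APP, "198.51.100.7", OTHER_RES),
    _ev("2025-12-03T10:05:00Z", "bob@example.com", AZURE_CLI_APP_ID, "203.0.113.50", LEGACY_GRAPH_ID),
    _ev("2025-12-04T11:00:00Z", "alice@example.com", AZURE_CLI_APP_ID, "192.0.2.10", LEGACY_GRAPH_ID),
]

def flag_azure_cli_signins(signins, baseline=None):
    """Flag Azure CLI sign-ins from an IP new to the user or to legacy Graph.

    baseline: optional {user: set_of_known_ips} from earlier log history.
    """
    seen = defaultdict(set)
    for user, ips in (baseline or {}).items():
        seen[user.lower()].update(ips)
    alerts = []
    # Process oldest first so each event is judged against prior history only.
    for ev in sorted(signins, key=lambda e: e["createdDateTime"]):
        user, ip = ev["userPrincipalName"].lower(), ev["ipAddress"]
        if ev.get("appId") == AZURE_CLI_APP_ID:
            reasons = []
            if ip not in seen[user]:
                reasons.append("new_ip")
            if ev.get("resourceId") == LEGACY_GRAPH_ID:
                reasons.append("legacy_graph")
            if reasons:
                alerts.append({"time": ev["createdDateTime"], "user": user,
                               "ip": ip, "reasons": reasons})
        seen[user].add(ip)  # every sign-in, any app, extends the user's known IPs
    return alerts

if __name__ == "__main__":
    for alert in flag_azure_cli_signins(SAMPLE_SIGNINS):
        print(alert)
```

Developers who use Azure CLI routinely will appear here from known IPs, so the new-IP signal is most useful when the baseline is seeded from several weeks of prior sign-in history.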
Affected products:
Microsoft Azure CLI
Microsoft 365
Microsoft accounts
Azure OAuth
Related links:
https://www.bleepingcomputer.com/tag/clickfix/
https://learn.microsoft.com/en-us/cli/azure/?view=azure-cli-latest
http://pushsecurity.com/blog/consentfix
Related CVEs:
Related threat actors:
IOCs:
Fake Cloudflare Turnstile CAPTCHA widgets, Compromised legitimate websites ranking high in Google Search, Azure CLI OAuth login pages used in phishing context, Localhost redirects containing Azure CLI OAuth authorization codes, Legacy Graph scopes usage
This article was created with the assistance of AI technology by Perceptive.
