
John Hammond Explores New 'ConsentFix' Attack Technique Targeting Microsoft 365 and Entra ID
In this video, John Hammond explores a new attack technique called ConsentFix, which combines phishing with abuse of OAuth permissions to take control of Microsoft 365 or Entra ID accounts. The attack is inspired by the classic ClickFix concept, where a victim is prompted to click a fake verification button (such as "I am not a robot"), but it goes further by targeting cloud environments rather than the victim's local machine. John Hammond admits to being immediately fascinated by this technique, a reaction he describes as being "nerd sniped," and decides to dissect it to reveal how it works and why it is dangerous.
The ConsentFix attack relies on a phishing campaign that exploits a weakness in the OAuth authentication flow. Victims are redirected to a malicious or compromised site, often via a Google search, where they encounter a fake page mimicking a Cloudflare Turnstile or reCAPTCHA challenge. Unlike traditional attacks, this method requires the victim to enter their email address, which is then checked to confirm it belongs to a targeted professional domain. Once the email is validated, the victim is sent to a legitimate Microsoft Entra ID page, where they click a login button. If the victim is already signed in (thanks to active session cookies), they are redirected to a localhost page containing an OAuth authorization code. Once the victim copies or drag-and-drops this code, the attacker retrieves it and uses it to authenticate as the Azure CLI application, a Microsoft application that is trusted by default in every Entra ID tenant.
What makes this attack particularly formidable is that it bypasses the usual security mechanisms. In classic OAuth attacks the attacker must register a malicious application and convince the victim to grant it explicit permissions; ConsentFix instead abuses a legitimate and trusted application, Azure CLI. This application, developed by Microsoft, is implicitly authorized in all Entra ID environments and requires no manual approval. Once the OAuth code is retrieved, the attacker can obtain access and refresh tokens, giving them full access to the victim's account. This includes not only email via Outlook but also Microsoft Teams, OneDrive, SharePoint, and every other resource associated with the Microsoft 365 account. John Hammond emphasizes that this technique is particularly insidious because it leaves almost no trace on the victim's device: everything happens inside the browser.
To illustrate the attack, John Hammond gives a practical demonstration. He shows how an attacker could create a fake Microsoft login page that prompts the victim to click a login button. If the victim is already signed in, they are redirected to a localhost page containing the valuable OAuth code. To make the attack more credible, he notes that manual code copying can be replaced with a simple drag-and-drop, reducing friction and increasing the chances of success. He also explains that, although Microsoft prevents its login pages from being embedded in iframes for security reasons, this limitation can be worked around with pop-ups that guide the victim through seemingly innocuous steps.
From a technical standpoint, the attack exploits the same HTTP requests Azure CLI uses to talk to the Microsoft API. The attacker prepares a specific URL containing the Azure CLI application's client ID and the victim's domain, which triggers a legitimate authentication. Once the OAuth code is obtained, the attacker can use it to complete the application's sign-in in the victim's tenant and thereby gain persistent access. John Hammond notes that Entra ID sign-in logs might show connections via the Azure CLI application, but these entries can be mistaken for legitimate use, which makes detection difficult.
The practical implications of this attack are alarming. It shows how easily an attacker can compromise an entire cloud environment with minimal effort, without even sending a phishing email: a single visit to a compromised website can trigger the attack. John Hammond stresses the importance of educating users about the risks of suspicious redirections and unexpected login prompts, even when they appear to come from legitimate sources like Microsoft. He also suggests that companies strengthen their security policies by closely monitoring sign-ins via applications like Azure CLI and by limiting default permissions.
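The monitoring that Hammond recommends can be started with a simple hunt over Entra ID sign-in data. The following is an added example, not code from the video or from Microsoft: it runs over constructed sign-in records (simplified field names, not the exact Graph schema) and flags Azure CLI activity that breaks a user's normal pattern, in particular a token redemption from an IP address that never performed the interactive sign-in, which is exactly the split between victim browser and attacker machine described above. The Azure CLI client ID is the well-known public value; verify it against the service principal in your own tenant.

```python
"""Hunt for Azure CLI sign-ins that do not fit a user's normal pattern."""
from collections import defaultdict
from datetime import datetime

# Well-known public client ID of Microsoft Azure CLI (verify in your tenant).
AZURE_CLI_APP_ID = "04b07795-8ddb-461a-bbee-02f9e1bf7b46"

# Constructed sample events: alice uses the CLI routinely; bob never did, then a
# browser sign-in to Azure CLI appears, followed by token use from another IP.
SAMPLE_EVENTS = [
    {"time": "2024-05-01T09:00:00", "user": "alice@example.com",
     "appId": AZURE_CLI_APP_ID, "ip": "203.0.113.10", "interactive": True},
    {"time": "2024-05-02T09:05:00", "user": "alice@example.com",
     "appId": AZURE_CLI_APP_ID, "ip": "203.0.113.10", "interactive": False},
    {"time": "2024-05-03T14:00:00", "user": "bob@example.com",
     "appId": "00000000-0000-0000-0000-000000000000", "ip": "203.0.113.20",
     "interactive": True},
    {"time": "2024-05-03T14:02:00", "user": "bob@example.com",
     "appId": AZURE_CLI_APP_ID, "ip": "203.0.113.20", "interactive": True},
    {"time": "2024-05-03T14:03:30", "user": "bob@example.com",
     "appId": AZURE_CLI_APP_ID, "ip": "198.51.100.77", "interactive": False},
]


def find_suspect_cli_activity(events, baseline_users=frozenset()):
    """Return (user, reason, ip) findings for Azure CLI sign-ins that are either
    the first seen for a user outside the known-CLI-user baseline, or a
    non-interactive token use from an IP that never did an interactive Azure
    CLI sign-in for that user (code obtained in one browser, redeemed elsewhere)."""
    findings = []
    seen_cli_users = set(baseline_users)
    interactive_ips = defaultdict(set)  # user -> IPs with interactive CLI sign-in
    for ev in sorted(events, key=lambda e: datetime.fromisoformat(e["time"])):
        if ev["appId"] != AZURE_CLI_APP_ID:
            continue
        user, ip = ev["user"], ev["ip"]
        if user not in seen_cli_users:
            seen_cli_users.add(user)
            findings.append((user, "first Azure CLI sign-in for user", ip))
        if ev["interactive"]:
            interactive_ips[user].add(ip)
        elif ip not in interactive_ips[user]:
            findings.append((user, "Azure CLI token use from IP with no interactive sign-in", ip))
    return findings


if __name__ == "__main__":
    for finding in find_suspect_cli_activity(SAMPLE_EVENTS, {"alice@example.com"}):
        print(finding)
```

In production the baseline set would be built from the previous weeks of sign-in history, and the IP comparison could be widened to ASN or named location to reduce noise from mobile users.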
In conclusion, this video highlights an innovative and highly effective attack technique that exploits OAuth authentication mechanisms and the trust placed in Microsoft's own applications. John Hammond encourages cybersecurity professionals to familiarize themselves with the method so they can detect and counter it. He ends by inviting viewers to share their thoughts and ideas for improving defenses against such threats. To see the full demonstration and dig deeper into the topic, you can watch the video here: https://www.youtube.com/watch?v=AAiiIY-Soak.