ConsentFix and OAuth consent phishing: are your controls keeping up?


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 4368

TL;DR: ConsentFix combines ClickFix-style social engineering with OAuth consent phishing to hijack Microsoft accounts by stealing authorization codes in the browser, bypassing passwords, MFA, and even passkeys, according to Push Security. The real issue is that identity controls built around authentication events do not protect the consent and token exchange path.

NHIMG editorial — based on content published by Push Security: ConsentFix and OAuth consent phishing analysis

By the numbers:

Questions worth separating out

Q: What breaks when OAuth consent phishing happens inside the browser instead of at login?

A: Browser-native OAuth phishing breaks the assumption that authentication controls protect the whole identity transaction.

Q: Why do Microsoft first-party apps create extra risk in consent phishing attacks?

A: First-party apps can be pre-consented in every tenant and may not be restrictable in the same way as third-party apps.

Q: How do security teams know if OAuth abuse is slipping past detection?

A: The warning signs are gaps between user activity and identity telemetry.

Practitioner guidance

  • Treat the browser as an identity control surface: instrument browser telemetry for paste events, unexpected redirect chains, and unusual OAuth code handling so malicious consent flows can be blocked before token redemption.
  • Harden Microsoft app consent and exclusions: review first-party app permissions, legacy scopes, and Conditional Access exclusions, then restrict access to vulnerable apps only for approved users and groups.
  • Enable the missing identity logs: turn on deprecated AADGraphActivityLogs and hunt for the application IDs and resource IDs associated with browser-native OAuth abuse.
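The "gaps between user activity and identity telemetry" warning sign above turns into a concrete hunt once browser-side OAuth events can be lined up against tenant sign-in logs. The script below is an added example, not Push Security's or NHIMG's code: it assumes browser telemetry records each redirect that carries an OAuth `code` parameter together with the `client_id` from the preceding authorize request (an assumed enrichment), and it runs over constructed sample events, flagging code redirects that never produce a matching sign-in and pastes that contain an authorization code.

```python
from datetime import datetime, timedelta
from urllib.parse import urlparse, parse_qs

# Constructed sample telemetry (not real tenant data). Browser events carry the
# client_id seen in the preceding /authorize request (an assumed enrichment).
BROWSER_EVENTS = [
    {"ts": "2024-05-01T09:00:05", "user": "alice@example.test", "type": "redirect",
     "client_id": "app-A", "url": "https://localhost/cb?code=CODE1&state=s1"},
    {"ts": "2024-05-01T09:00:20", "user": "alice@example.test", "type": "paste",
     "client_id": "app-A", "text": "https://localhost/cb?code=CODE1&state=s1"},
    {"ts": "2024-05-01T10:00:00", "user": "bob@example.test", "type": "redirect",
     "client_id": "app-B", "url": "https://app.example.test/cb?code=CODE2"},
]
IDENTITY_SIGNINS = [  # tenant-side sign-in log: user, app and time only
    {"ts": "2024-05-01T10:00:03", "user": "bob@example.test", "app_id": "app-B"},
]

def oauth_code(text):
    """Return the OAuth 'code' query value if text is a URL carrying one, else None."""
    try:
        qs = parse_qs(urlparse(text.strip()).query)
    except ValueError:
        return None
    return qs.get("code", [None])[0]

def find_gaps(browser_events, signins, window_minutes=10):
    """Flag code redirects with no matching tenant sign-in, and pasted auth codes."""
    ts = lambda s: datetime.fromisoformat(s)
    findings = []
    for ev in browser_events:
        # A user handling an authorization code by hand is itself worth a look.
        if ev["type"] == "paste" and oauth_code(ev["text"]):
            findings.append(("code_pasted", ev["user"], ev["client_id"]))
        if ev["type"] != "redirect" or not oauth_code(ev["url"]):
            continue
        # Expect the same user to appear in the tenant sign-in log for the same
        # app shortly after the code was issued; silence is the gap to hunt.
        start = ts(ev["ts"])
        matched = any(
            s["user"] == ev["user"] and s["app_id"] == ev["client_id"]
            and start <= ts(s["ts"]) <= start + timedelta(minutes=window_minutes)
            for s in signins)
        if not matched:
            findings.append(("no_signin_for_code", ev["user"], ev["client_id"]))
    return findings

if __name__ == "__main__":
    for finding in find_gaps(BROWSER_EVENTS, IDENTITY_SIGNINS):
        print(*finding)
```

Where the tenant-side log is simply missing (for example, the deprecated AADGraphActivityLogs not enabled), every code redirect comes back as a gap, which is exactly the blind spot the guidance is pointing at.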

What's in the full article

Push Security's full article covers the operational detail this post intentionally leaves for the source:

  • Step-by-step breakdown of the ConsentFix user journey from fake verification prompt to token redemption
  • The full list of vulnerable first-party Microsoft apps and the scopes tied to Conditional Access exclusions
  • Community detection guidance, including Elastic rules and hunting ideas from Glueck Kanja
  • Push Security's browser-side blocking and telemetry approach for real-time detection

👉 Read Push Security's analysis of the ConsentFix OAuth hijacking technique →

