A new variation of the ClickFix attack dubbed 'ConsentFix' abuses the Azure CLI OAuth app to hijack Microsoft accounts without the need for a password or to bypass multi-factor authentication (MFA) verifications.
A ClickFix attack is a social engineering technique that attempts to trick users into running commands on their computer to install malware or steal data. They commonly use fake instructions that pretend to fix an error or verify that they are human and not a bot.
This new ConsentFix variant was discovered by cybersecurity firm Push Security, which explains that the ConsentFix technique steals OAuth 2.0 authorization codes that can be used to obtain an Azure CLI access token.
Azure CLI is a Microsoft command-line application that uses an OAuth flow to let users authenticate and manage Azure and Microsoft 365 resources from their local machine. In this campaign, attackers trick victims into completing that Azure CLI OAuth flow and then steal the resulting authorization code, which they exchange for full account access without needing the user's password or MFA.
The ConsentFix attack
A ConsentFix attack starts with the victim landing on a compromised, legitimate website that ranks high on Google Search results for specific terms.
The visitor is shown a fake Cloudflare Turnstile CAPTCHA widget that asks for a valid business email address. The attacker's script checks this address against a list of intended targets, filtering out bots, analysts, and anyone else not on the target list.
Victim prompted to enter their email address
Source: Push Security
Users who pass this check are shown a page that resembles ClickFix interaction patterns, providing the victim with instructions to verify they are human.
... continue reading