Zero-Malware Hijacking: ConsentFix Exploits OAuth Flows to Steal Microsoft 365 Accounts
Executive Summary
Cybercriminals have increasingly turned to evasive, zero-malware techniques to infiltrate corporate cloud networks. Security researchers have warned of a highly active campaign dubbed "ConsentFix." This attack bypasses traditional endpoint antivirus scanners and multi-factor authentication (MFA) by exploiting OAuth application consent flows inside Microsoft 365. By tricking corporate users into granting permissions to a rogue enterprise application, attackers obtain persistent, programmatic API access to the victim's mailbox and cloud storage. Administrators must lock down application consent policies immediately to mitigate this highly stealthy threat.
Deep-Dive Technical Analysis
Unlike traditional phishing campaigns that harvest user passwords or deploy malicious executables on host machines, ConsentFix relies entirely on OAuth 2.0 authorization flows, the standard framework that lets a user grant one cloud application scoped access to resources held by another.
The attack proceeds in the following sequence:
1. The Deceptive Consent Lure: The attacker sends a spear-phishing email, sponsored link, or chat message containing a URL that redirects the user to a legitimate Microsoft 365 sign-in and authorization screen.
2. The Rogue Enterprise App: The screen requests the user to grant access permissions to an "enterprise application" registered on the Azure tenant. The app is typically given a highly plausible name (e.g., "M365 PDF Utility" or "Office Update Helper").
3. Programmatic Token Issuance: The app requests sensitive, high-privilege permissions, such as Mail.ReadWrite, Files.ReadWrite.All, and offline_access. Once the victim clicks "Accept," the Microsoft authorization server generates an OAuth access token and a refresh token for the attacker's application.
4. Persistent, Password-Less Hijack: Armed with the refresh token, the attacker can programmatically query the Microsoft Graph API to read and write emails, exfiltrate files from OneDrive/SharePoint, or monitor user activity. This access remains active indefinitely, bypassing password resets and interactive MFA prompts, and does not require any malware to run on the victim's device.
Because the compromise occurs entirely within Microsoft's legitimate cloud infrastructure, traditional endpoint security tools and local network firewalls have no visibility into the intrusion.
Industry Impact and Recommendations
The ConsentFix campaign represents a major shift in cybercriminal tradecraft, highlighting how easily cloud perimeters can be bypassed when users are over-privileged. A compromised Microsoft 365 tenant can lead to massive corporate data theft, business email compromise (BEC) attacks, and unauthorized financial wire transfers.
We recommend that all cloud administrators implement the following immediate security controls:
1. Enforce Restricted User Consent Policies: Modify Microsoft Entra ID (Azure AD) settings to block standard users from consenting to third-party applications, particularly those requesting high-privilege permissions. All application requests should require explicit administrator approval.
2. Audit Active Enterprise Applications: Regularly audit the "Enterprise Applications" directory inside your Microsoft Entra ID portal. Review all registered apps for suspicious names, unknown developer profiles, or excessive permissions (especially offline_access and Mail.ReadWrite).
3. Configure Alert Rules for Consent Grants: Establish automatic security alerts in your SIEM (Security Information and Event Management) or Microsoft Defender for Cloud Apps to flag whenever a user grants consent to a newly registered or external application.
4. Implement Continuous Session Revocation: In the event of a suspected account compromise, administrators should immediately revoke all active refresh tokens and OAuth permissions associated with the compromised user account via the Azure portal or PowerShell.
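The four controls above, carried out with the Microsoft Graph PowerShell SDK (Install-Module Microsoft.Graph). This is an added example written for this page, not code from the original article or from Microsoft; the function names, the high-risk scope list and the sample user name are assumptions chosen for illustration, and it should be run against a test tenant first.

```powershell
# Added example (not from the original article): consent hardening and triage
# with the Microsoft Graph PowerShell SDK. Function names, the scope list and
# the sample user below are assumptions for illustration.

# Delegated scopes that warrant review when granted to an unfamiliar app.
$HighRiskScopes = @('offline_access', 'Mail.ReadWrite', 'Mail.Read',
                    'Files.ReadWrite.All', 'Files.Read.All', 'Sites.ReadWrite.All')

Connect-MgGraph -Scopes 'Policy.ReadWrite.Authorization',
                        'Application.Read.All',
                        'Directory.Read.All',
                        'DelegatedPermissionGrant.ReadWrite.All',
                        'AuditLog.Read.All',
                        'User.ReadWrite.All'

# 1. Block end-user consent entirely: an empty grant-policy list means users
#    cannot consent to any app, so requests go through admin consent instead.
function Disable-UserConsent {
    Update-MgPolicyAuthorizationPolicy -AuthorizationPolicyId 'authorizationPolicy' `
        -DefaultUserRolePermissions @{ PermissionGrantPoliciesAssigned = @() }
}

# 2. Audit delegated permission grants. Emit one record per grant that carries
#    a high-risk scope, noting whether the app is owned by another tenant.
function Get-SuspiciousConsentGrant {
    $tenantId = (Get-MgContext).TenantId
    foreach ($grant in Get-MgOauth2PermissionGrant -All) {
        $scopes = $grant.Scope -split ' ' | Where-Object { $_ }
        $risky  = $scopes | Where-Object { $HighRiskScopes -contains $_ }
        if (-not $risky) { continue }
        $sp = Get-MgServicePrincipal -ServicePrincipalId $grant.ClientId
        $external = $sp.AppOwnerOrganizationId -and ($sp.AppOwnerOrganizationId -ne $tenantId)
        [pscustomobject]@{
            GrantId     = $grant.Id
            AppName     = $sp.DisplayName
            AppId       = $sp.AppId
            OwnerTenant = $sp.AppOwnerOrganizationId
            External    = [bool]$external
            ConsentType = $grant.ConsentType   # 'Principal' = a single user consented
            PrincipalId = $grant.PrincipalId
            RiskyScopes = ($risky -join ' ')
        }
    }
}

# 3. Pull recent "Consent to application" events from the directory audit log,
#    the same records a SIEM alert rule would match on.
function Get-RecentConsentEvent {
    param([int]$Days = 7)
    $since = (Get-Date).AddDays(-$Days).ToUniversalTime().ToString('o')
    Get-MgAuditLogDirectoryAudit -All `
        -Filter "activityDisplayName eq 'Consent to application' and activityDateTime ge $since" |
        Select-Object ActivityDateTime,
                      @{ n = 'User'; e = { $_.InitiatedBy.User.UserPrincipalName } },
                      @{ n = 'App';  e = { ($_.TargetResources | Select-Object -First 1).DisplayName } },
                      Result
}

# 4. Contain a suspected compromise: delete the grant and invalidate the user's
#    refresh tokens so any token the attacker holds stops working.
function Revoke-ConsentAndSessions {
    param(
        [Parameter(Mandatory)] [string]$GrantId,
        [Parameter(Mandatory)] [string]$UserPrincipalName
    )
    Remove-MgOauth2PermissionGrant -OAuth2PermissionGrantId $GrantId
    $user = Get-MgUser -UserId $UserPrincipalName
    Revoke-MgUserSignInSession -UserId $user.Id | Out-Null
}

# Typical run (user name is an assumed placeholder):
Disable-UserConsent
Get-SuspiciousConsentGrant | Format-Table -AutoSize
Get-RecentConsentEvent -Days 14 | Format-Table -AutoSize
# Revoke-ConsentAndSessions -GrantId '<GrantId from the table above>' -UserPrincipalName 'alice@contoso.example'
```

Grants with ConsentType 'Principal' and External set to True are the pattern described in this article: a single user consented to an app registered outside the organization. Revoking the grant alone is not enough, because a refresh token already issued keeps working until the user's sign-in sessions are revoked, which is why the containment function does both.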