In a year-end tradition that has become all too familiar to cybersecurity defenders, researchers have uncovered a novel attack vector targeting Microsoft Entra ID that weaponizes legitimate OAuth 2.0 authentication flows to harvest privileged access tokens.
The technique, dubbed “ConsentFix” by Push Security, is an evolution of the ClickFix social engineering paradigm. It lets threat actors bypass device compliance checks and Conditional Access policies by exploiting the authorization code flow of first-party Microsoft applications.
The attack fundamentally subverts how native public applications such as the Microsoft Azure CLI authenticate users.
When a victim visits a malicious website, the attacker generates a legitimate Microsoft Entra login URI targeting the “Microsoft Azure CLI” client application and the “Azure Resource Manager” resource.
This initiates the standard OAuth 2.0 authorization code flow, in which the application would normally open a listener on a random high port (the reply URI) to receive the authentication response.
In the legitimate scenario, after successful authentication Entra ID redirects the user to localhost with two key parameters: code (the authorization code) and the optional state parameter.
The Azure CLI captures this redirect and redeems the code for bearer tokens. In the ConsentFix attack, however, no application is listening on localhost, so the browser shows an error, but the URI still contains the sensitive authorization code, which the attacker manipulates the user into handing over through drag-and-drop or copy-paste actions.
Security researcher John Hammond demonstrated an improved version within days of the initial disclosure, eliminating the manual copy-paste requirement and enabling pure drag-and-drop extraction.
Once obtained, the attacker redeems the code from their own infrastructure, acquiring access tokens, ID tokens, and potentially refresh tokens that grant unfettered access to Azure Resource Manager and other cloud resources.
Detection by Anomaly Correlation
Forensic analysis reveals distinctive artifacts in Entra ID sign-in logs. Each successful attack generates two events: an initial interactive sign-in representing the victim’s authentication, followed by a non-interactive sign-in from the attacker’s infrastructure when the token is redeemed.
While the authorization code’s UTI differs from the bearer token’s UTI, breaking one possible correlation mechanism, the SessionId remains constant across both events.
Effective detection therefore links events that share the same SessionId, ApplicationId, and UserId, where the second event occurs within roughly ten minutes of the first.
The temporal threshold matters: legitimate automated scenarios such as GitHub Codespaces redeem codes within seconds, whereas social engineering attacks introduce human-scale delays.
Furthermore, legitimate Azure CLI usage shows both sign-ins originating from the same IP address, whereas attacks show geographic dispersion between the victim and the attacker’s infrastructure.
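The correlation described above, written out as an added example (not code from the article or from Push Security): it groups constructed sign-in records by SessionId, ApplicationId and UserId, pairs each interactive sign-in with a later non-interactive one inside the ten-minute window, and flags pairs whose IP addresses differ. The record field names, the 30-second lower bound used to ignore near-instant automation, and the sample data are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

AZ_CLI = "04b07795-8ddb-461a-bbee-02f9e1bf7b46"  # Azure CLI application ID from the article

def ev(time, interactive, session, uti, ip, user="user-1", app=AZ_CLI):
    # One constructed sign-in record; the field names are an assumption.
    return {"Time": datetime.fromisoformat(time), "Interactive": interactive,
            "UserId": user, "ApplicationId": app, "SessionId": session,
            "UTI": uti, "IP": ip}

# Constructed sample events; the IPs are documentation ranges, not real hosts.
SAMPLE_EVENTS = [
    # Legitimate CLI login: code redeemed in seconds from the same address.
    ev("2025-01-06T09:00:00", True,  "sess-a", "uti-1", "203.0.113.10"),
    ev("2025-01-06T09:00:03", False, "sess-a", "uti-2", "203.0.113.10"),
    # ConsentFix-like pair: human delay, then redemption from another address.
    ev("2025-01-06T10:15:00", True,  "sess-b", "uti-3", "203.0.113.10"),
    ev("2025-01-06T10:18:40", False, "sess-b", "uti-4", "198.51.100.7"),
    # Same session and a different IP, but outside the ten-minute window.
    ev("2025-01-06T11:00:00", True,  "sess-c", "uti-5", "203.0.113.10"),
    ev("2025-01-06T11:30:00", False, "sess-c", "uti-6", "198.51.100.7"),
]

def find_consentfix_candidates(events, max_delay=timedelta(minutes=10),
                               min_delay=timedelta(seconds=30)):
    """Pair each interactive sign-in with a later non-interactive one sharing
    SessionId, ApplicationId and UserId, arriving between min_delay (assumed;
    drops near-instant automation such as Codespaces) and max_delay (the
    roughly ten-minute window), and coming from a different IP address."""
    groups = defaultdict(list)
    for e in events:
        groups[(e["UserId"], e["ApplicationId"], e["SessionId"])].append(e)
    alerts = []
    for (user, app, session), evs in groups.items():
        evs.sort(key=lambda e: e["Time"])
        for i, first in enumerate(evs):
            if not first["Interactive"]:
                continue
            for second in evs[i + 1:]:
                delta = second["Time"] - first["Time"]
                if delta > max_delay:
                    break  # later events in this session are beyond the window
                if (not second["Interactive"] and delta >= min_delay
                        and second["IP"] != first["IP"] and second["UTI"] != first["UTI"]):
                    alerts.append({"UserId": user, "ApplicationId": app, "SessionId": session,
                                   "VictimIP": first["IP"], "RedeemIP": second["IP"],
                                   "DelaySeconds": int(delta.total_seconds())})
    return alerts
```

Against the sample data only the sess-b pair is reported; the same-IP redemption and the pair outside the window are left alone.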
While initial reports focused on the Microsoft Azure CLI (Application ID: 04b07795-8ddb-461a-bbee-02f9e1bf7b46), the weakness extends to numerous pre-consented first-party applications that accept localhost redirects.
High-risk targets include Microsoft Azure PowerShell, Visual Studio, Visual Studio Code, and the MS Teams PowerShell Cmdlets. Security researchers at EntraScopes.com have cataloged the full set of affected applications, including development and test URLs that are not publicly resolvable.
Mitigations
Organizations face a matrix of defensive options that trade deployment complexity against mitigation effectiveness.
The lowest-effort approach is to require explicit user assignment for the affected service principals, which shrinks the attack audience but demands a complete inventory of legitimate CLI users.
Conditional Access policies can block CLI tool access entirely, with exclusions for authorized personnel, though this requires careful baselining in report-only mode first.
The most robust defense uses Microsoft Entra ID’s Token Protection feature, which requires proof of possession through the Web Account Manager (WAM) broker on Windows. When enforced, a browser cannot establish the secure channel needed to redeem the code, fully neutralizing ConsentFix attacks.
Its scope is still limited to specific Microsoft 365 resources, however; Azure management scenarios are still awaiting official support despite client-side WAM availability in current Azure CLI and PowerShell versions.
For broader protection, Global Secure Access with compliant network checks can block subsequent token issuance from stolen refresh tokens, though it does not prevent the initial code redemption.
The chicken-and-egg problem of device management also requires careful exclusion policies for Intune and other management services.
As red teams rapidly weaponize these techniques and threat actors adapt them for phishing campaigns, defenders should immediately audit sign-in patterns for anomalous SessionId correlations, enforce user assignment controls for CLI applications, and evaluate their readiness for Token Protection.