Attackers now automate the theft of OAuth authorization codes and the immediate exchange for refresh tokens using a free serverless platform — a step change in scale from earlier credentialless phishing tricks.
How ConsentFix v3 turns OAuth into an automated pipeline
ConsentFix v3, as described on hacker forums and summarized by Push Security researchers, retains the original ConsentFix idea of abusing the OAuth2 authorization code flow but adds automation and scalability. The assault begins with reconnaissance: adversaries check for valid Azure tenant IDs to confirm the target environment, then harvest employee names, roles, and email addresses to craft believable impersonation.
That reconnaissance feeds a chain of preparatory steps. Attackers create accounts across services including Outlook, Tutanota, Cloudflare, DocSend, Hunter.io, and Pipedream to run the phishing operation, host decoys, gather additional data, and funnel exfiltrated credentials.
Pipedream: webhook, exchange engine, and live collector
Push Security highlights Pipedream — a free serverless integration platform — as the central automation engine in ConsentFix v3. In the promoted attack flow Pipedream performs three discrete roles: it receives the victim’s authorization code via a webhook endpoint; it immediately exchanges that code for a refresh token through Microsoft’s API; and it provides a central, real-time collector that makes captured tokens available to attackers.
That linkage collapses what was previously a manual handoff into an automated exchange: once a victim’s local redirect URL with an authorization code reaches the webhook, the backend automation completes the token trade without further attacker intervention.
Phishing flow: Cloudflare Pages, DocSend PDFs, and local redirect tricks
The lures in ConsentFix v3 blend technical abuse with social engineering. Attackers host phishing pages on Cloudflare Pages that imitate Microsoft/Azure interfaces and initiate a genuine OAuth login flow through Microsoft’s login endpoint. When a user completes the flow, the legitimate login can redirect to a localhost URL that contains an authorization code.
Victims are then socially engineered into returning that localhost URL to the attacker-controlled page — historically by pasting, more recently by drag-and-drop — which triggers the serverless pipeline. Push Security notes attackers embed links inside PDFs hosted on DocSend and personalize phishing emails with harvested employee data to improve credibility and evade spam filters.
Post-exploitation: Specter Portal and token-powered access
Once captured and exchanged, tokens are imported into Specter Portal, giving attackers programmatic access to compromised Microsoft environments within the permissions allowed by each token. Accessed resources can include email and files and any other services tied to the account’s granted scopes. Push Security’s testing used its own Microsoft accounts, and the researchers caution the real-world impact varies by tenant settings, permissions, and enabled services.
Push Security also links ConsentFix v3 to an architectural challenge: the technique targets first-party Microsoft apps that are pre-trusted and, in some environments, covered by Family of Client IDs (FOCI), which allow Microsoft applications to share permissions and refresh tokens — a configuration that can complicate mitigation.
Mitigations for administrators and security teams
Push Security lists a handful of concrete defensive measures administrators can apply even though the underlying trust model makes full mitigation difficult. These include applying token binding to trusted devices, establishing behavioral detection rules to spot anomalous token use, and enforcing app authentication restrictions. The researchers underline that tenant configuration, permission scopes, and service settings materially influence the severity of any successful compromise.
What this means for security teams, administrators, and end users
- Security teams should watch for automation platforms acting as real-time token collectors and may need detection rules for unusual webhook activity or rapid token exchanges tied to newly created external accounts.
- Administrators should review tenant-level app consent and Family of Client IDs (FOCI) behavior, and consider device-bound token policies and app authentication restrictions as practical controls.
- End users should be aware that real OAuth login pages and local redirect behavior can be weaponized and that drag-and-drop or paste operations returning a localhost URL can enable account takeover even with MFA in place.
ConsentFix v3 repackages a known OAuth weakness with automation that compresses time and reduces manual steps for attackers. Push Security’s public testing used personal Microsoft accounts and the researchers note it is unclear whether the v3 variant has yet seen widespread criminal use, even as ConsentFix techniques have appeared in real campaigns. The technical detail — and the tractable defensive measures Push Security recommends — offer immediate work for defenders while leaving open the central question: will automation turn a niche trick into a routine criminal capability?
