ConsentFix v3 industrializes Azure OAuth phishing with Pipedream automation
ConsentFix v3, now circulating on underground forums, automates a phishing technique that abuses Microsoft’s pre-trusted first-party Azure apps to steal OAuth tokens despite MFA. The flow follows the same lineage as the original Push Security proof-of-concept and John Hammond’s drag-and-drop refinement: a victim is lured to a Cloudflare Pages-hosted clone of a Microsoft login screen, completes a genuine OAuth authorization at Microsoft’s endpoint, and is then tricked into handing back the localhost redirect URL containing an authorization code.
The v3 jump is operational rather than conceptual. The toolkit fingerprints target tenants, scrapes employee data for impersonation, and provisions burner accounts across Outlook, Tutanota, Cloudflare, DocSend, Hunter.io, and Pipedream. Pipedream is the load-bearing piece — it acts as the webhook receiver, the engine that immediately swaps the captured code for refresh tokens via Microsoft’s API, and the live collector that exposes harvested tokens to the operator. Stolen tokens are then loaded into Specter Portal for hands-on-keyboard access to mail, files, and anything else the consented scopes permit.
Defense is structurally awkward because the trust being abused — first-party apps and the Family of Client IDs sharing refresh tokens — is baked into the platform. Push Security points to token binding on managed devices, behavioral detection, and app authentication policies as the practical levers. Real-world adoption of v3 is not yet confirmed.
Continue reading at BleepingComputer.
This is an AI-generated summary. Read the original for the full story.