# ConsentFix v3: Automated OAuth Exploitation Targets Azure

Threat actors have deployed ConsentFix v3, an evolution of prior OAuth abuse techniques that adds automation and scale to attacks against Azure environments. The attack exploits the OAuth consent flow by tricking users into granting excessive permissions to malicious applications, which gives attackers persistent access to cloud resources without credential theft.

ConsentFix v3 differs from earlier variants through its automated deployment and infrastructure, allowing attackers to target multiple organizations simultaneously. The technique leverages legitimate OAuth mechanisms, making detection difficult for traditional security controls that focus on anomalous login patterns rather than permission grants.

Defenders should implement several mitigations. Enable conditional access policies in Azure to restrict consent grants based on risk signals. Audit application permissions granted to third-party apps, focusing on mail, calendar, and file access permissions. Deploy app governance controls to monitor and restrict OAuth applications. Configure user consent settings to require admin approval for applications requesting sensitive permissions.

Organizations should monitor for suspicious OAuth consent prompts requesting Graph API or Exchange Online permissions. Security teams need visibility into which applications users have authorized and the permission scopes each application was granted. Threat intelligence indicates this technique circulates actively on hacker forums, suggesting broader adoption is likely.
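
One way to run the permission audit and gain the visibility described above, as an added example that is not part of the original article: the script below reviews delegated grants shaped like Microsoft Graph `oauth2PermissionGrant` objects and flags those carrying mail, calendar, or file scopes. The sample records and their ids are constructed placeholders, and the sensitive-prefix list is an assumption based on the permission categories named above.

```python
import json

# Assumption: scope-name prefixes treated as sensitive, chosen to match the
# mail, calendar and file access categories named in the article.
SENSITIVE_PREFIXES = ("Mail.", "Calendars.", "Files.")

# Constructed sample shaped like Microsoft Graph oauth2PermissionGrant objects
# (GET /oauth2PermissionGrants). All ids are placeholders.
SAMPLE_GRANTS = json.loads("""
[
  {"id": "grant-1", "clientId": "sp-app-aaaa", "consentType": "Principal",
   "principalId": "user-1111", "resourceId": "sp-graph",
   "scope": "User.Read Mail.ReadWrite Files.Read.All offline_access"},
  {"id": "grant-2", "clientId": "sp-app-bbbb", "consentType": "AllPrincipals",
   "principalId": null, "resourceId": "sp-graph",
   "scope": " openid profile User.Read"},
  {"id": "grant-3", "clientId": "sp-app-cccc", "consentType": "AllPrincipals",
   "principalId": null, "resourceId": "sp-graph",
   "scope": "Calendars.Read mail.send"}
]
""")


def audit_grants(grants, prefixes=SENSITIVE_PREFIXES):
    """Return one finding per grant that carries a sensitive delegated scope."""
    lowered = tuple(p.lower() for p in prefixes)
    findings = []
    for g in grants:
        scopes = (g.get("scope") or "").split()
        hits = sorted(s for s in scopes if s.lower().startswith(lowered))
        if not hits:
            continue
        findings.append({
            "grant_id": g["id"],
            "client_id": g["clientId"],
            # Principal = one user consented; AllPrincipals = tenant-wide grant
            "tenant_wide": g.get("consentType") == "AllPrincipals",
            "principal_id": g.get("principalId"),
            "sensitive_scopes": hits,
            # offline_access allows refresh tokens, so access outlives the session
            "persistent": any(s.lower() == "offline_access" for s in scopes),
        })
    # Tenant-wide grants first, then by number of sensitive scopes
    findings.sort(key=lambda f: (not f["tenant_wide"], -len(f["sensitive_scopes"])))
    return findings


if __name__ == "__main__":
    for finding in audit_grants(SAMPLE_GRANTS):
        print(finding)
```

The `clientId` in each finding is the service principal of the application that received the grant, which is the object to review or revoke.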