# ConsentFix v3 Escalates Azure OAuth Attack Campaign

Attackers are deploying ConsentFix v3, an automated OAuth abuse toolkit targeting Azure environments. The tool builds on earlier ConsentFix variants by automating consent-phishing workflows and scaling attacks across multiple targets simultaneously.

The attack chain exploits Azure's OAuth 2.0 implementation. Threat actors craft malicious applications requesting excessive permissions, then distribute phishing links to Azure users. Victims grant consent unknowingly. The automation layer allows operators to harvest tokens from hundreds of accounts with minimal manual intervention.

Once tokens are obtained, attackers gain persistent access to victim mailboxes, cloud storage, and calendar data. They can impersonate users to conduct lateral movement within organizations or establish long-term persistence through application registrations.

Defenders should monitor for suspicious application consent requests within Azure AD audit logs. Flag consent grants from external or newly registered applications requesting mail, calendar, or user impersonation scopes. Enforce conditional access policies requiring MFA for application consent flows. Review existing application permissions regularly and revoke suspicious registrations immediately.
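The consent-grant check described above, written as an added example that is not part of the original article. The flattened event fields (`app_owner_tenant`, `app_registered`, `admin_consent` and the rest), the tenant ids, the 30-day cutoff for "newly registered" and the sample events are all constructed assumptions; a real pipeline would populate them from audit log entries for the "Consent to application" activity plus an application lookup.

```python
from datetime import datetime, timedelta, timezone

HOME_TENANT = "11111111-1111-1111-1111-111111111111"  # constructed tenant id
NEW_APP_WINDOW = timedelta(days=30)  # assumed cutoff for "newly registered"
RISKY_PREFIXES = ("mail.", "calendars.")  # mail and calendar scope families
RISKY_EXACT = {"user_impersonation"}

def risky_scopes(scope_string):
    """Pick mail, calendar and impersonation scopes out of a space-delimited scope string."""
    return [s for s in scope_string.split()
            if s.lower().startswith(RISKY_PREFIXES) or s.lower() in RISKY_EXACT]

def review_consent(event, now):
    """Return the reasons to flag one consent event, or [] when it looks routine."""
    if event["activity"] != "Consent to application":
        return []
    scopes = risky_scopes(event["scopes"])
    reasons = []
    if event["app_owner_tenant"] != HOME_TENANT:
        reasons.append("external app")
    if now - event["app_registered"] <= NEW_APP_WINDOW:
        reasons.append("newly registered app")
    if not scopes or not reasons:
        return []  # flag only risky scopes granted to an external or new app
    if not event["admin_consent"]:
        reasons.append("user-level consent")
    return reasons + ["scopes: " + " ".join(scopes)]

def triage(events, now):
    """Map (user, app) to flag reasons for every event that needs review."""
    reviewed = {(e["user"], e["app"]): review_consent(e, now) for e in events}
    return {k: v for k, v in reviewed.items() if v}

def ev(activity, user, app, tenant, registered, scopes, admin=False):
    """Build one flattened, hypothetical consent record for the sample set."""
    return {"activity": activity, "user": user, "app": app, "app_owner_tenant": tenant,
            "app_registered": datetime.fromisoformat(registered).replace(tzinfo=timezone.utc),
            "scopes": scopes, "admin_consent": admin}

OTHER = "22222222-2222-2222-2222-222222222222"  # constructed external tenant id
NOW = datetime(2025, 1, 31, tzinfo=timezone.utc)
SAMPLE = [  # constructed events, not real log data
    ev("Consent to application", "alice@example.com", "DocViewer", OTHER, "2025-01-28", "Mail.Read offline_access"),
    ev("Consent to application", "bob@example.com", "HR Portal", HOME_TENANT, "2023-05-01", "Calendars.Read"),
    ev("Consent to application", "carol@example.com", "Survey", OTHER, "2022-03-10", "User.Read openid"),
    ev("Consent to application", "dave@example.com", "SyncTool", OTHER, "2021-07-04", "user_impersonation"),
    ev("Add service principal", "erin@example.com", "DocViewer", OTHER, "2025-01-28", "Mail.Read"),
]
if __name__ == "__main__":
    print(triage(SAMPLE, NOW))
```

Only the first and fourth sample events are flagged: an internal long-standing app asking for calendar access and an external app asking only for sign-in scopes pass through, which keeps the alert volume tied to the combination the paragraph names.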

Organizations hosting sensitive data in Azure should implement admin consent requirements, blocking user-level OAuth approvals entirely. This forces attackers to target administrators instead, creating detection opportunities at higher privilege levels.