A dangerous new phishing toolkit called ConsentFix v3 has surfaced, purpose-built to compromise Microsoft Entra ID (formerly Azure AD) accounts by automating the theft of OAuth 2.0 authorization codes. The attack chain concludes with session token replay, granting adversaries persistent, passwordless access to victims’ cloud resources. The toolkit’s reliance on Cloudflare infrastructure adds a layer of obfuscation that frustrates traditional blocklists and takedown efforts.

Security researchers who identified the campaign note that ConsentFix v3 streamlines what used to be a labor-intensive, multi-step attack into a single, scripted operation. By weaponizing the OAuth consent flow, threat actors sidestep multi-factor authentication (MFA) rather than break it: the victim satisfies MFA themselves when signing in to Microsoft, and the tokens issued to the attacker's application inherit that authenticated session, so the attacker never has to present a password or a second factor. Here's how the attack works, what makes v3 more dangerous than its predecessors, and how organizations can defend against this emerging threat.

What Is ConsentFix v3?

ConsentFix v3 is a phishing-as-a-service platform that abuses Microsoft's OAuth 2.0 authorization endpoint. Unlike credential-harvesting kits that steal usernames and passwords, ConsentFix tricks the victim into consenting to an application the attacker has registered; Microsoft then delivers a short-lived authorization code to the attacker's redirect URI, and the kit exchanges it for an access token and a long-lived refresh token. Those tokens give the attacker continuous, delegated access to Microsoft 365, Exchange Online, SharePoint, and any other service the granted permissions cover in the victim's Entra ID tenant.

The “v3” designation indicates this is the third major iteration of the toolkit. Earlier versions of ConsentFix relied on simpler hosting and lacked the automation capabilities seen today. Version 3 incorporates infrastructure orchestrated through Cloudflare Workers, making the phishing pages and callback URLs rapidly interchangeable. It also uses Cloudflare’s caching and DDoS protection to keep the malicious domains online longer.

Researchers first observed ConsentFix v3 in active campaigns during early 2025, but its development likely began months earlier. The toolkit is sold on underground forums, complete with step-by-step video guides and 24/7 support, mimicking the customer experience of legitimate SaaS products.

The OAuth Code Theft Attack Chain

OAuth 2.0 authorization code theft isn’t a new concept, but ConsentFix v3 simplifies every step so that even low-skill attackers can execute it successfully. The attack typically proceeds as follows:

1. Lure Delivery

Victims receive a highly targeted email or instant message containing a link. The message often impersonates a trusted service—think “DocuSign has shared a document” or “Action required: review your Teams permissions.” Social engineering is crafted to align with the victim’s role, making the request feel routine.

2. Consent Prompt

The link sends the victim through a Cloudflare-hosted landing page, dressed in Microsoft branding, to Microsoft's genuine authorization endpoint on login.microsoftonline.com. The request carries the attacker's client_id, the attacker's redirect_uri, and a scope list such as Mail.Read, Files.Read.All and offline_access, so the consent prompt the user sees is Microsoft's own, asking them to grant a plausibly named application permissions such as "Read your mail" or "Access your files." Because the address bar shows a real Microsoft domain and the prompt is real, many users approve without hesitation.

3. Authorization Code Delivery

When the victim clicks "Accept," Microsoft's authorization endpoint issues a one-time authorization code and redirects the browser to the redirect URI registered on the attacker's application, which ConsentFix hosts on a Cloudflare Worker. Nothing has to be intercepted in transit: the flow delivers the code straight to attacker-controlled infrastructure by design, because the attacker's app is the client that requested it. The Worker records the code and then forwards the victim to a benign page (a document, a Teams screen), so from the user's side the sign-in appears to have completed normally.

4. Token Exchange and Replay

The Worker immediately posts the authorization code, together with the application's client secret, to Microsoft's token endpoint and receives an access token and a refresh token. ConsentFix automates this exchange within seconds, well inside the code's roughly ten-minute lifetime. The refresh token is then stored and used to mint new access tokens on demand; it stays valid for as long as it is used regularly (the default inactivity limit is 90 days) or until it is revoked. The attacker can now read the victim's data without ever needing a password or MFA code.

5. Persistence and Lateral Movement

With a valid refresh token, the adversary can call any resource the consented permissions cover, acting as the victim. ConsentFix includes tools to enumerate the granted permissions, search through mailboxes, download files from SharePoint, and pivot to other resources the victim can reach within the same Entra ID tenant. The refresh token remains valid until it is revoked (explicitly, or as a side effect of a password change) or ages out through inactivity, and many organizations never revoke it because the consent event was not recognized as a compromise.
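
Steps 1 through 4 above come down to one URL: a request to Microsoft's real authorize endpoint whose query string names the attacker's application and callback. The following triage function is an added example written for this article, not code from ConsentFix or from any Microsoft tool. It parses an authorize URL the way a mail-security or URL-rewriting layer could, confirms that the host is indeed Microsoft's (which is all domain reputation ever sees), and flags the parts that actually decide who receives the code: an unknown client_id, a redirect_uri outside the tenant's approved hosts, the offline_access scope that yields a refresh token, high-impact Graph scopes, and prompt=consent. The client IDs, the workers.dev hostname and the allowlists are constructed placeholders.

```python
"""Triage an OAuth authorize URL extracted from a suspected lure.

Added example for this article; it is not part of ConsentFix or of any Microsoft
tooling. It shows why domain reputation fails against consent phishing: the host
is Microsoft's genuine authorization endpoint, and everything that decides who
gets the authorization code (client_id, redirect_uri, scope) lives in the query.
"""
from urllib.parse import parse_qs, urlparse

# Host on which a genuine Entra ID authorize request lands (add sovereign-cloud
# authorities such as login.microsoftonline.us if your tenant uses them).
MICROSOFT_AUTHORITY_HOSTS = {"login.microsoftonline.com"}

# Delegated Microsoft Graph scopes that give broad mailbox, file or directory access.
HIGH_IMPACT_SCOPES = {
    "Mail.Read", "Mail.ReadWrite", "Mail.Send", "MailboxSettings.ReadWrite",
    "Files.Read.All", "Files.ReadWrite.All", "Sites.Read.All", "Sites.ReadWrite.All",
    "Contacts.Read", "Directory.Read.All", "User.Read.All",
}

# Constructed allowlists for the example. In practice both come from the tenant's
# application inventory (app registrations and consented enterprise apps).
APPROVED_CLIENT_IDS = {"11111111-2222-3333-4444-555555555555"}   # hypothetical id
APPROVED_REDIRECT_HOSTS = {"login.microsoftonline.com", "intranet.example.com"}


def triage_authorize_url(url, approved_clients=APPROVED_CLIENT_IDS,
                         approved_redirect_hosts=APPROVED_REDIRECT_HOSTS):
    """Return a findings dict; 'verdict' is 'allow', 'review' or 'block'."""
    parsed = urlparse(url)
    query = {k: v[0] for k, v in parse_qs(parsed.query).items()}   # parse_qs decodes %xx
    redirect_uri = query.get("redirect_uri", "")
    # Scopes are space separated and may carry a resource prefix such as
    # https://graph.microsoft.com/Mail.Read; compare on the short name.
    scopes = query.get("scope", "").split()
    short_scopes = {s.rsplit("/", 1)[-1] for s in scopes}

    findings = {
        "host": parsed.hostname,
        # True for a real authorize request: this is exactly what reputation sees.
        "is_microsoft_endpoint": parsed.hostname in MICROSOFT_AUTHORITY_HOSTS
        and parsed.path.endswith("/authorize"),
        "client_id": query.get("client_id"),
        "redirect_uri": redirect_uri,
        "scopes": scopes,
        "flags": [],
    }
    flags = findings["flags"]

    if findings["client_id"] not in approved_clients:
        flags.append("unknown_client_id")
    if urlparse(redirect_uri).hostname not in approved_redirect_hosts:
        flags.append("untrusted_redirect_uri")
    if "offline_access" in short_scopes:
        flags.append("requests_refresh_token")       # offline_access = refresh token
    high = sorted(short_scopes & HIGH_IMPACT_SCOPES)
    if high:
        flags.append("high_impact_scopes:" + ",".join(high))
    if query.get("prompt") == "consent":
        flags.append("forces_consent_prompt")        # guarantees the consent screen

    # Block when an unknown app or an untrusted callback would receive durable or
    # high-impact access; anything else that looks odd goes to a human.
    untrusted = "unknown_client_id" in flags or "untrusted_redirect_uri" in flags
    durable = "requests_refresh_token" in flags or bool(high)
    if untrusted and durable:
        findings["verdict"] = "block"
    elif flags:
        findings["verdict"] = "review"
    else:
        findings["verdict"] = "allow"
    return findings


# Constructed lure URL modelled on the chain described above. The client_id and
# the workers.dev hostname are hypothetical placeholders, not real indicators.
LURE_URL = (
    "https://login.microsoftonline.com/common/oauth2/v2.0/authorize"
    "?client_id=aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee&response_type=code"
    "&redirect_uri=https%3A%2F%2Fsharepoint-sync-utility.example.workers.dev%2Fcb"
    "&scope=openid%20offline_access%20Mail.Read%20Files.Read.All"
    "&prompt=consent&state=doc-4471"
)

# Constructed benign request from an approved internal app asking only for sign-in.
BENIGN_URL = (
    "https://login.microsoftonline.com/common/oauth2/v2.0/authorize"
    "?client_id=11111111-2222-3333-4444-555555555555&response_type=code"
    "&redirect_uri=https%3A%2F%2Fintranet.example.com%2Fauth%2Fcallback"
    "&scope=openid%20profile%20User.Read"
)

if __name__ == "__main__":
    for u in (LURE_URL, BENIGN_URL):
        result = triage_authorize_url(u)
        print(result["verdict"], result["flags"])
```

Both URLs report is_microsoft_endpoint as True, which is the whole point: the lure is distinguishable only by its query parameters, so any control that stops at the hostname will pass it.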

Why ConsentFix v3 Is Harder to Detect

Traditional phishing indicators don't apply here. There is no fake login page to harvest credentials: the user authenticates and consents on login.microsoftonline.com, and the only attacker-controlled hop the browser visits is the redirect URI, a Cloudflare Workers hostname (a workers.dev subdomain or a custom domain fronted by Cloudflare) that can rotate frequently. Security tools that rely on domain reputation therefore see a legitimate Microsoft domain followed by a freshly minted hostname with no history, often named to resemble an Azure service.

ConsentFix v3 also relies on an application registered in the attacker's own Entra ID tenant. The attacker chooses the display name and picks something deceptive such as "Microsoft Office Secure Connector" or "SharePoint Sync Utility." The consent prompt shows that name together with the publisher's verification status: an app from a tenant that has not completed Microsoft's publisher verification is labelled "unverified," so the operators either register the app under a tenant that has been verified or count on users not noticing the label. Either way, the prompt reads like a routine request from a Microsoft-adjacent tool, and many users approve it.

Cloudflare's infrastructure is a critical enabler. By fronting both the landing page and the redirect URI with Cloudflare Workers, attackers hide the origin server behind Cloudflare's global edge, so security teams cannot block or report the origin IP directly. Blocking by IP address is useless, since the hostname resolves to Cloudflare edge addresses shared by millions of legitimate sites; blocking by hostname works, but the operators rotate hostnames faster than blocklists and takedown requests catch up.

The Scope of the Threat

Every Microsoft 365 and Azure customer is potentially at risk. While enterprise tenants with strict application consent policies are less vulnerable, the attack also targets smaller businesses that rely on default settings. Microsoft’s Secure Score includes recommendations to restrict user consent, but adoption remains inconsistent. A 2024 survey by a leading identity firm found that 37% of organizations still allow all users to consent to any application, a setting that ConsentFix v3 exploits directly.

Typical outcomes include:

  • Business Email Compromise (BEC): the attacker reads and forwards mail from the victim's mailbox, setting up invoice and payment fraud.
  • Data exfiltration: access to SharePoint and OneDrive enables mass downloading of sensitive documents.
  • Supply chain attacks: if the compromised account has access to partner tenants or shared resources, the attacker pivots outward.
  • Persistence without a foothold: the consent is recorded in the audit log as an ordinary "Consent to application" event, and every subsequent token refresh appears in the sign-in logs as a non-interactive sign-in attributed to the application rather than as a suspicious user login, so threat hunters who watch only interactive sign-ins miss it.

How Microsoft Is Responding

Microsoft has acknowledged the rise in OAuth consent phishing and continues to evolve its defenses. In Entra ID, continuous access evaluation (CAE) lets participating services reject an access token almost immediately after a revocation event, but only for clients that opt in; an attacker's application will not, so its access tokens live out their normal lifetime (about an hour by default) and its refresh token keeps working until it is explicitly revoked. Microsoft also provides:

  • App consent policy controls: Administrators can restrict which users can consent to applications and require admin approval for high-privilege permissions.
  • Verified publisher checks: Entra ID now shows warnings if an app’s publisher hasn’t been verified, though ConsentFix often uses a verified publisher.
  • Risk-based conditional access: Integration with Microsoft Entra ID Protection can detect anomalous token usage, but only after the initial compromise.

Nevertheless, the fundamental design of OAuth—delegating access via user consent—makes it difficult to block these attacks without disrupting legitimate applications. Microsoft’s guidance emphasizes user education, strict consent policies, and continuous monitoring of application permissions.

Steps to Protect Your Organization

No single control can eliminate the risk, but a layered defense can make ConsentFix v3 far less effective:

Restrict User Consent

Navigate to the Entra admin center > Enterprise applications > Consent and permissions > User consent settings. Choose the option "Do not allow user consent" or "Allow user consent for apps from verified publishers, for selected permissions (Recommended)." The latter lets users consent on their own only to apps from verified publishers and only for permissions an administrator has classified as low impact (typically basic sign-in scopes); anything that reads mail or files is routed to an admin.

Enable the admin consent workflow so that users can request approval for necessary apps. This prevents shadow IT while giving the security team visibility into what’s being granted.

Use Defender for Cloud Apps Integration

Microsoft Defender for Cloud Apps inventories the OAuth apps that have been granted access in the tenant, scores them, and can revoke their permissions. Create an OAuth app policy that alerts on, or automatically revokes, apps matching risky patterns: vague or Microsoft-sounding names, unverified publishers, high-privilege permissions, and a small number of consenting users.

Monitor for Abnormal Token Usage

Set up Sentinel analytics rules or use a SIEM to look for:
- "Consent to application" events in the audit log for apps that are not in your inventory, especially consents granted by end users rather than through the admin consent workflow.
- Non-interactive sign-ins from a user whose country or IP range doesn't match their interactive sign-ins.
- A sudden spike in Microsoft Graph token requests from a newly authorized application.
- Many refresh token exchanges for the same user and application within a short window.
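
The last three bullets can be expressed as a small hunting script. The one below is an added example written for this article, not a Sentinel rule or any Microsoft artefact. It runs over constructed sign-in records that reuse the real Entra ID sign-in log field names (userPrincipalName, appId, appDisplayName, isInteractive, ipAddress, location.countryOrRegion, resourceDisplayName, createdDateTime); the app IDs, users and addresses are placeholders. It builds each user's country baseline from their interactive sign-ins, then flags non-interactive token traffic from outside that baseline, activity by any app missing from the tenant inventory, and a burst of refreshes for one user and app inside a sliding window.

```python
"""Hunt for token-replay patterns in Entra ID sign-in log records.

Added example for this article; it is not a Microsoft or Sentinel artefact. The
records below are constructed and use a subset of the real sign-in log field
names (userPrincipalName, appId, appDisplayName, isInteractive, ipAddress,
location.countryOrRegion, resourceDisplayName, createdDateTime). The three rules
match the bullet list above: token traffic from a country the user never signs
in from interactively, activity by an app missing from the tenant inventory, and
a burst of refresh exchanges for one user and one app.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Hypothetical app IDs for the example (not the real Teams ID or any real app ID).
KNOWN_TEAMS_APP_ID = "00000000-aaaa-0000-0000-000000000001"
ROGUE_APP_ID = "ffffffff-0000-0000-0000-00000000beef"
KNOWN_APP_IDS = {KNOWN_TEAMS_APP_ID}          # constructed tenant app inventory

BURST_THRESHOLD = 5                            # non-interactive sign-ins ...
BURST_WINDOW = timedelta(minutes=10)           # ... inside this sliding window


def _ts(record):
    return datetime.fromisoformat(record["createdDateTime"].replace("Z", "+00:00"))


def hunt(records):
    """Return a list of findings: {rule, user, appId, detail}."""
    findings = []
    non_interactive = [r for r in records if not r["isInteractive"]]

    # Baseline: countries each user has signed in from interactively (password/MFA).
    baseline = defaultdict(set)
    for r in records:
        if r["isInteractive"]:
            baseline[r["userPrincipalName"]].add(r["location"]["countryOrRegion"])

    # Rule 1: token traffic from outside the user's interactive baseline,
    # reported once per user/app/country.
    reported = set()
    for r in non_interactive:
        user, app, country = r["userPrincipalName"], r["appId"], r["location"]["countryOrRegion"]
        if baseline.get(user) and country not in baseline[user] and (user, app, country) not in reported:
            reported.add((user, app, country))
            findings.append({"rule": "unusual_location", "user": user, "appId": app,
                             "detail": f"{country} from {r['ipAddress']}, baseline {sorted(baseline[user])}"})

    # Rule 2: any token traffic for an app that is not in the inventory.
    reported = set()
    for r in non_interactive:
        key = (r["userPrincipalName"], r["appId"])
        if r["appId"] not in KNOWN_APP_IDS and key not in reported:
            reported.add(key)
            findings.append({"rule": "unknown_app", "user": key[0], "appId": key[1],
                             "detail": f"{r['appDisplayName']} -> {r['resourceDisplayName']}"})

    # Rule 3: BURST_THRESHOLD or more refreshes for one user+app inside BURST_WINDOW.
    times = defaultdict(list)
    for r in non_interactive:
        times[(r["userPrincipalName"], r["appId"])].append(_ts(r))
    for (user, app), ts in times.items():
        ts.sort()
        start = 0
        for end in range(len(ts)):
            while ts[end] - ts[start] > BURST_WINDOW:
                start += 1
            if end - start + 1 >= BURST_THRESHOLD:
                findings.append({"rule": "refresh_burst", "user": user, "appId": app,
                                 "detail": f"{end - start + 1} token requests within {BURST_WINDOW}"})
                break
    return findings


def _rec(time, user, app_id, app_name, interactive, ip, country, resource="Microsoft Graph"):
    """Build one constructed sign-in record using the real field names."""
    return {"createdDateTime": time, "userPrincipalName": user, "appId": app_id,
            "appDisplayName": app_name, "isInteractive": interactive, "ipAddress": ip,
            "location": {"countryOrRegion": country}, "resourceDisplayName": resource}


# Constructed sample: alice works from the US on Teams; the rogue app she consented
# to in the lure replays her refresh token from the Netherlands, six times in five minutes.
SAMPLE_RECORDS = [
    _rec("2025-03-04T08:01:10Z", "alice@example.com", KNOWN_TEAMS_APP_ID, "Microsoft Teams", True, "203.0.113.10", "US"),
    _rec("2025-03-04T09:15:00Z", "alice@example.com", KNOWN_TEAMS_APP_ID, "Microsoft Teams", False, "203.0.113.10", "US"),
    _rec("2025-03-04T13:20:00Z", "alice@example.com", KNOWN_TEAMS_APP_ID, "Microsoft Teams", False, "203.0.113.10", "US"),
    _rec("2025-03-04T08:30:00Z", "bob@example.com", KNOWN_TEAMS_APP_ID, "Microsoft Teams", True, "203.0.113.22", "US"),
    _rec("2025-03-04T11:00:00Z", "bob@example.com", KNOWN_TEAMS_APP_ID, "Microsoft Teams", False, "203.0.113.22", "US"),
] + [
    _rec(f"2025-03-04T14:0{i}:30Z", "alice@example.com", ROGUE_APP_ID, "SharePoint Sync Utility",
         False, "198.51.100.77", "NL")
    for i in range(6)
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_RECORDS):
        print(f["rule"], f["user"], f["appId"], f["detail"])
```

On the sample, all three rules fire for alice and the rogue app and nothing fires for bob or for Teams. In production the baseline would come from weeks of interactive sign-ins rather than a single day, and the inventory from the tenant's service principals, but the shape of the logic is the same.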

Train Users on Consent Prompts

Update your phishing awareness programs to include OAuth consent screens. Show employees what a real Microsoft consent prompt looks like, point out the publisher line and the "unverified" label, and stress that they should never approve an application unless they initiated the action. Emphasize that a legitimate request will rarely appear out of the blue.

Revoke Suspicious Tokens Quickly

Leverage PowerShell or the Microsoft Graph API to revoke refresh tokens as soon as a compromise is suspected. Revoke-MgUserSignInSession (Microsoft Graph PowerShell) and the underlying POST /users/{id}/revokeSignInSessions call invalidate every refresh token issued for the user and force re-authentication; the older Revoke-AzureADUserAllRefreshToken cmdlet from the deprecated AzureAD module does the same. Revocation alone is not enough: also remove the illicit consent (the application's oauth2PermissionGrant) or delete the application's service principal from the tenant, otherwise the grant remains on record, and reset the password if the account shows any sign of credential compromise. In an incident, this is the critical containment step.
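
The containment sequence above, as an added example written for this article rather than Microsoft's own tooling: it calls the documented Graph v1.0 endpoints, POST /users/{id}/revokeSignInSessions to kill the user's refresh tokens, then GET /oauth2PermissionGrants filtered by clientId to find the grants held by the rogue app's service principal and DELETE on each of them to withdraw the consent. The HTTP sender is injectable, and the DryRunTransport answers with the documented success responses so the runbook can be rehearsed offline; the default transport sends real requests with urllib. Acquiring an admin bearer token (with, for example, User.ReadWrite.All and DelegatedPermissionGrant.ReadWrite.All) is assumed to have happened elsewhere, and the user, service principal id and token in the dry run are placeholders.

```python
"""Contain a consent-phishing compromise through Microsoft Graph.

Added example for this article, not Microsoft's own tooling. It uses documented
Graph v1.0 endpoints only: POST /users/{id}/revokeSignInSessions to invalidate
the user's refresh tokens, GET /oauth2PermissionGrants filtered by clientId to
find the illicit consent, and DELETE on each grant to remove it. The HTTP sender
is injectable so the sequence can be dry-run or tested offline; the default
sends real requests with urllib. Obtaining an admin bearer token (for example
with User.ReadWrite.All and DelegatedPermissionGrant.ReadWrite.All) is assumed.
"""
import json
import urllib.request
from urllib.parse import quote

GRAPH = "https://graph.microsoft.com/v1.0"


def _request(method, path, token):
    """Build a Graph request; the caller has already URL-quoted the path."""
    req = urllib.request.Request(GRAPH + path, method=method)
    req.add_header("Authorization", f"Bearer {token}")
    req.add_header("Accept", "application/json")
    return req


def live_send(req):
    """Default transport: perform the request, return (status, parsed JSON or None)."""
    with urllib.request.urlopen(req) as resp:
        body = resp.read()
        return resp.status, (json.loads(body) if body else None)


class DryRunTransport:
    """Records every call and answers with the documented success responses,
    so the containment sequence can be rehearsed without touching a tenant."""

    def __init__(self, grant_ids=("grant-1", "grant-2")):     # placeholder grant ids
        self.calls = []
        self.grant_ids = list(grant_ids)

    def __call__(self, req):
        method, url = req.get_method(), req.full_url
        self.calls.append((method, url))
        if method == "POST" and url.endswith("/revokeSignInSessions"):
            return 200, {"value": True}               # v1.0 answers 200 {"value": true}
        if method == "GET" and "/oauth2PermissionGrants?" in url:
            return 200, {"value": [{"id": g} for g in self.grant_ids]}
        if method == "DELETE" and "/oauth2PermissionGrants/" in url:
            return 204, None
        return 404, None


def revoke_user_sessions(user, token, send=live_send):
    """Invalidate every refresh token issued to the user (UPN or object id)."""
    status, body = send(_request("POST", f"/users/{quote(user)}/revokeSignInSessions", token))
    return status in (200, 204) and (body is None or body.get("value") is True)


def remove_consent(service_principal_id, token, send=live_send):
    """Delete all delegated grants held by the rogue app's service principal and
    return the ids removed. Revoking tokens alone leaves the consent on record;
    this is the step that actually withdraws it."""
    path = quote(f"/oauth2PermissionGrants?$filter=clientId eq '{service_principal_id}'",
                 safe="/?$=&'")
    status, body = send(_request("GET", path, token))
    if status != 200:
        raise RuntimeError(f"grant lookup failed with HTTP {status}")
    removed = []
    for grant in body.get("value", []):
        del_status, _ = send(_request("DELETE", f"/oauth2PermissionGrants/{quote(grant['id'])}", token))
        if del_status == 204:
            removed.append(grant["id"])
    return removed


def contain(users, service_principal_id, token, send=live_send):
    """Full containment: kill sessions for each affected user, then withdraw the consent."""
    return {
        "sessions_revoked": {u: revoke_user_sessions(u, token, send) for u in users},
        "grants_removed": remove_consent(service_principal_id, token, send),
    }


if __name__ == "__main__":
    rehearsal = DryRunTransport()
    # User, service principal id and token are placeholders for the dry run.
    print(contain(["alice@example.com"], "spid-hypothetical", "eyJ.placeholder", send=rehearsal))
    for call in rehearsal.calls:
        print(*call)
```

Run the dry run first to confirm the exact requests that will be sent, then swap in live_send with a real token. Order matters: revoke sessions before deleting the grant, so the attacker's outstanding refresh token is dead by the time the consent disappears from the tenant.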

The Bigger Picture

ConsentFix v3 demonstrates the maturation of the phishing economy. Attackers are no longer content with one-time credential harvesting; they seek durable, hard-to-detect access by exploiting the trust we place in OAuth. For Windows and Microsoft 365 users, the message is clear: the consent grant is now the credential. Organizations that treat application consent as a trivial user action will continue to fall victim.

Microsoft’s shift toward a passwordless future, with Entra ID at the center, only raises the stakes. As more organizations adopt phishing-resistant MFA and passkeys, attackers will shift focus to token-based attacks like this one. Defenders must respond by tightening consent policies, embracing continuous monitoring, and treating every OAuth token as a potential backdoor.