
ConsentFix v3: Detecting and Mitigating Automated Azure OAuth Abuse

Security Arsenal Team
May 2, 2026
6 min read

A significant evolution in cloud intrusion tactics has emerged with the release of ConsentFix v3. Circulating on underground hacker forums, this tool automates what was previously a manual process: OAuth abuse via illicit consent grants.

For defenders, this represents a critical shift in the threat landscape. ConsentFix v3 allows threat actors to operate at scale, targeting Microsoft Entra ID (formerly Azure AD) to register malicious multi-tenant applications and automate the harvesting of user consent. This bypasses traditional controls like Multi-Factor Authentication (MFA) because the attack leverages the OAuth protocol itself—once a user clicks "Accept," the attacker possesses a valid, privileged access token.

Given the automated nature of this campaign, security teams must move beyond basic phishing awareness and implement technical controls to detect and block rogue application registrations and high-risk consent grants immediately.

Technical Analysis

Affected Platform

  • Microsoft Entra ID (Azure Active Directory)

Attack Mechanics

ConsentFix v3 operationalizes the "Illicit Consent Grant" attack technique (MITRE T1528). The attack chain typically unfolds as follows:

  1. Application Registration: The attacker uses automated scripts to register a malicious multi-tenant application in Azure AD. This app often masquerades as a legitimate service (e.g., document viewer or productivity tool).
  2. Permission Request: The application requests high-risk permissions, such as Sites.Read.All, User.Read.All, Mail.Read, or Mail.ReadWrite. These permissions allow access to sensitive data in SharePoint, OneDrive, and Exchange Online.
  3. Automated Consent Phishing: Unlike v1 and v2, which required manual user interaction, v3 automates the delivery of consent prompts. This may involve bulk email campaigns or compromising existing sessions to trigger consent flows programmatically.
  4. Token Harvesting: Once a user or administrator consents, the service principal is created in the tenant. The attacker then uses the granted permissions to acquire refresh and access tokens, establishing access that persists even after password resets or MFA changes.

Exploitation Status

  • Active In-The-Wild: Yes. ConsentFix v3 is currently being distributed and utilized by initial access brokers and ransomware operators.
  • CISA KEV: Not yet listed, but the underlying technique (OAuth abuse) is a top priority for cloud security.

Detection & Response

SIGMA Rules

YAML
---
title: Azure AD High-Risk OAuth Consent Granted
id: 8f4d9e21-7a6c-4b3d-9c1e-2f5a8b9c0d1e
status: experimental
description: Detects when a user consents to an application requesting high-risk permissions, indicative of ConsentFix or illicit consent grants.
references:
  - https://attack.mitre.org/techniques/T1528/
author: Security Arsenal
date: 2025/02/18
tags:
  - attack.initial_access
  - attack.t1528
logsource:
  product: azure
  service: auditlogs
detection:
  selection:
    OperationName|contains: 'Consent to application'
  filter_high_risk:
    TargetResources|contains:
      - 'User.Read.All'
      - 'Mail.Read.All'
      - 'Mail.ReadWrite'
      - 'Sites.Read.All'
      - 'Files.Read.All'
      - 'RoleManagement.ReadWrite.Directory'
  condition: selection and filter_high_risk
falsepositives:
  - Legitimate application registration by authorized administrators
level: high
---
title: Azure AD Service Principal Created via Risky Multi-Tenant App
id: 7c3e1a99-5b8d-4e2f-9a0b-1e4d5c6f7a8b
status: experimental
description: Detects the addition of a service principal from a multi-tenant application, often used in ConsentFix automation.
references:
  - https://learn.microsoft.com/en-us/entra/identity/monitoring-health/audit-log-activity-reference
author: Security Arsenal
date: 2025/02/18
tags:
  - attack.persistence
  - attack.t1136.003
logsource:
  product: azure
  service: auditlogs
detection:
  selection:
    OperationName|contains:
      - 'Add service principal'
      - 'Add appRoleAssignment to service principal'
  # Optional noise reduction: exclude known admin accounts by changing the
  # condition to 'selection and not filter_context'. It is left out of the
  # condition below so that every new service principal is caught by default.
  filter_context:
    InitiatedBy|contains: 'Admin'
  # Note: ConsentFix v3 creates service principals in the victim tenant; we look for the 'Add' events.
  condition: selection
falsepositives:
  - Installation of legitimate SaaS applications by IT staff
level: medium

KQL (Microsoft Sentinel)

KQL — Microsoft Sentinel / Defender
// Hunt for high-risk OAuth consent grants in the Entra ID audit log
AuditLogs
| where OperationName == "Consent to application"
// AuditLogs has no Caller/CallerIpAddress columns; the actor lives in the InitiatedBy dynamic column
| extend Caller = tostring(InitiatedBy.user.userPrincipalName)
| extend CallerIpAddress = tostring(InitiatedBy.user.ipAddress)
| extend TargetApp = tostring(TargetResources[0].displayName)
| extend Permissions = TargetResources[0].modifiedProperties
// Keep only the modifiedProperties entry that carries the granted scopes
| mv-apply Permissions on (where Permissions.displayName == "ConsentAction.Permissions")
| extend GrantedPermissions = tostring(Permissions.newValue)
| where GrantedPermissions has "User.Read.All"
    or GrantedPermissions has "Mail.Read.All"
    or GrantedPermissions has "Sites.Read.All"
    or GrantedPermissions has "Files.Read.All"
| project TimeGenerated, Caller, CallerIpAddress, TargetApp, GrantedPermissions, Result
| order by TimeGenerated desc
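The field extraction the KQL above relies on, run offline over constructed audit records so the parsing assumptions (where the granted scopes sit, how user consent differs from admin consent) can be checked before the query is deployed. This is an added Python example, not code from the original post; the layout of the ConsentAction.Permissions newValue string and the sample records are assumptions.

```python
import re
# Permissions the post treats as high-risk when granted to a third-party app.
HIGH_RISK_PERMISSIONS = {"User.Read.All", "Mail.Read", "Mail.ReadWrite", "Sites.Read.All",
                         "Files.Read.All", "RoleManagement.ReadWrite.Directory"}
# Assumption: ConsentAction.Permissions.newValue reads "[] => [[Id: ..., ConsentType: Principal, Scope: A B, ...]]"
SCOPE_RE = re.compile(r"Scope:\s*([^,\]]*)")
CONSENT_TYPE_RE = re.compile(r"ConsentType:\s*(\w+)")
def analyze_consent_event(event: dict):
    """Return a finding dict for a 'Consent to application' record, or None if it is not one."""
    if event.get("operationName") != "Consent to application":
        return None
    target = event["targetResources"][0]
    new_value = next((p.get("newValue", "") for p in target.get("modifiedProperties", [])
                      if p.get("displayName") == "ConsentAction.Permissions"), None)
    if new_value is None:
        return None
    scope = SCOPE_RE.search(new_value)
    granted = scope.group(1).split() if scope else []
    ctype = CONSENT_TYPE_RE.search(new_value)
    return {
        "app_name": target.get("displayName", ""),
        "actor": event.get("initiatedBy", {}).get("user", {}).get("userPrincipalName", "unknown"),
        # "Principal" = one user consented for themselves; "AllPrincipals" = tenant-wide admin consent
        "consent_type": ctype.group(1) if ctype else "Unknown",
        "granted": granted,
        "high_risk": sorted(p for p in granted if p in HIGH_RISK_PERMISSIONS),
    }

def high_risk_consents(events):
    """Keep only consents that include at least one high-risk permission."""
    return [f for f in map(analyze_consent_event, events) if f and f["high_risk"]]

def _event(app, upn, new_value):
    # Constructed audit record shaped like an Entra ID 'Consent to application' entry (not real data).
    return {"operationName": "Consent to application",
            "initiatedBy": {"user": {"userPrincipalName": upn, "ipAddress": "203.0.113.10"}},
            "targetResources": [{"displayName": app, "modifiedProperties": [
                {"displayName": "ConsentAction.Permissions", "newValue": new_value}]}]}

SAMPLE_EVENTS = [
    _event("Doc Viewer Pro", "alice@example.com",
           "[] => [[Id: 1, ClientId: 2, ConsentType: Principal, Scope: User.Read Mail.Read Sites.Read.All, CreatedDateTime: x]]"),
    _event("Calendar Helper", "bob@example.com",
           "[] => [[Id: 3, ClientId: 4, ConsentType: Principal, Scope: User.Read Calendars.Read, CreatedDateTime: x]]"),
    {"operationName": "Add service principal", "initiatedBy": {}, "targetResources": [{"displayName": "x"}]},
]
if __name__ == "__main__":
    for f in high_risk_consents(SAMPLE_EVENTS):
        print(f"[!] {f['actor']} granted {f['high_risk']} to '{f['app_name']}' ({f['consent_type']})")
```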

Velociraptor VQL

VQL — Velociraptor
-- Hunt for PowerShell processes utilizing Azure AD modules to register apps or consent
-- This detects the local execution of ConsentFix automation scripts on endpoints.
SELECT Pid, Name, CommandLine, Exe, Username, CreateTime
FROM pslist()
WHERE Name =~ 'powershell.exe'
  AND (
    CommandLine =~ 'Connect-AzureAD' 
    OR CommandLine =~ 'New-AzureADApplication' 
    OR CommandLine =~ 'Add-AzureADServicePrincipal' 
    OR CommandLine =~ 'Microsoft.Graph'
  )
  -- Filter out common internal scripts to reduce noise (adjust the pattern to your environment)
  AND CommandLine !~ '@'

Remediation Script (PowerShell)

PowerShell
# Requires the Microsoft.Graph PowerShell module.
# Listing service principals and delegated grants needs more than the consent-policy scope:
# Connect-MgGraph -Scopes "Policy.ReadWrite.Authorization", "Directory.Read.All"

# Step 1: Disable user consent for all apps (prevents ConsentFix v3 from succeeding).
# An empty list of assigned permission-grant policies means the default user role may not consent.
Update-MgPolicyAuthorizationPolicy -DefaultUserRolePermissions @{ PermissionGrantPoliciesAssigned = @() }

Write-Host "[+] User consent has been disabled. Users can no longer grant permissions to apps."

# Step 2: Identify service principals that were granted high-risk delegated permissions recently.
# Delegated consents are stored as oauth2PermissionGrant objects; Scope is a space-separated list.
$HighRiskPerms = @('User.Read.All', 'Mail.Read.All', 'Sites.Read.All', 'RoleManagement.ReadWrite.Directory')
$DateCutoff = (Get-Date).AddDays(-30)

Get-MgOauth2PermissionGrant -All | ForEach-Object {
    $Grant = $_
    $Risky = ($Grant.Scope -split ' ') | Where-Object { $_ -in $HighRiskPerms }
    if (-not $Risky) { return }
    $Sp = Get-MgServicePrincipal -ServicePrincipalId $Grant.ClientId
    # CreatedDateTime can be null on older objects; treat those as worth reviewing too.
    if ($null -eq $Sp.CreatedDateTime -or $Sp.CreatedDateTime -ge $DateCutoff) {
        Write-Host "[!] Reviewing High-Risk Service Principal: $($Sp.DisplayName) (AppId: $($Sp.AppId))"
        Write-Host "    ConsentType: $($Grant.ConsentType)  Scopes: $($Risky -join ' ')"
        # Note: Manually review output before deletion.
    }
}

Write-Host "[!] Review listed Service Principals. Remove malicious ones using: Remove-MgServicePrincipal -ServicePrincipalId <ID>"

Remediation

  1. Disable User Consent: The most effective mitigation against ConsentFix v3 is to prevent users from consenting to applications. Configure the User consent settings in Entra ID to "Do not allow user consent" for all applications. This forces all requests to go through administrator review.

  2. Configure Consent Governance: If business operations require user consent, restrict it to applications published by verified publishers only. Do not allow consent for multi-tenant apps from unverified publishers.

  3. Audit Service Principals: Immediately audit all Service Principals in your directory. Focus on those created recently (last 30-60 days) with Sites.Read.All, Mail.Read, or User.Read permissions. Revoke credentials for any unknown or unapproved SPs.

  4. Block Unverified Publishers: In the Microsoft Entra admin center, navigate to Enterprise applications > Consent and permissions > User consent settings and configure the "Consent to apps from unverified publishers" setting to "Block consent".

  5. Conditional Access (CA): Implement Conditional Access policies that require device compliance or specific locations for accessing sensitive data (SharePoint Online, Exchange Online). This limits the utility of stolen OAuth tokens accessed from unknown locations.
