While many of us are easing into the new year, attackers are not. Just before year’s end, #ConsentFix emerged, a clever #OAuth-based attack that abuses legitimate authentication flows to steal authorization codes and effectively hand attackers the keys to #MicrosoftEntra. For us, the year didn’t simply stop. Fabian Bader, Christopher Brumm and Thomas Naunheim took a closer look at why this attack works despite Conditional Access, which signals it leaves behind in the logs, and how defenders can detect and mitigate it before real damage is done. Full analysis & detections: 👉 https://lnkd.in/dgee_hie
Hi glueckkanja AG, Fabian Bader, thanks for sharing this, really valuable insight. I have a follow-up question: does this attack path also bypass Entra ID Protection policies such as sign-in risk or user risk? These detections often rely on signals like atypical or impossible travel when the IP/location changes significantly within a short time window. In a scenario where the attacker signs in only minutes after the legitimate user, from a different location, would you still expect Entra ID Protection to trigger these risk detections, or does the technique effectively avoid them as well?
It’s frustrating how these OAuth attacks slide right past Conditional Access because the flow looks technically valid. We battled a similar issue recently where the only red flag was a mismatch in the token exchange IP. You have to correlate those sign-in logs aggressively to catch the code theft in motion.
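The correlation the comment above describes (an authorization code issued to the user at one IP and redeemed from another one minutes later), written out as an added example that is not part of the post or the comment. It runs over constructed records; the field names (ts, user, app, ip, stage) and the 10-minute pairing window are assumptions standing in for whatever your SIEM actually holds, not the Entra sign-in log schema.

```python
"""Pair each authorization-code issuance with the token redemption that follows it
for the same user and client, and flag pairs whose redemption comes from a different
IP within a short window. Added example over constructed records: the field names
(ts, user, app, ip, stage) are a simplified stand-in for whatever the SIEM holds,
not the Entra sign-in log schema."""
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed sample. alice's code is redeemed from her own IP; bob's code is
# redeemed 3 min 40 s later from an unrelated address, which is the pattern the
# comment describes. The last record has no authorize event within the window.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"ts": "2025-12-30T09:00:00", "user": "alice@example.com", "app": "cli-client",
     "ip": "203.0.113.10", "stage": "authorize"},
    {"ts": "2025-12-30T09:00:05", "user": "alice@example.com", "app": "cli-client",
     "ip": "203.0.113.10", "stage": "token"},
    {"ts": "2025-12-30T09:10:00", "user": "bob@example.com", "app": "cli-client",
     "ip": "203.0.113.20", "stage": "authorize"},
    {"ts": "2025-12-30T09:13:40", "user": "bob@example.com", "app": "cli-client",
     "ip": "198.51.100.77", "stage": "token"},
    {"ts": "2025-12-30T11:00:00", "user": "bob@example.com", "app": "cli-client",
     "ip": "198.51.100.88", "stage": "token"},
]


def find_ip_mismatches(events: List[Dict[str, str]],
                       window: timedelta = timedelta(minutes=10)) -> List[Dict[str, object]]:
    """Return one finding per (authorize, token) pair whose source IPs differ.

    Pairing rule: a token event is matched to the most recent unconsumed authorize
    event for the same user and app that is at most `window` old. Each authorize
    event is consumed once, because a code can be redeemed only once.
    """
    pending: Dict[tuple, List[tuple]] = {}
    findings: List[Dict[str, object]] = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        key = (ev["user"], ev["app"])
        ts = datetime.fromisoformat(ev["ts"])
        if ev["stage"] == "authorize":
            pending.setdefault(key, []).append((ts, ev["ip"]))
            continue
        if ev["stage"] != "token":
            continue
        candidates = [c for c in pending.get(key, [])
                      if timedelta(0) <= ts - c[0] <= window]
        if not candidates:
            continue  # nothing to pair with inside the window; not this rule's job
        auth_ts, auth_ip = max(candidates)  # most recent authorize wins
        pending[key].remove((auth_ts, auth_ip))
        if auth_ip != ev["ip"]:
            findings.append({
                "user": ev["user"],
                "app": ev["app"],
                "authorize_ip": auth_ip,
                "token_ip": ev["ip"],
                "seconds_between": int((ts - auth_ts).total_seconds()),
            })
    return findings


if __name__ == "__main__":
    for finding in find_ip_mismatches(SAMPLE_EVENTS):
        print(finding)
```

The window is deliberately short: a code is only valid for minutes, so a redemption far outside it cannot be the same code and should not be paired. A production rule would additionally tolerate legitimate IP changes (for example a VPN connecting between the two stages), which this example does not attempt.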
Great article! I really like how clearly it outlines practical and extensive ways to protect an organization against ConsentFix.
Great article, thanks for the summary 😍
Thanks for sharing, Fabian Bader. Heads up, folks: this is worthy of review.
Thanks for the article, nice research and write-up. Nevertheless, I'm a little bit confused that both this article and the Push Security blog on the same topic do not mention PKCE. Azure CLI will definitely generate code_verifier and code_challenge for the authorization code flow. In the screenshots we can see that Entra ID is accepting Azure CLI logins without PKCE. Note that it is not hard for the attacker to generate code_verifier, generate an authorization URL for the user that includes the code_challenge, and finally redeem the access token with the help of the code_verifier. Having an authorization flow without PKCE for Azure CLI is a strong indicator that something bad is going on. What I'm not sure about is whether the method is available in the logs in order to filter out those records.
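The two PKCE points made in the comment above, as an added example that is neither the post's nor the commenter's code: generating a verifier/challenge pair (RFC 7636, S256) is a few lines, so an attacker who controls the lure URL can include a challenge of their own and redeem the code with the matching verifier; and an authorize request for a client that is known to use PKCE but carries no code_challenge stands out. The tenant, client_id, redirect_uri and scope below are placeholders, and the verifier check mirrors what a token endpoint does rather than calling Entra.

```python
"""PKCE (RFC 7636) S256 worked example: generate a verifier/challenge pair, build an
Entra-style authorize URL that carries it, verify a presented verifier the way the
token endpoint does, and classify authorize URLs by whether PKCE is present at all.
Added example; client_id, redirect_uri, scope and tenant are placeholders."""
import base64
import hashlib
import secrets
from typing import Optional
from urllib.parse import parse_qs, urlencode, urlparse

AUTHORIZE_ENDPOINT = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/authorize"
CLIENT_ID = "00000000-0000-0000-0000-000000000000"  # placeholder, not a real app id
REDIRECT_URI = "http://localhost:8400"               # placeholder loopback redirect
SCOPE = "openid offline_access"                      # placeholder scope


def b64url(data: bytes) -> str:
    """Base64url without padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def new_verifier() -> str:
    """32 random bytes encode to 43 unreserved chars, inside the 43..128 limit."""
    return b64url(secrets.token_bytes(32))


def challenge_for(verifier: str) -> str:
    """S256: BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def build_authorize_url(tenant: str, verifier: Optional[str], state: str = "xyz") -> str:
    """Authorize URL for the authorization code flow; PKCE is attached only if a
    verifier is supplied. Whoever builds this URL (client or attacker) picks the
    challenge, which is why PKCE alone does not stop a lure that hands over the code."""
    params = {
        "client_id": CLIENT_ID,
        "response_type": "code",
        "redirect_uri": REDIRECT_URI,
        "scope": SCOPE,
        "state": state,
    }
    if verifier is not None:
        params["code_challenge"] = challenge_for(verifier)
        params["code_challenge_method"] = "S256"
    return AUTHORIZE_ENDPOINT.format(tenant=tenant) + "?" + urlencode(params)


def verify_pkce(challenge: str, method: str, presented_verifier: str) -> bool:
    """The check a token endpoint performs when the code is redeemed."""
    if method == "S256":
        expected = challenge_for(presented_verifier)
    elif method == "plain":
        expected = presented_verifier
    else:
        return False
    return secrets.compare_digest(expected, challenge)


def pkce_status(authorize_url: str) -> str:
    """Classify an authorize request as 'S256', 'plain' or 'missing'. A 'missing'
    result for a client that always sends PKCE is the indicator the comment above
    points at; whether your logs expose this is a separate question."""
    qs = parse_qs(urlparse(authorize_url).query)
    if "code_challenge" not in qs:
        return "missing"
    return qs.get("code_challenge_method", ["plain"])[0]


if __name__ == "__main__":
    # Attacker-side view: they generate the pair, the victim consents to the URL,
    # and the attacker redeems the code with the verifier only they hold.
    attacker_verifier = new_verifier()
    lure = build_authorize_url("common", attacker_verifier)
    print("lure carries PKCE:", pkce_status(lure))
    print("attacker can redeem:", verify_pkce(challenge_for(attacker_verifier), "S256", attacker_verifier))
    print("no-PKCE request:", pkce_status(build_authorize_url("common", None)))
```

The RFC 7636 Appendix B test vector (verifier dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk, challenge E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM) is a quick way to confirm the challenge derivation before relying on it in a detection.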