ConsentFix v3 Runs on Cloudflare, Dropbox, and ZoomInfo

The OAuth phishing kit is plumbed end-to-end through legitimate SaaS, which is exactly the point.


A criminal toolkit posted to the Russian-linked XSS forum has automated an OAuth phishing technique that takes over Microsoft 365 accounts without ever prompting for a password or triggering a multi-factor challenge. ConsentFix v3 was analyzed by Push Security, which on April 23 documented how the kit chains together Cloudflare Workers, ZoomInfo, Dropbox, and Pipedream to handle target identification, lure delivery, and token exchange. BleepingComputer surfaced the research more widely on May 1.

Push has not observed the v3 kit in active campaigns against its customers and assesses it as closer to a red-team proof of concept than an industrialized phishing-as-a-service platform. The technique itself, however, is real and has been observed in the wild since December 2025, when Push said it had linked the original ConsentFix campaign to Russian state-affiliated APT29 — an attribution that no other vendor has corroborated.

Threat Intelligence: ConsentFix v3 — OAuth Phishing Toolkit
Detail | Information
Toolkit | ConsentFix v3
Discovered by | Push Security (Dan Green, Threat Research)
First posted | XSS criminal forum, April 2026
Underlying technique | OAuth 2.0 authorization code grant abuse against Microsoft first-party apps
In-the-wild status (v3) | Not yet observed in customer campaigns
Earlier campaign attribution | Push attributes the v1 campaign (Dec 2025) to APT29 (single-source)

Why ConsentFix Bypasses Microsoft 365 MFA Without Stealing a Password

ConsentFix abuses an OAuth flow designed for native and desktop applications, where the redirect URI points to localhost. The victim is socially engineered into providing a captured authorization code to the attacker's infrastructure, which Pipedream then exchanges for refresh tokens against Microsoft's API and stores for the operator. The end state for the victim is functionally identical to account takeover (ATO) — the attacker holds a valid token that lets them act as the user against Microsoft Graph and Azure Resource Manager.

Because the technique targets Microsoft first-party applications such as Azure CLI, Azure PowerShell, Visual Studio, and Microsoft Teams PowerShell Cmdlets — all pre-trusted in every Entra ID tenant — there is no user-visible consent prompt to refuse. If the victim is already signed into Microsoft in their browser, no credential entry and no MFA challenge is required. Push's earlier debrief identified 11 first-party apps that are both vulnerable to ConsentFix and carry known Conditional Access exclusions.

The v3 kit's documentation walks operators through OAuth grants, consent phishing, refresh tokens, and Family of Client IDs (FOCI) chaining — a Microsoft feature that lets refresh tokens for one application be exchanged for tokens to other applications in the family.

Cloudflare Workers, Dropbox, ZoomInfo, Pipedream: A Lure Stack Built on Trusted SaaS

Passkeys do not protect against ConsentFix because no login is occurring at the moment of attack — the kit hijacks an existing browser session. Microsoft's standard mitigation for the related device code phishing attack, disabling device code flow via Conditional Access, does not apply because ConsentFix uses a different OAuth flow. This is part of the broader rise of OAuth and SSO-targeted social engineering that is forcing defenders to look past the login page — and it follows the same OAuth-abuse playbook documented in the EvilTokens phishing-as-a-service campaign against Microsoft 365 users.

The v3 stack adds a second problem: every component the attacker controls is hosted on a legitimate SaaS provider. Cloudflare Workers serves the lure. ZoomInfo handles target identification. Dropbox hosts the PDF. Pipedream brokers the token exchange. Egress filtering and reputation-based detection all see traffic to vendors the enterprise already trusts.

Defender Actions for Detecting and Blocking ConsentFix

  • Inventory Microsoft first-party app exposure using EntraScopes.com (maintained by Fabian Bader and Dirk-jan Mollema). For each vulnerable app, create a Service Principal and restrict authorized users to the narrow set that actually need it — typically admins and developers.
  • Enable AADGraphActivityLogs and hunt for IP mismatches between interactive sign-ins and subsequent token use against Microsoft Graph or Azure Resource Manager. The Application IDs to watch are 04b07795-8ddb-461a-bbee-02f9e1bf7b46 (Azure CLI) and 1950a258-227b-4e31-a9cf-717495945fc2 (Azure PowerShell).
  • Update phishing awareness training to flag any prompt that asks users to copy, paste, or drag a URL containing localhost between a browser tab and a webpage during or after a Microsoft login. Users have not been trained to recognize this behavior.
  • Tie sensitive Conditional Access policies to managed-device state and token binding rather than to MFA alone. ConsentFix succeeds against MFA by working around it.
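One way to run the IP-mismatch hunt from the second action over exported log lines, as an added example that is not Push Security's or Microsoft's code: it assumes a simplified, hypothetical JSON-lines export (the real AADGraphActivityLogs and sign-in log schemas are not reproduced) with constructed sample events using RFC 5737 test addresses, and correlates each token use by the two named application IDs with the same user's interactive sign-ins in the preceding 24 hours. It also separates the case where no interactive sign-in exists to compare against, which is what a refresh-token-only session looks like in the logs.

```python
"""IP-mismatch hunt between interactive sign-ins and later token use.

Added example for the defender action above; this is not Push Security's
detection logic and not a real Entra/AADGraphActivityLogs schema. It assumes
two simplified JSON-lines feeds (constructed inline below): interactive
sign-in events and Graph/ARM token-use events, each with a user, source IP,
timestamp and (for token use) the client application ID and resource.
"""
import json
from datetime import datetime, timedelta

# Client application IDs named on the page for this hunt.
WATCHED_APP_IDS = {
    "04b07795-8ddb-461a-bbee-02f9e1bf7b46": "Azure CLI",
    "1950a258-227b-4e31-a9cf-717495945fc2": "Azure PowerShell",
}

# Constructed sample events (hypothetical schema, RFC 5737 test addresses).
SAMPLE_SIGN_INS = """
{"user": "alice@example.test", "ip": "203.0.113.10", "time": "2026-04-23T09:00:00"}
{"user": "bob@example.test", "ip": "198.51.100.7", "time": "2026-04-23T09:05:00"}
"""

SAMPLE_TOKEN_USES = """
{"user": "alice@example.test", "app_id": "04b07795-8ddb-461a-bbee-02f9e1bf7b46", "ip": "203.0.113.10", "time": "2026-04-23T10:00:00", "resource": "graph"}
{"user": "alice@example.test", "app_id": "1950a258-227b-4e31-a9cf-717495945fc2", "ip": "192.0.2.55", "time": "2026-04-23T11:00:00", "resource": "arm"}
{"user": "bob@example.test", "app_id": "00000000-0000-0000-0000-000000000000", "ip": "192.0.2.99", "time": "2026-04-23T10:00:00", "resource": "graph"}
{"user": "carol@example.test", "app_id": "04b07795-8ddb-461a-bbee-02f9e1bf7b46", "ip": "192.0.2.77", "time": "2026-04-23T10:30:00", "resource": "graph"}
"""


def parse_events(jsonl):
    """Parse one JSON object per non-empty line; timestamps become datetimes."""
    events = []
    for line in jsonl.strip().splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        ev["time"] = datetime.fromisoformat(ev["time"])
        events.append(ev)
    return events


def find_ip_mismatches(sign_ins, token_uses, window=timedelta(hours=24)):
    """Flag watched-app token use whose source IP matches no interactive
    sign-in by the same user in the preceding `window`.

    Two outcomes are reported separately because they mean different things:
    - "ip_mismatch": the user did sign in recently, but only from other IPs.
    - "no_recent_signin": no interactive sign-in at all to compare against,
      which is how a session driven purely by a refresh token appears.
    """
    sign_ins_by_user = {}
    for s in sign_ins:
        sign_ins_by_user.setdefault(s["user"], []).append(s)

    findings = []
    for t in token_uses:
        app_name = WATCHED_APP_IDS.get(t["app_id"])
        if app_name is None:
            continue  # not one of the first-party clients this hunt covers
        recent = [
            s for s in sign_ins_by_user.get(t["user"], [])
            if t["time"] - window <= s["time"] <= t["time"]
        ]
        if not recent:
            reason = "no_recent_signin"
        elif t["ip"] not in {s["ip"] for s in recent}:
            reason = "ip_mismatch"
        else:
            continue  # token used from an IP the user signed in from: benign
        findings.append({
            "user": t["user"],
            "app": app_name,
            "resource": t["resource"],
            "token_ip": t["ip"],
            "signin_ips": sorted({s["ip"] for s in recent}),
            "time": t["time"].isoformat(),
            "reason": reason,
        })
    return findings


def run_sample():
    """Run the hunt over the constructed sample feeds."""
    return find_ip_mismatches(parse_events(SAMPLE_SIGN_INS),
                              parse_events(SAMPLE_TOKEN_USES))


if __name__ == "__main__":
    for finding in run_sample():
        print(json.dumps(finding))
```

On the sample data the hunt flags Alice's Azure PowerShell token used from 192.0.2.55 (she only signed in from 203.0.113.10) and Carol's Azure CLI token use with no interactive sign-in on record; Bob's event is ignored because his client is not on the watch list, and Alice's earlier Azure CLI use from her sign-in IP is treated as benign. In a real tenant the 24-hour window and the handling of shared egress IPs (VPN concentrators, proxies) need tuning before this is worth alerting on rather than hunting with.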

For broader context on the techniques this kit exploits, see all phishing coverage on The CyberSignal.

The CyberSignal Analysis

Signal 01 — The phishing kit perimeter is now the SaaS perimeter

ConsentFix v3 is what mature OAuth abuse looks like when it stops needing attacker-controlled infrastructure. Cloudflare Workers, Dropbox, Pipedream, and ZoomInfo are each individually defensible business decisions for an enterprise to allow. Together, they form an attack platform that no allowlist will catch. The reputation-based controls that worked when phishing infrastructure was hosted on disposable VPSes do not work when phishing infrastructure is hosted on Cloudflare. The detection signal moves from network telemetry to behavior — what the user does after the click, not where the click went.

Signal 02 — Forum-posted toolkits compress the gap to in-the-wild use

Push's caveat that v3 is not yet industrialized is the right caveat to print today. But the December 2025 v1 campaign that Push linked to APT29 was observed in the wild. The v3 kit codifies, automates, and democratizes that technique — turning a state-aligned operator's tradecraft into a packaged tool that any forum buyer can deploy. The historical pattern with this kind of release is short: weeks, not quarters, between forum publication and observed campaigns. Defenders should prepare on that timeline rather than waiting for the first customer-side detection.

Signal 03 — Phishing-resistant authentication is not a complete answer when the attack skips the login

The standard industry response to credential phishing has been to push organizations toward passkeys, FIDO2, and other phishing-resistant authentication factors. ConsentFix exposes the limit of that strategy: if the attack hijacks an existing authenticated session rather than presenting a counterfeit login, the strength of the original authentication factor is irrelevant. The defensive layer that matters is what binds a token to a device or context — Conditional Access policies tied to managed-device state, token binding, and continuous access evaluation. Organizations that invested in passkeys and stopped there have a gap to close.

Sources

Type | Source
Primary | Push Security: ConsentFix v3 — Analyzing a New Toolkit
Primary | Push Security: Original ConsentFix Disclosure (December 2025)
Reporting | BleepingComputer: ConsentFix v3 Attacks Target Azure With Automated OAuth Abuse (Bill Toulas)
Reporting | Glueck Kanja: Independent ConsentFix Analysis