Researchers at Push Security have observed a new variant of the ClickFix attack that combines “OAuth consent phishing with a ClickFix-style user prompt that leads to account compromise.”
The technique, which the researchers call “ConsentFix,” tricks victims into copying a localhost URL that contains an OAuth authorization code and pasting it into an attacker-controlled phishing page.
“Authorization code flow is an OAuth 2.0 protocol for web applications to get a user's permission to access protected resources,” the researchers explain.
“When using the authorization code flow to connect an app, it combines the code with an OAuth secret held by the app in exchange for a token (the valuable part). However, some apps can’t protect a secret — for example, apps that run on your mobile device or desktop. In this case, the code alone is enough to generate an OAuth token, without the secret — which is what is being exploited here.”
In the attacks observed by Push Security, the threat actors abused the Azure CLI OAuth app to target Microsoft accounts.
“Essentially, the attacker tricks the victim into logging into Azure CLI, by generating an OAuth authorization code — visible in a localhost URL — and then pasting that URL (including the code) into an attacker-controlled page,” the researchers write. “This then creates an OAuth connection between the victim’s Microsoft account and the attacker’s Azure CLI instance.”
Push Security points out that these attacks are very difficult to block, since they rely on legitimate tools and social engineering tactics:
- “The attack happens entirely inside the browser context, removing one of the key detection opportunities for ClickFix (because it doesn’t touch the endpoint).
- “Delivering the lure via a Google Search watering hole attack completely circumvents email-based anti-phishing controls.
- “Targeting a first-party app like Azure CLI means that many of the mitigating controls available for third-party app integrations do not apply — making this attack way harder to prevent.
- “Because there’s no login required, phishing-resistant authentication controls like passkeys have no impact on this attack.”
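The following is an added example, not code from the article or from Push Security. It models the authorization code grant described above as a toy authorization server to show why a code for a public client (a CLI, desktop or mobile app that cannot hold a secret) can be redeemed with nothing but the code, while the same leaked code is useless for a confidential client. It then applies a defender-side heuristic to the server's own records: in a normal CLI login the browser that consents and the CLI that redeems the code share an egress IP, so a redemption from a different origin is worth alerting on. Every client ID, user, IP address, code and record is constructed for the example; "public-cli" is a stand-in, not a real Azure CLI identifier.

```python
"""Added example, not from the article or Push Security: a toy OAuth 2.0
authorization code grant that shows why a leaked code suffices for a
public client, plus an origin-mismatch heuristic over the server's logs.
All client IDs, users, codes and IPs are constructed for the example."""

import secrets
from dataclasses import dataclass, field
from typing import Optional
from urllib.parse import parse_qs, urlparse

# Constructed client registry (assumed). A confidential client holds a secret;
# a public client (CLI, desktop, mobile) cannot, so the token endpoint does
# not require one. "public-cli" stands in for any Azure-CLI-like app.
CLIENTS = {
    "web-app-confidential": {"public": False, "secret": "s3cr3t-web-app"},
    "public-cli": {"public": True, "secret": None},
}


@dataclass
class TokenServer:
    """Toy authorization server: issues codes and redeems them for tokens."""

    issued: dict = field(default_factory=dict)    # code -> (client_id, user, consent_ip)
    used: set = field(default_factory=set)        # codes already redeemed
    redeemed: list = field(default_factory=list)  # (code, client_id, redeem_ip)

    def authorize(self, client_id: str, user: str, browser_ip: str) -> str:
        """The user consents in a browser. The server mints a code, records the
        IP the consent came from, and redirects to the app's localhost URL."""
        code = secrets.token_urlsafe(16)
        self.issued[code] = (client_id, user, browser_ip)
        return f"http://localhost:8400/?code={code}&state=xyz"

    def redeem(self, client_id: str, code: str, caller_ip: str,
               client_secret: Optional[str] = None) -> dict:
        """Token endpoint. Confidential clients must present their secret;
        public clients are accepted with the code alone."""
        if code not in self.issued or code in self.used:
            raise ValueError("unknown or already used code")
        issued_to, user, _ = self.issued[code]
        if issued_to != client_id:
            raise ValueError("code was not issued to this client")
        client = CLIENTS[client_id]
        if not client["public"] and client_secret != client["secret"]:
            raise ValueError("confidential client: missing or wrong secret")
        self.used.add(code)
        self.redeemed.append((code, client_id, caller_ip))
        return {"access_token": f"tok-{secrets.token_hex(4)}", "user": user}


def code_from_redirect(url: str) -> str:
    """Pull the authorization code out of a localhost redirect URL; this is
    the value the lure asks the victim to copy and paste."""
    return parse_qs(urlparse(url).query)["code"][0]


def origin_mismatches(server: TokenServer) -> list:
    """Heuristic: the browser that consented and the CLI that redeems the code
    normally run on the same machine and share an egress IP. A redemption
    from a different IP means the code left the user's host."""
    findings = []
    for code, client_id, redeem_ip in server.redeemed:
        _, user, consent_ip = server.issued[code]
        if consent_ip != redeem_ip:
            findings.append({"user": user, "client": client_id,
                             "consent_ip": consent_ip, "redeem_ip": redeem_ip})
    return findings


def leaked_code_confidential_client() -> bool:
    """A code issued to a confidential client is useless without its secret."""
    srv = TokenServer()
    url = srv.authorize("web-app-confidential", "alice", "198.51.100.10")
    try:
        srv.redeem("web-app-confidential", code_from_redirect(url), "203.0.113.5")
    except ValueError:
        return True  # rejected: no secret presented
    return False


def simulate_consentfix() -> dict:
    """Public client: the victim consents at 198.51.100.20, the pasted URL is
    redeemed from 203.0.113.5 with no secret, and a token is still issued."""
    srv = TokenServer()
    # Baseline: the same host consents and redeems, as a real CLI login does.
    url = srv.authorize("public-cli", "alice", "198.51.100.10")
    srv.redeem("public-cli", code_from_redirect(url), "198.51.100.10")
    # ConsentFix-style: consent in the victim's browser, redemption elsewhere.
    url = srv.authorize("public-cli", "bob", "198.51.100.20")
    token = srv.redeem("public-cli", code_from_redirect(url), "203.0.113.5")
    return {"token_without_secret": "access_token" in token,
            "findings": origin_mismatches(srv)}


if __name__ == "__main__":
    print(leaked_code_confidential_client(), simulate_consentfix())
```

The heuristic keys on network origin rather than on the code itself because the code is entirely valid: it was minted for the public client that started the flow, so code-binding mechanisms such as PKCE do not help when that client instance is the attacker's and already holds the verifier. Expect false positives where consent and redemption legitimately traverse different egress paths (split-tunnel VPNs, carrier-grade NAT, mobile hotspots), so treat a mismatch as a triage signal on the consenting user and client rather than an automatic block.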
KnowBe4 empowers your workforce to make smarter security decisions every day. Over 70,000 organizations worldwide trust the KnowBe4 HRM+ platform to strengthen their security culture and reduce human risk.