Microsoft OAuth potential ConsentFix flow
Description
AlphaSOC detected an OAuth authorization request to Microsoft's identity
platform using a localhost redirect URI, a pattern consistent with the
ConsentFix phishing technique. In a ConsentFix attack, threat actors craft a
malicious OAuth application that uses a localhost redirect to intercept
authorization codes on the victim's machine. The victim is directed to a
legitimate Microsoft consent page where they unknowingly grant access to a
malicious third-party application, resulting in persistent OAuth token access
for the attacker.
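The detection described above, as an added example that is not AlphaSOC's own rule logic: it parses URL/proxy log lines, keeps only requests to the Microsoft identity platform's authorize endpoint, and flags those whose redirect_uri points at localhost or a loopback address. The log format, host list, client IDs and scopes are constructed for the example.

```python
from urllib.parse import urlsplit, parse_qs
import ipaddress

# Hosts that serve the Microsoft identity platform's authorization endpoint
# (assumed list; extend it for sovereign-cloud tenants if you use them).
MS_AUTH_HOSTS = {"login.microsoftonline.com", "login.microsoft.com", "login.live.com"}

# Constructed sample of URL log lines in the form "<timestamp> <user> <url>".
# These are not real requests; the client IDs are placeholders.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z alice https://login.microsoftonline.com/common/oauth2/v2.0/authorize?client_id=11111111-1111-1111-1111-111111111111&response_type=code&redirect_uri=http%3A%2F%2Flocalhost%3A8080%2Fcallback&scope=openid%20offline_access%20Mail.Read
2024-05-01T10:00:05Z bob https://login.microsoftonline.com/common/oauth2/v2.0/authorize?client_id=22222222-2222-2222-2222-222222222222&response_type=code&redirect_uri=https%3A%2F%2Fapp.example.com%2Fauth&scope=openid
2024-05-01T10:00:09Z carol https://login.microsoftonline.com/organizations/oauth2/v2.0/authorize?client_id=33333333-3333-3333-3333-333333333333&response_type=code&redirect_uri=http%3A%2F%2F127.0.0.1%3A5000%2F&scope=openid%20offline_access%20Files.ReadWrite.All
2024-05-01T10:00:12Z dave https://example.com/oauth/authorize?redirect_uri=http%3A%2F%2Flocalhost%2F
"""


def is_loopback_redirect(redirect_uri: str) -> bool:
    """True when the redirect URI targets the local machine: the literal host
    'localhost' (or a *.localhost name) or any IPv4/IPv6 loopback address."""
    host = urlsplit(redirect_uri).hostname
    if not host:
        return False
    host = host.lower()
    if host == "localhost" or host.endswith(".localhost"):
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False


def analyze_authorize_request(url: str):
    """Return a finding for a Microsoft authorize request with a loopback
    redirect_uri, or None when the URL does not match the pattern."""
    parts = urlsplit(url)
    if (parts.hostname or "").lower() not in MS_AUTH_HOSTS:
        return None
    # Both the v1 (/oauth2/authorize) and v2 (/oauth2/v2.0/authorize) endpoints end this way.
    if not parts.path.endswith("/authorize"):
        return None
    query = parse_qs(parts.query)  # percent-decodes redirect_uri and scope
    redirect_uri = query.get("redirect_uri", [""])[0]
    if not is_loopback_redirect(redirect_uri):
        return None
    scopes = query.get("scope", [""])[0].split()
    return {
        "client_id": query.get("client_id", [""])[0],
        "redirect_uri": redirect_uri,
        "scopes": scopes,
        # offline_access is what yields a refresh token, i.e. the persistent access
        # the Impact section describes.
        "persistent": "offline_access" in scopes,
    }


def scan_log(log_text: str):
    """Run the detection over every log line and collect the findings."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        timestamp, user, url = line.split(maxsplit=2)
        finding = analyze_authorize_request(url)
        if finding:
            finding.update({"timestamp": timestamp, "user": user})
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['timestamp']} {f['user']} client_id={f['client_id']} "
              f"redirect={f['redirect_uri']} persistent={f['persistent']}")
```

Every hit still needs triage: the check only establishes the localhost-redirect pattern the rule is named for, which is why the rule carries Low severity. The client_id and requested scopes in each finding are the first things to compare against the tenant's known applications.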
Impact
A successful ConsentFix phishing attack grants the attacker persistent OAuth tokens scoped to the victim's Microsoft 365 account, including access to email, files, calendar, Teams, and other connected services. Unlike credential phishing, the attacker does not need the user's password and the access persists through password resets. The attacker can maintain long-term access until the OAuth consent is explicitly revoked by the user or an administrator.
Severity
| Severity | Condition |
|---|---|
| Low | Microsoft OAuth request with localhost redirect URI detected |
Investigation and Remediation
Review the OAuth authorization request details including the application ID, requested permission scopes, and the user account involved. Check the Entra enterprise applications list and the user's OAuth consent grants for any suspicious or unfamiliar applications. Revoke consent for any unauthorized applications through the Entra portal. Educate users to recognize and refuse unexpected OAuth consent prompts. Enable the Entra admin consent workflow to require approval for new application registrations.
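The consent-grant review above, as an added example that is not part of the original page: it triages a delegated consent-grant export, keeping grants to applications outside a vetted allow-list that request broad mailbox/file scopes or offline_access. The input shape loosely follows Microsoft Graph's oauth2PermissionGrants and servicePrincipals objects (an assumption; the field set is trimmed), and every ID, name and grant is constructed.

```python
import json

# Delegated scopes that give an application broad reach into mail, files,
# calendar or chats. Adjust to the tenant's risk appetite.
HIGH_RISK_SCOPES = {
    "Mail.Read", "Mail.ReadWrite", "Mail.Send",
    "Files.Read.All", "Files.ReadWrite.All",
    "Calendars.ReadWrite", "Chat.Read", "Directory.Read.All",
}

# Constructed allow-list of application (client) IDs the tenant has vetted.
KNOWN_GOOD_APP_IDS = {"aaaaaaaa-0000-0000-0000-000000000001"}

# Constructed service principals keyed by object id, resembling a trimmed
# Graph 'servicePrincipals' export. Not real tenant data.
SAMPLE_SERVICE_PRINCIPALS = json.loads("""
{
  "sp-1": {"appId": "aaaaaaaa-0000-0000-0000-000000000001", "displayName": "Corp HR Portal"},
  "sp-2": {"appId": "bbbbbbbb-0000-0000-0000-000000000002", "displayName": "PDF Viewer Helper"},
  "sp-3": {"appId": "cccccccc-0000-0000-0000-000000000003", "displayName": "Lunch Menu"}
}
""")

# Constructed delegated consent grants, resembling a trimmed Graph
# 'oauth2PermissionGrants' export. consentType "Principal" means one user
# (principalId) consented; "AllPrincipals" means an admin consented for everyone.
SAMPLE_GRANTS = json.loads("""
[
  {"id": "g1", "clientId": "sp-1", "consentType": "AllPrincipals", "principalId": null,
   "scope": "openid profile Mail.Read offline_access"},
  {"id": "g2", "clientId": "sp-2", "consentType": "Principal", "principalId": "user-alice",
   "scope": "openid offline_access Mail.ReadWrite Files.ReadWrite.All"},
  {"id": "g3", "clientId": "sp-3", "consentType": "Principal", "principalId": "user-bob",
   "scope": "openid User.Read"}
]
""")


def triage_grants(grants, service_principals, known_good_app_ids):
    """Return the grants worth a closer look: client app not on the allow-list,
    and the grant carries a high-risk scope or offline_access (refresh tokens,
    i.e. access that survives a password reset)."""
    findings = []
    for grant in grants:
        sp = service_principals.get(grant["clientId"], {})
        if sp.get("appId") in known_good_app_ids:
            continue
        scopes = set(grant.get("scope", "").split())
        risky = sorted(scopes & HIGH_RISK_SCOPES)
        persistent = "offline_access" in scopes
        if not risky and not persistent:
            continue
        findings.append({
            "grant_id": grant["id"],
            "app": sp.get("displayName", "<unknown app>"),
            "app_id": sp.get("appId"),
            # An admin-wide grant affects every user, not a single principal.
            "user": grant.get("principalId") if grant["consentType"] == "Principal" else "<all users>",
            "risky_scopes": risky,
            "persistent": persistent,
        })
    return findings


if __name__ == "__main__":
    for f in triage_grants(SAMPLE_GRANTS, SAMPLE_SERVICE_PRINCIPALS, KNOWN_GOOD_APP_IDS):
        print(f"grant {f['grant_id']}: app={f['app']!r} app_id={f['app_id']} "
              f"user={f['user']} scopes={f['risky_scopes']} persistent={f['persistent']}")
```

Each finding carries the grant id, which is what gets revoked once the application is confirmed unauthorized, and the app_id, which is the value to compare against the client_id seen in the authorization request that triggered the alert.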