Introduction to ConsentFix
ConsentFix is a new attack technique that has drawn significant attention from the security community in a short span of time. It abuses the OAuth authorization flow to gain unauthorized access to cloud environments.
How ConsentFix Works
A ConsentFix phishing page poses as a human-verification check and instructs the victim to paste a URL into it. This lets the attacker leverage legacy scopes and evade detection. The attack exploits default Microsoft security configurations and can be used against various apps, including Microsoft SharePoint Online Management Shell.
Vulnerable Apps and Scopes
There are 11 apps vulnerable to ConsentFix, including Microsoft SharePoint Online Management Shell. These apps have known Conditional Access policy exclusions, which is what makes them susceptible to the attack.
Detection and Prevention
To detect and prevent ConsentFix attacks, hunt your logs for the specific Application IDs and Resource IDs involved. Creating Service Principals for the vulnerable apps and restricting which users may access them also reduces the attack surface.
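The hunt described above, as an added example that is not part of the original article: it scans Microsoft Graph-style sign-in records for the watch-listed Application IDs and Resource IDs and flags those where Conditional Access reports `notApplied`. The GUIDs in the watchlists are placeholders, since the article does not list the affected IDs; the log records are constructed.

```python
"""Hunt Entra ID sign-in records for ConsentFix-style activity: a watch-listed
app ID (or target resource ID) signing in while Conditional Access reports
'notApplied'. Added example, not code from the original article."""
import json

# PLACEHOLDER GUIDs: the article does not list the 11 Application IDs or the
# Resource IDs; substitute the real values from the ConsentFix writeup.
WATCHED_APP_IDS = {
    "00000000-0000-0000-0000-00000000aaa1": "SharePoint Online Management Shell (placeholder ID)",
    "00000000-0000-0000-0000-00000000aaa2": "second affected app (placeholder ID)",
}
WATCHED_RESOURCE_IDS = {"00000000-0000-0000-0000-00000000ffff": "target resource (placeholder ID)"}


def parse_sign_in_log(raw_json):
    """Parse a JSON array of Microsoft Graph signIn objects into dicts."""
    return json.loads(raw_json)


def flag_consentfix_candidates(records):
    """Return one finding per record that hits the app or resource watchlist
    and where Conditional Access was not applied (conditionalAccessStatus)."""
    findings = []
    for rec in records:
        app_id = (rec.get("appId") or "").lower()      # normalise case before lookup
        res_id = (rec.get("resourceId") or "").lower()
        watched = WATCHED_APP_IDS.get(app_id) or WATCHED_RESOURCE_IDS.get(res_id)
        if watched and rec.get("conditionalAccessStatus") == "notApplied":
            findings.append({"time": rec.get("createdDateTime"),
                             "user": rec.get("userPrincipalName"),
                             "matched": watched, "appId": app_id, "resourceId": res_id})
    return findings


# Constructed sample: four sign-ins; only the second and fourth should be flagged.
SAMPLE_LOG = json.dumps([
    {"createdDateTime": "2025-01-01T09:00:00Z", "userPrincipalName": "alice@example.com",
     "appId": "11111111-1111-1111-1111-111111111111", "resourceId": "22222222-2222-2222-2222-222222222222",
     "conditionalAccessStatus": "success"},
    {"createdDateTime": "2025-01-01T09:05:00Z", "userPrincipalName": "bob@example.com",
     "appId": "00000000-0000-0000-0000-00000000AAA1", "resourceId": "33333333-3333-3333-3333-333333333333",
     "conditionalAccessStatus": "notApplied"},
    {"createdDateTime": "2025-01-01T09:10:00Z", "userPrincipalName": "carol@example.com",
     "appId": "00000000-0000-0000-0000-00000000aaa2", "resourceId": "44444444-4444-4444-4444-444444444444",
     "conditionalAccessStatus": "success"},  # watched app, but CA applied: not flagged
    {"createdDateTime": "2025-01-01T09:15:00Z", "userPrincipalName": "dave@example.com",
     "appId": "55555555-5555-5555-5555-555555555555", "resourceId": "00000000-0000-0000-0000-00000000ffff",
     "conditionalAccessStatus": "notApplied"},
])

if __name__ == "__main__":
    print(json.dumps(flag_consentfix_candidates(parse_sign_in_log(SAMPLE_LOG)), indent=2))
```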
Protection with Push
Push is a security solution that can detect and block browser-based attacks like ConsentFix in real time. It stops attacks such as AiTM phishing, credential stuffing, and session hijacking, providing an additional layer of protection for cloud environments.