When you hear the term "hacked", you immediately think that someone got hold of your user ID and password to do so. You would likely be surprised to learn that it is possible to get hacked without giving up your password. That's what the ConsentFix attack does to your account. When I first read about this on BleepingComputer, I was floored and had to read it again. The attack is clever, sneaky, and really terrifying.
What is the ConsentFix attack?
It is a phishing attack that can take over an account without stolen passwords or MFA codes; even two-factor authentication will not protect you from it. ConsentFix tricks you into visiting a fake but realistic-looking website. These fake sites frequently appear among the first few Google search results, which gives you the impression that they are safe when you first encounter them.
You typically end up at a compromised site, where:
- A "fake" CAPTCHA will request your work email address.
- Afterward, you will see a "Sign In With Microsoft" button.
- When you click the button, Microsoft opens a legitimate login page on the Azure website.
- If you're already logged in to Microsoft, a special login code will automatically be generated.
So how does the attack happen?
The fake site instructs you to copy a long URL, which contains the hidden login code, and paste it back onto the page. Once you paste it, the attackers capture the code and use it to sign in as you through the Azure Command Line Interface (CLI), a legitimate Microsoft tool. No password is needed and no MFA prompt appears; the attacker simply has access to your Azure account.
What's the issue with this?
The Azure CLI already carries very high permissions in many organizations, and administrators often have limited ability to block or remove it. That makes it easy for an attacker who signs in through it to reach email, files, or cloud resources without setting off any alarms.
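The "without setting off any alarms" part is where a defender can push back. The flow described above leaves a distinctive trace: the victim's browser performs the interactive sign-in for the Azure CLI application from the victim's own IP address, and minutes later the captured code is redeemed by the CLI from somewhere else. The script below is an added example (not code from the original article, BleepingComputer, or Microsoft) that scans sign-in records for that pattern and for Azure CLI use by accounts that are not expected to use it. It assumes a simplified JSON-lines export whose field names are modelled on the Entra ID sign-in log (`userPrincipalName`, `appDisplayName`, `ipAddress`, `isInteractive`); the sample records, the application display name `Microsoft Azure CLI`, the 15-minute window, and the allow-list of known CLI users are all constructed assumptions you would replace with your tenant's values.

```python
"""Detect ConsentFix-style Azure CLI sign-ins in sign-in log exports.

Added example, not from the original article. Field names mirror the
Entra ID sign-in log schema in a simplified form; all sample data is
constructed and the application display name is an assumption.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

AZURE_CLI_APP_NAME = "Microsoft Azure CLI"   # assumed appDisplayName in your tenant
PIVOT_WINDOW = timedelta(minutes=15)          # assumed: browser auth -> CLI redemption gap

# Constructed sample sign-in records (NOT real tenant data).
# alice: browser sign-in to the CLI app from one IP, token use from another -> suspicious
# bob:   normal CLI use, both events from the same IP
# carol: has never been a CLI user, then the CLI app shows up from an unknown IP
SAMPLE_LOG = """
{"createdDateTime":"2025-06-01T09:00:00Z","userPrincipalName":"alice@example.com","appDisplayName":"Microsoft Azure CLI","ipAddress":"203.0.113.10","isInteractive":true,"result":"success"}
{"createdDateTime":"2025-06-01T09:03:00Z","userPrincipalName":"alice@example.com","appDisplayName":"Microsoft Azure CLI","ipAddress":"198.51.100.77","isInteractive":false,"result":"success"}
{"createdDateTime":"2025-06-01T10:00:00Z","userPrincipalName":"bob@example.com","appDisplayName":"Microsoft Azure CLI","ipAddress":"203.0.113.20","isInteractive":true,"result":"success"}
{"createdDateTime":"2025-06-01T10:01:00Z","userPrincipalName":"bob@example.com","appDisplayName":"Microsoft Azure CLI","ipAddress":"203.0.113.20","isInteractive":false,"result":"success"}
{"createdDateTime":"2025-06-01T11:00:00Z","userPrincipalName":"carol@example.com","appDisplayName":"Office 365 Exchange Online","ipAddress":"203.0.113.30","isInteractive":true,"result":"success"}
{"createdDateTime":"2025-06-01T11:30:00Z","userPrincipalName":"carol@example.com","appDisplayName":"Microsoft Azure CLI","ipAddress":"198.51.100.5","isInteractive":false,"result":"success"}
"""


def parse_signins(text):
    """Parse JSON-lines sign-in records and return them sorted by timestamp."""
    records = []
    for line in text.strip().splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        rec["ts"] = datetime.fromisoformat(rec["createdDateTime"].replace("Z", "+00:00"))
        records.append(rec)
    return sorted(records, key=lambda r: r["ts"])


def find_consentfix_candidates(records, known_cli_users=frozenset()):
    """Return alerts for successful Azure CLI sign-ins that match two rules.

    Rule 1 (unexpected_cli_user): the CLI app appears for a user who is not on
    the allow-list of people expected to use it.
    Rule 2 (ip_pivot): an interactive (browser) sign-in to the CLI app from one
    IP is followed within PIVOT_WINDOW by a non-interactive sign-in from a
    different IP, i.e. the code was redeemed from somewhere the user was not.
    """
    alerts = []
    by_user = defaultdict(list)
    for r in records:
        if r["appDisplayName"] == AZURE_CLI_APP_NAME and r["result"] == "success":
            by_user[r["userPrincipalName"]].append(r)

    for user, events in by_user.items():
        if user not in known_cli_users:
            alerts.append({
                "user": user,
                "rule": "unexpected_cli_user",
                "ips": sorted({e["ipAddress"] for e in events}),
            })
        for i, browser_auth in enumerate(events):
            if not browser_auth["isInteractive"]:
                continue
            for later in events[i + 1:]:
                gap = later["ts"] - browser_auth["ts"]
                if gap > PIVOT_WINDOW:
                    break          # events are time-sorted; nothing later can match
                if not later["isInteractive"] and later["ipAddress"] != browser_auth["ipAddress"]:
                    alerts.append({
                        "user": user,
                        "rule": "ip_pivot",
                        "browser_ip": browser_auth["ipAddress"],
                        "cli_ip": later["ipAddress"],
                        "seconds": int(gap.total_seconds()),
                    })
                    break
    return alerts


def run_demo():
    """Run the detector over the constructed sample with an assumed allow-list."""
    known = frozenset({"alice@example.com", "bob@example.com"})  # assumed known CLI users
    return find_consentfix_candidates(parse_signins(SAMPLE_LOG), known)


if __name__ == "__main__":
    for alert in run_demo():
        print(json.dumps(alert))
```

On the sample, alice trips the IP-pivot rule (browser sign-in from 203.0.113.10, CLI redemption from 198.51.100.77 three minutes later) and carol trips the unexpected-user rule; bob's ordinary CLI session from a single IP is not flagged. The allow-list is what keeps the second rule useful in practice: most users in most organizations never run the Azure CLI, so its first appearance on their account is a strong signal even when the source IP looks unremarkable.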