A new attack type, dubbed ConsentFix v3, has been circulating on hacker forums as an improved technique that automates attacks against Microsoft Azure. The first version of ConsentFix was presented by Push Security last December as a variation of ClickFix for OAuth phishing attacks, which tricks victims into completing a legitimate Microsoft login flow via the Azure CLI. Using social engineering, the attacker fooled victims into pasting a localhost URL containing an OAuth authorization code that can be used to obtain tokens and hijack the account without passwords, despite multi-factor authentication (MFA). ConsentFix v2 was developed by researcher John Hammond as a refined version of Push’s original, replacing manual copy/paste with drag-and-drop of the localhost URL, making the phishing flow smoother and more convincing. ConsentFix v3 preserves the core idea of abusing the OAuth2 authorization code flow and targeting first-party Microsoft apps that are pre-trusted and pre-consented. However, it brings an improvement by incorporating automation and scalability. According to information retrieved from hacker forums where the new technique is promoted, the attack begins by verifying the presence of Azure in the target environment by checking for valid tenant IDs. This is followed by gathering employee details such as names, roles, and email addresses to support impersonation.