ConsentFix (a.k.a. AuthCodeFix): Detecting OAuth2 Authorization Code Phishing
ID: 1b417bd5-fcbe-5afa-a87d-3f107f44ff8b
STIX ID: report--1b417bd5-fcbe-5afa-a87d-3f107f44ff8b
Feed Name: NVISO Labs
ConsentFix (AuthCodeFix) is an OAuth2 authorization-code phishing technique: victims are social-engineered into handing over localhost redirect URLs that contain authorization codes, which attackers then exchange for access tokens to the victims' Microsoft accounts. The report explains the mechanics, lists the vulnerable first-party Microsoft applications and their app IDs, gives step-by-step replication instructions (victim and adversary sides), provides a KQL detection/hunting query that correlates interactive and non-interactive sign-ins, and recommends mitigations such as requiring user assignment on the service principal, Conditional Access restrictions, and token protection.
