ConsentFix: A New way to Phish for Tokens
ID: 7cb5c809-55ca-5799-aad6-ffe4a600f0e8
STIX ID: report--7cb5c809-55ca-5799-aad6-ffe4a600f0e8
Feed Name: On the Hunt
This report reproduces and analyses the 'ConsentFix' phishing technique, in which users are tricked into copying a localhost OAuth redirect URL that contains an authorization code; the attacker captures the code, exchanges it for access and refresh tokens (targeting Azure and the Azure CLI), and uses those tokens to access Azure resources. The author documents the telemetry observed in Entra sign-in logs (interactive PRT-bound sessions versus non-interactive unbound sessions), highlights shortcomings in Conditional Access and device correlation, and proposes several detection hunts (e.g., token-binding flips accompanied by IP changes, first-time Azure CLI authentications, and proxy URL matches for localhost redirects).