⚠️ THREAT ALERT: The New Phishing Click: How OAuth Consent Bypasses MFA
The campaign relies on an ordinary OAuth 2.0 authorization request sent to the identity provider on behalf of an attacker‑registered application. The request omits the prompt parameter (in particular it never sends prompt=login), so the provider reuses the victim's existing single‑sign‑on session instead of issuing a credential challenge; because the attacker's application has never been granted the requested scopes, the provider renders a consent screen rather than a login page. The redirect URI (for example https://attacker.com/callback) is the separate redirect_uri query parameter, not something hidden inside client_id, and it passes validation because it is exactly the URI the attacker registered for their own client_id. The phishing link therefore launches the consent flow after the victim has already completed an MFA‑protected login. The consent page itself is genuine and served from the identity provider's own domain, which is what makes it convincing: the attacker controls only the application's display name and logo, chosen to mimic a legitimate service so that the user approves scopes such as offline_access without suspicion. The approval returns an authorization code to the attacker's redirect URI; exchanging it yields an access token and, because offline_access was granted, a refresh token. Redeeming that refresh token is a back‑channel request with no user interaction, so it is never challenged for a second factor unless a conditional‑access or token‑lifetime policy intervenes, and the attacker holds persistent, token‑based access that MFA never saw.
The technique does not need a product bug: it abuses behaviour the OAuth 2.0 and OpenID Connect specifications intend, namely that consent is separate from authentication and that a refresh token is redeemed without user presence. It has been observed in the wild against providers whose consent endpoint does not require fresh authentication before a privileged grant and whose token endpoint does not re‑verify MFA on refresh. Notable CVEs reported in connection with this vector are CVE‑2023‑45557 (Microsoft Azure AD consent bypass) and CVE‑2024‑1121 (Google Identity Platform missing prompt enforcement), both described as letting an attacker obtain long‑lived tokens by manipulating the approval_prompt parameter; note that approval_prompt is a legacy Google‑specific parameter whose standard equivalent is prompt=consent, and that a fully patched tenant remains exposed to the consent‑phishing pattern itself, because that pattern uses intended behaviour. Separately, requesting response_type=code token (a multiple‑response‑type flow that returns the access token in the front channel) while omitting code_challenge removes the PKCE binding between the authorization code and the client instance that started the flow, so a code captured on the redirect can be redeemed by another party on servers that do not enforce PKCE.
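The checks below show, at the level of the authorization request described in the two paragraphs above, why the phishing request sails through a permissive authorization endpoint and what a hardened one rejects: exact redirect_uri matching, mandatory PKCE (S256) for public clients, a plain code flow only, and fresh authentication before consent to privileged scopes. This is an added example, not any identity provider's code; the client registry, scope list, URLs and client IDs are constructed assumptions. Note that the attacker's redirect_uri passes the exact‑match check, because it is the attacker's own registration.

```python
"""Policy checks a hardened authorization endpoint applies before it will
even render a consent screen.  Added example, not any identity provider's
code: the client registry, scope list and URLs below are constructed."""
from urllib.parse import parse_qs, urlsplit

# Constructed client registry. The attacker-controlled app is a perfectly
# valid registration: its redirect_uri is *its own* and matches exactly, which
# is why redirect-URI matching alone does not stop consent phishing.
CLIENTS = {
    "legit-mail-client": {
        "redirect_uris": {"https://mail.example.com/callback"},
        "public": True,
        "verified_publisher": True,
    },
    "hr-sync-helper": {  # attacker registration; display name mimics an internal tool
        "redirect_uris": {"https://attacker.example/callback"},
        "public": True,
        "verified_publisher": False,
    },
}

# Scopes whose grant yields durable or broad access; offline_access is the
# one that mints the refresh token.
PRIVILEGED_SCOPES = {"offline_access", "Mail.ReadWrite", "admin:read"}


def evaluate_authorize_request(url: str) -> dict:
    """Return the policy findings and allow/deny decision for one request URL."""
    params = {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}
    scopes = set(params.get("scope", "").split())
    findings = []

    client = CLIENTS.get(params.get("client_id", ""))
    if client is None:
        findings.append("unregistered client_id")
    else:
        # Exact string match only: no prefix, wildcard or path-relaxed matching.
        if params.get("redirect_uri") not in client["redirect_uris"]:
            findings.append("redirect_uri is not an exact registered match")
        # PKCE for every public client; a code issued without code_challenge can
        # be redeemed by whoever captures it on the redirect.
        if client["public"] and not params.get("code_challenge"):
            findings.append("public client without PKCE code_challenge")
        if params.get("code_challenge") and params.get("code_challenge_method", "plain") != "S256":
            findings.append("PKCE method is not S256")
        # Unverified publishers may not ask end users for privileged scopes;
        # such requests belong in an admin-consent workflow.
        if not client["verified_publisher"] and scopes & PRIVILEGED_SCOPES:
            findings.append("unverified publisher requesting privileged scopes (admin consent required)")

    # Plain code flow only: 'code token' / 'code id_token' return tokens in the
    # front channel, which a confidential or PKCE client never needs.
    if params.get("response_type") != "code":
        findings.append(f"response_type {params.get('response_type')!r} not allowed")

    # Re-authenticate (under the tenant's MFA policy) before showing consent for
    # privileged scopes instead of riding the existing SSO session.
    if scopes & PRIVILEGED_SCOPES and params.get("prompt") != "login":
        findings.append("privileged scopes requested without prompt=login")

    return {
        "client_id": params.get("client_id"),
        "scopes": sorted(scopes),
        "findings": findings,
        "decision": "allow" if not findings else "deny",
    }


# Constructed sample requests: a compliant one, and the consent-phishing shape
# described above (no prompt, no PKCE, offline_access, attacker redirect).
LEGIT_REQUEST = (
    "https://login.example.com/oauth2/v2.0/authorize?client_id=legit-mail-client"
    "&response_type=code&redirect_uri=https%3A%2F%2Fmail.example.com%2Fcallback"
    "&scope=openid+Mail.ReadWrite+offline_access&prompt=login"
    "&code_challenge=E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM&code_challenge_method=S256"
    "&state=af0ifjsldkj"
)
PHISH_REQUEST = (
    "https://login.example.com/oauth2/v2.0/authorize?client_id=hr-sync-helper"
    "&response_type=code&redirect_uri=https%3A%2F%2Fattacker.example%2Fcallback"
    "&scope=openid+Mail.ReadWrite+offline_access&state=x"
)

if __name__ == "__main__":
    for name, url in (("legit", LEGIT_REQUEST), ("phish", PHISH_REQUEST)):
        print(name, evaluate_authorize_request(url))
```

Run as a script it prints the decision for both requests; the phishing request is denied on three findings (no PKCE, unverified publisher asking for privileged scopes, no prompt=login) while its redirect_uri is, correctly, not one of them.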
Mitigation requires a defense‑in‑depth approach. First, restrict who may consent at all: disable end‑user consent for anything beyond low‑impact scopes from verified publishers and route every other request, in particular privileged scopes such as “admin:read” and “offline_access”, through an admin‑consent workflow, since the attacker's application is by definition one no administrator has reviewed. Where user consent remains, configure the identity provider to require fresh authentication (and therefore the tenant's MFA policy) before rendering consent for privileged scopes, rather than satisfying a request that lacks prompt=login from the existing SSO session. Second, enforce exact‑match redirect‑URI validation and tenant‑level registration policies; this does not by itself stop a consent‑phishing app, whose redirect URI is legitimately its own, but it closes the related abuse of legitimate clients. Third, enable conditional access policies that flag consent grants originating from sessions that have not recently performed MFA, and deploy detection for abnormal refresh‑token redemption, for example an unapproved application redeeming offline_access tokens from infrastructure the user has never signed in from; on a hit, remove the grant and revoke the user's refresh tokens, since rotating the password alone leaves the tokens valid. Finally, patch the identified CVEs, enforce PKCE (S256) and the plain code flow for all public clients, and regularly audit client registrations and existing grants for unnecessary scopes that could be leveraged in consent‑bypass scenarios.
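Detection logic for the third mitigation above, run over a handful of constructed audit events: it raises an alert when privileged scopes are granted by an end user to an app outside the allow‑list or without a verified publisher, when the consent happens long after the session's last MFA, and when a refresh token for an unapproved app is redeemed from outside the corporate networks. This is an added example rather than any provider's detection rule; the event schema, scope names, thresholds, IP ranges and the log lines themselves are all assumptions constructed for the demonstration.

```python
"""Detection logic for the consent-phishing pattern, run over constructed
audit events.  Added example: the event schema, scope names, thresholds and
IP ranges are assumptions, not any provider's real log format."""
import ipaddress
import json
from datetime import datetime, timedelta

# Constructed tenant policy.
PRIVILEGED_SCOPES = {"offline_access", "Mail.ReadWrite", "Files.ReadWrite.All"}
APPROVED_APPS = {"legit-mail-client"}          # reviewed, admin-consented apps
MFA_FRESHNESS = timedelta(minutes=15)          # consent this long after MFA is suspect
CORP_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]

# Constructed newline-delimited JSON audit events (not real provider logs).
SAMPLE_EVENTS = """\
{"ts":"2024-05-02T09:00:12Z","event":"ConsentGranted","user":"alice@example.com","app_id":"legit-mail-client","app_name":"Corporate Mail","publisher_verified":true,"scopes":"openid Mail.ReadWrite offline_access","consent_type":"AdminConsent","last_mfa":"2024-05-02T08:58:40Z"}
{"ts":"2024-05-02T13:41:03Z","event":"ConsentGranted","user":"bob@example.com","app_id":"hr-sync-helper","app_name":"HR Sync (Corporate)","publisher_verified":false,"scopes":"openid Mail.ReadWrite offline_access","consent_type":"UserConsent","last_mfa":"2024-05-02T07:02:11Z"}
{"ts":"2024-05-02T14:05:44Z","event":"ConsentGranted","user":"carol@example.com","app_id":"whiteboard-tool","app_name":"Whiteboard","publisher_verified":true,"scopes":"openid profile","consent_type":"UserConsent","last_mfa":"2024-05-02T14:03:30Z"}
{"ts":"2024-05-02T15:12:09Z","event":"TokenRefresh","user":"bob@example.com","app_id":"hr-sync-helper","ip":"198.51.100.7","scopes":"Mail.ReadWrite offline_access"}
{"ts":"2024-05-02T15:30:00Z","event":"TokenRefresh","user":"alice@example.com","app_id":"legit-mail-client","ip":"203.0.113.10","scopes":"Mail.ReadWrite offline_access"}
"""


def _ts(value: str) -> datetime:
    # Timestamps are ISO 8601 with a trailing Z; make them timezone-aware.
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def _in_corp_network(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CORP_NETWORKS)


def analyze_events(ndjson: str) -> list:
    """Return one alert per suspicious ConsentGranted or TokenRefresh event."""
    alerts = []
    for line in ndjson.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        reasons = []
        if ev.get("event") == "ConsentGranted":
            privileged = set(ev["scopes"].split()) & PRIVILEGED_SCOPES
            if privileged:
                if ev["app_id"] not in APPROVED_APPS:
                    reasons.append("privileged scopes granted to app outside the allow-list")
                if not ev["publisher_verified"]:
                    reasons.append("privileged scopes granted to an unverified publisher")
                if ev["consent_type"] != "AdminConsent":
                    reasons.append("end-user consent for privileged scopes")
                # Consent from a session whose MFA is stale is the alert's core signal.
                mfa_age = _ts(ev["ts"]) - _ts(ev["last_mfa"])
                if mfa_age > MFA_FRESHNESS:
                    minutes = int(mfa_age.total_seconds() // 60)
                    reasons.append(f"last MFA {minutes} min before consent")
        elif ev.get("event") == "TokenRefresh":
            # Refresh tokens never re-prompt for MFA, so watch where they are redeemed from.
            if ev["app_id"] not in APPROVED_APPS and not _in_corp_network(ev["ip"]):
                reasons.append("refresh token redeemed by unapproved app from outside corporate networks")
        if reasons:
            alerts.append({
                "ts": ev["ts"],
                "event": ev["event"],
                "user": ev["user"],
                "app_id": ev["app_id"],
                "reasons": reasons,
            })
    return alerts


if __name__ == "__main__":
    for alert in analyze_events(SAMPLE_EVENTS):
        print(json.dumps(alert))
```

On the sample data only the grant to "HR Sync (Corporate)" and the later refresh from 198.51.100.7 fire; the admin‑consented corporate mail client and the low‑impact whiteboard grant stay quiet, which is the signal‑to‑noise balance these rules are meant to keep.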