Predictions for ConsentFix
Based on the speed at which new iterations on the ConsentFix technique were shared by security researchers, and the breadth of apps and possible scopes that can be leveraged, both red teams and criminals will inevitably adopt ConsentFix into their arsenal of TTPs in the near future.
It is likely that new ConsentFix variants will emerge imminently (if not already in circulation).
All security teams responsible for protecting Microsoft environments should ensure that monitoring controls and mitigations are put in place as a matter of high priority.
Updated recommendations for security teams
As an entirely browser-native attack technique, many traditional security tools and data sources are of limited use when it comes to detecting or pre-emptively blocking this attack. At the same time, the attack exploits default Microsoft security configs to evade both prevention and detection controls.
To be able to tackle modern attacks like ConsentFix that occur entirely within the browser context, it is vital that organizations look to monitor the browser as a detection surface, hunt for signs of malicious activity, and block attacks in real-time — in the same way that you would expect EDR to work for endpoint attacks.
For organizations relying on Microsoft logging as the sole line of defense against this attack, there are some new recommendations to add to the list thanks to the community response:
-
Ensure that logging for the deprecated AADGraphActivityLogs is enabled.
-
Hunt in logs for the Application IDs highlighted above, along with the Resource IDs for Windows Azure Active Directory (00000002-0000-0000-c000-000000000000) and Microsoft Intune Checkin (26a4ae64-5862-427f-a9b0-044e62572a4f)
-
Create Service Principals for each of the vulnerable apps and restrict the users that are authorized to access them to reduce the attack surface of users that can be phished with this method.
-
Block access to CLI tools via Conditional Access policy and issue exclusions for authorized users/groups.
Additional resources that may be of use include community-created Elastic detection rules for ConsentFix and further mitigation and hunting guidance from Glueck Kanja.
Learn more about Push Security
Even though this was a brand new technique, Push intercepted the attack and shut it down before customers could interact with it.
Push detects browser-based attacks using behavioral threat detection controls, powered by deep browser telemetry, to provide broad detection and blocking capabilities against attacks happening in the browser. This means analyzing the end-to-end process of a webpage loading/running in the browser, and how the user interacts with the page, to spot universal indicators of bad activity.
This is the only reliable way to detect malicious websites in a world where IoC-based detections are trivial for attackers to get around. Rather than playing known-bad whac-a-mole, Push detects and blocks even zero-day browser threats in real time.
Push stops browser-based attacks like AiTM phishing, credential stuffing, malicious browser extensions, ClickFix, ConsentFix, and session hijacking.
You don’t need to wait until it all goes wrong either — you can also use Push to proactively find and fix vulnerabilities across the apps that your employees use, like ghost logins, SSO coverage gaps, MFA gaps, vulnerable passwords, and more to harden your identity attack surface.
To learn more about Push, check out our latest product overview or book some time with one of our team for a live demo.
Sponsored and written by Push Security.