The article describes ConsentFix (also called AuthCodeFix), a phishing technique that bypasses MFA by abusing the OAuth 2.0 authorization code flow used by legitimate tools such as Azure CLI. Analyzed by Stamatis Chatzimangou of NVISO's Threat Detection Engineering team, the technique steals a pre-approved authorization code, exchanges it for an access token, and thereby bypasses Conditional Access.
The attack begins on a phishing page, but the victim is redirected to a legitimate Microsoft login to authorize an application, often Azure CLI; because Entra ID implicitly trusts such first-party apps, the consent prompt can be skipped. The trap relies on the browser being redirected to localhost, where the page fails to load with an error, after which the victim is told to copy the resulting URL, which contains the authorization code, and paste it back into the phishing site. The attacker then exchanges the code for an access token on their own machine.
This exchange grants access with the same permissions as the spoofed application, effectively sidestepping security controls and allowing tokens to be obtained from non-compliant devices or untrusted locations.
The report notes that Azure CLI is one of several first-party applications affected, other examples being Microsoft Azure PowerShell, Visual Studio Code, Microsoft Teams and Microsoft SharePoint Online Management Shell, and it highlights how investigators can hunt for the activity in AADNonInteractiveUserSignInLogs by correlating initial sign-ins with subsequent token exchanges. The piece was published on 2 February 2026.
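The hunt the report describes, correlating a user's interactive sign-in with a later non-interactive token exchange for the same first-party app from a different IP address, sketched in Python as an added example (not NVISO's own query). Field names are modelled loosely on the Azure AD sign-in log tables, the ten-minute window is an assumed tuning value, and the records are constructed sample data.

```python
"""Correlate interactive sign-ins with later token exchanges (constructed data).

Added example, not from the NVISO article: an interactive Entra ID sign-in
(as would appear in SigninLogs) followed within minutes by a non-interactive
token acquisition for the same app (as in AADNonInteractiveUserSignInLogs)
from a different IP address is the pattern flagged here. Field names are
modelled loosely on those tables; the records below are constructed.
"""
from datetime import datetime, timedelta

# Constructed sample: one interactive sign-in, then three non-interactive
# token acquisitions for the same user and app.
INTERACTIVE = [
    {"TimeGenerated": "2026-02-02T09:00:00", "UserPrincipalName": "alice@example.com",
     "AppDisplayName": "Microsoft Azure CLI", "IPAddress": "203.0.113.10"},
]
NON_INTERACTIVE = [
    {"TimeGenerated": "2026-02-02T09:00:40", "UserPrincipalName": "alice@example.com",
     "AppDisplayName": "Microsoft Azure CLI", "IPAddress": "203.0.113.10"},   # same IP: benign
    {"TimeGenerated": "2026-02-02T09:03:15", "UserPrincipalName": "alice@example.com",
     "AppDisplayName": "Microsoft Azure CLI", "IPAddress": "198.51.100.77"},  # other IP: flagged
    {"TimeGenerated": "2026-02-02T13:00:00", "UserPrincipalName": "alice@example.com",
     "AppDisplayName": "Microsoft Azure CLI", "IPAddress": "198.51.100.77"},  # outside window
]


def _ts(rec):
    return datetime.fromisoformat(rec["TimeGenerated"])


def correlate_code_redemptions(interactive, non_interactive, window=timedelta(minutes=10)):
    """Return non-interactive events that follow an interactive sign-in by the
    same user for the same app within `window` but from a different IP address."""
    hits = []
    for ni in non_interactive:
        for ia in interactive:
            same_user = ia["UserPrincipalName"] == ni["UserPrincipalName"]
            same_app = ia["AppDisplayName"] == ni["AppDisplayName"]
            delta = _ts(ni) - _ts(ia)
            in_window = timedelta(0) <= delta <= window
            if same_user and same_app and in_window and ia["IPAddress"] != ni["IPAddress"]:
                hits.append({"user": ni["UserPrincipalName"], "app": ni["AppDisplayName"],
                             "signin_ip": ia["IPAddress"], "token_ip": ni["IPAddress"],
                             "seconds_after_signin": int(delta.total_seconds())})
    return hits


if __name__ == "__main__":
    for hit in correlate_code_redemptions(INTERACTIVE, NON_INTERACTIVE):
        print(hit)
```

A same-IP redemption is normal for a genuine Azure CLI login, so the IP mismatch is what separates this pattern from routine use; in production the join would run in KQL over the real tables rather than in Python.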