microsoft-365 - TrustStrike Labs

threat

2026-05-02

New 'ConsentFix v3' attack lets criminals take over Microsoft 365 accounts even when MFA and passkeys are turned on

Push Security disclosed ConsentFix v3, a new attack that lets criminals take over Microsoft 365 accounts even if the victim has MFA and phishing-resistant passkeys turned on. The trick: instead of stealing a password, the attacker tricks the user into pasting a Microsoft authorization URL into a phishing page during what looks like a routine login. That URL contains a one-time code that the attacker exchanges for permanent access tokens. v3 automates the whole attack with Cloudflare Pages phishing sites, Pipedream webhook automation, and tenant fingerprinting that customizes the lure to each target organization's branding.

consentfix oauth azure microsoft-365 entra-id push-security mfa-bypass passkey-bypass first-party-apps cloudflare-pages pipedream

Check: Brief any Microsoft 365 admin or developer that any 'verification step' that asks them to paste a URL containing 'localhost' into a webpage is hostile, no matter how legitimate the page looks.
Affected: Any Microsoft 365 / Entra ID tenant. The attack bypasses MFA, passkeys, and most Conditional Access policies by abusing pre-consented Microsoft first-party apps. Acute risk for organizations whose admins, developers, or DevOps engineers regularly use Azure CLI - those users won't suspect a fake Azure CLI authorization page. Cloudflare Pages and Pipedream both look legitimate in network telemetry.
Fix: Apply token binding to trusted devices and require Conditional Access for first-party Microsoft apps where possible. Hunt Azure sign-in logs for Azure CLI authentications from unfamiliar IPs, especially against accounts that don't normally use it. Train developers to verify out-of-band any 'verification step' that asks them to paste URLs into a webpage. Use app authentication restrictions to limit which first-party apps can issue refresh tokens.

defense

2026-04-13

FBI and Indonesian police dismantle W3LL phishing platform that powered business email compromise attacks worldwide

The FBI Atlanta Field Office and Indonesian authorities have dismantled the W3LL global phishing platform and arrested its alleged developer. W3LL sold a sophisticated phishing kit designed specifically for bypassing multi-factor authentication on Microsoft 365 accounts using adversary-in-the-middle (AiTM) techniques. The platform operated as a phishing-as-a-service ecosystem with its own marketplace, support channels, and licensing model, enabling thousands of business email compromise campaigns targeting corporate Microsoft 365 environments. This is described as the first coordinated international law enforcement action against this platform. Group-IB previously estimated W3LL's tools had been used to compromise over 8,000 Microsoft 365 business accounts.

w3ll phishing microsoft-365 bec aitm mfa-bypass law-enforcement fbi

Check: Review your Microsoft 365 security configuration. W3LL's kit was specifically designed to bypass standard MFA on M365 - organizations relying solely on push notification or SMS-based MFA for M365 were the primary targets.
Affected: Organizations using Microsoft 365 with standard MFA (push notifications, SMS codes, or authenticator app approval prompts). W3LL's AiTM technique proxied real login pages to intercept session tokens after MFA completion.
Fix: Deploy phishing-resistant MFA for Microsoft 365 - FIDO2 security keys or Windows Hello for Business are resistant to AiTM attacks. Enable conditional access policies that evaluate sign-in risk, device compliance, and location. Monitor for suspicious mailbox rules (forwarding, deletion rules) which are the first post-compromise action in BEC campaigns. The W3LL takedown disrupts one platform, but the AiTM phishing technique is now widely adopted by other kits.