Microsoft’s Patch Tuesday Disaster + New OAuth Attack Bypasses MFA
Cloud Security Weekly #16 - December 7th - 14th 2025
December’s Patch Tuesday didn’t just patch vulnerabilities, it broke production systems. MSMQ is dead on Server 2016/2019, RADIUS authentication is failing across enterprises, and Server 2025 machines won’t boot after patching. Meanwhile, a new OAuth attack is hijacking Microsoft accounts without touching passwords or MFA, and Microsoft’s own infrastructure stumbled twice this week with multi-hour outages. If you deployed patches blindly on December 9th, you’re probably fighting fires right now.
💡 Adversary Lab Pro: Get a tested Azure/M365 detection playbook monthly. $150/month Learn more below
In This Issue
ConsentFix attack bypasses MFA - New phishing technique hijacks accounts via Azure CLI OAuth flow
Patch Tuesday broke production - MSMQ, RADIUS, and Server 2025 boot failures across enterprises
Azure Government went dark for 3+ hours - Same key rotation mistake Microsoft made in China hours earlier
Microsoft 365 authentication outage - Token generation failure took down Teams, Outlook, OneDrive
No December preview updates - Microsoft skipping non-security patches for the holidays
🔥 What’s Actually Breaking
MSMQ Service Failures (Server 2016/2019) - KB5071543/KB5071544
The Problem: December patches changed NTFS permissions on C:\Windows\System32\msmq\storage without documentation. MSMQ service fails with “insufficient disk space or memory” errors.
Who’s Affected: Windows Server 2016/2019 running Message Queuing. Server 2022 unaffected.
Current Status: Microsoft confirmed the issue on December 11. No fix timeline provided.
Workaround: Uninstall December updates OR manually grant service accounts modify permissions (temporary, not recommended for production).
Source: Microsoft Learn thread, r/sysadmin Patch Tuesday megathread
RADIUS/WiFi Authentication Failures (Server 2019/2022)
The Problem: NPS servers reject authentication requests after patching. Android 802.1X clients cannot connect, and EAP handshake errors are reported.
Who’s Affected: Environments using Network Policy Server for WiFi/VPN authentication.
Workaround: Uninstall December updates from NPS servers.
Source: r/sysadmin multiple reports
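A post-patch health check for the two server-side failures above (MSMQ storage permissions and NPS rejections), as an added example that is not from the newsletter or from Microsoft. It reads the MSMQ service account from the service definition (normally NT AUTHORITY\NETWORK SERVICE) rather than assuming it, uses the KB IDs the newsletter cites for Server 2016/2019, and counts NPS "access denied" events (Security event 6273) as the RADIUS symptom. Run it elevated on each patched host.

```powershell
# Added example, not from the newsletter: post-patch health check for MSMQ and NPS hosts.
# KB IDs are the ones the newsletter cites for Server 2016/2019; extend for other builds.
# The MSMQ service account is resolved at run time instead of being assumed.

$DecemberKbs = @('KB5071543', 'KB5071544')
$MsmqStorage = 'C:\Windows\System32\msmq\storage'

function Get-InstalledDecemberKbs {
    # December KB IDs present on this host (empty array if none).
    @(Get-HotFix | Where-Object { $DecemberKbs -contains $_.HotFixID } |
        Select-Object -ExpandProperty HotFixID)
}

function Get-ServiceHealth {
    param([Parameter(Mandatory)][string]$Name)
    # $null when the role is not installed; Running (or deliberately Disabled) counts as healthy.
    $svc = Get-Service -Name $Name -ErrorAction SilentlyContinue
    if (-not $svc) { return $null }
    [pscustomobject]@{
        Service = $Name
        Status  = $svc.Status
        Healthy = ($svc.Status -eq 'Running' -or $svc.StartType -eq 'Disabled')
    }
}

function Get-ServiceAccountSid {
    param([Parameter(Mandatory)][string]$StartName)
    # Win32_Service.StartName uses 'LocalSystem' / 'NT AUTHORITY\NetworkService', while ACL
    # entries show 'NT AUTHORITY\NETWORK SERVICE'; compare by SID to avoid the spelling mismatch.
    switch -Regex ($StartName) {
        '^LocalSystem$'                  { return [System.Security.Principal.SecurityIdentifier]'S-1-5-18' }
        'NetworkService|NETWORK SERVICE' { return [System.Security.Principal.SecurityIdentifier]'S-1-5-20' }
        'LocalService|LOCAL SERVICE'     { return [System.Security.Principal.SecurityIdentifier]'S-1-5-19' }
    }
    (New-Object System.Security.Principal.NTAccount($StartName)).Translate(
        [System.Security.Principal.SecurityIdentifier])
}

function Test-MsmqStorageAcl {
    # Does the MSMQ service account still hold Modify (FullControl includes it) on the storage folder?
    if (-not (Test-Path -LiteralPath $MsmqStorage)) { return $null }
    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='MSMQ'"
    if (-not $svc) { return $null }
    $sid    = Get-ServiceAccountSid -StartName $svc.StartName
    $modify = [System.Security.AccessControl.FileSystemRights]::Modify
    $rules  = (Get-Acl -LiteralPath $MsmqStorage).GetAccessRules(
        $true, $true, [System.Security.Principal.SecurityIdentifier])
    $granted = $rules | Where-Object {
        $_.IdentityReference.Value -eq $sid.Value -and
        $_.AccessControlType -eq 'Allow' -and
        (($_.FileSystemRights -band $modify) -eq $modify)
    }
    [pscustomobject]@{
        Path      = $MsmqStorage
        Account   = $svc.StartName
        HasModify = [bool]$granted
    }
}

function Get-NpsRejectCount {
    param([int]$Hours = 24)
    # Security event 6273 = "Network Policy Server denied access to a user". A spike after
    # patching on a host whose policies did not change is the RADIUS symptom described above.
    $events = Get-WinEvent -FilterHashtable @{
        LogName = 'Security'; Id = 6273; StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue
    if ($events) { @($events).Count } else { 0 }
}

[pscustomobject]@{
    DecemberKbsInstalled = (Get-InstalledDecemberKbs) -join ', '
    Msmq                 = Get-ServiceHealth -Name 'MSMQ'
    MsmqStorageAcl       = Test-MsmqStorageAcl
    Nps                  = Get-ServiceHealth -Name 'IAS'   # the NPS service name is IAS
    NpsRejects24h        = Get-NpsRejectCount
} | Format-List
```

A host that has the December KB installed, `HasModify = False` on the storage folder and a stopped MSMQ service matches the failure pattern above; treat that as the trigger for the rollback plan rather than re-granting permissions by hand on production hosts.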
Server 2025 Boot Failures
The Problem: Boot error 0xc0000098 with vpci.sys missing or corrupt. Restoring from backup and re-applying the patch reproduces the failure.
Who’s Affected: Windows Server 2025 environments that patched December 9.
Current Status: Microsoft hasn’t acknowledged. Multiple confirmed reports.
Recommendation: Hold Server 2025 patches until resolution.
Source: r/sysadmin Patch Tuesday megathread
PowerShell Breaking Change - CVE-2024-54100
The Problem: PowerShell now prompts for a security confirmation by default, which will break unattended automation.
Who’s Affected: Any automation that calls Invoke-WebRequest without the -UseBasicParsing switch under Windows PowerShell 5.1. PowerShell 7 ignores the switch, since basic parsing is its only mode.
Fix: Add -UseBasicParsing to all Invoke-WebRequest calls in scripts that run under Windows PowerShell 5.1.
Source: KB5074596
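A scanner and fixer for the Invoke-WebRequest change, as an added example (not code from the newsletter or from Microsoft). It uses PowerShell's own parser rather than a regex, so command names inside strings and comments are ignored, the Windows PowerShell 5.1 aliases (iwr, irm, curl, wget) are caught, and splatted parameter sets are flagged for a manual look instead of being silently edited. The sample script at the bottom is constructed for the demo; the function names are this example's own.

```powershell
# Added example, not from the newsletter: find Invoke-WebRequest / Invoke-RestMethod calls
# that omit -UseBasicParsing and insert the switch. Only Windows PowerShell 5.1 needs it;
# PowerShell 7 ignores the switch, so run this against scripts that still target 5.1.

function Get-WebRequestCalls {
    param([Parameter(Mandatory)][string]$ScriptText)
    $tokens = $null; $errors = $null
    $ast = [System.Management.Automation.Language.Parser]::ParseInput(
        $ScriptText, [ref]$tokens, [ref]$errors)
    $targets = @('Invoke-WebRequest', 'Invoke-RestMethod', 'iwr', 'irm', 'curl', 'wget')
    $calls = $ast.FindAll({ $args[0] -is [System.Management.Automation.Language.CommandAst] }, $true)
    foreach ($cmd in $calls) {
        $name = $cmd.GetCommandName()      # $null for dynamic invocations such as & $var
        if (-not $name -or $targets -notcontains $name) { continue }
        $paramNames = @($cmd.CommandElements |
            Where-Object { $_ -is [System.Management.Automation.Language.CommandParameterAst] } |
            ForEach-Object { $_.ParameterName })
        # A splatted hashtable (@params) may carry the switch; flag it rather than guess.
        $isSplatted = [bool]($cmd.CommandElements |
            Where-Object { $_ -is [System.Management.Automation.Language.VariableExpressionAst] -and $_.Splatted })
        # PowerShell accepts unambiguous prefixes, so -UseBasic also counts as present.
        $hasSwitch = [bool]($paramNames |
            Where-Object { 'UseBasicParsing'.StartsWith($_, [System.StringComparison]::OrdinalIgnoreCase) })
        $status = if ($hasSwitch) { 'OK' } elseif ($isSplatted) { 'SplattedVerifyManually' } else { 'Missing' }
        [pscustomobject]@{
            Line      = $cmd.Extent.StartLineNumber
            Command   = $name
            Status    = $status
            EndOfName = $cmd.CommandElements[0].Extent.EndOffset   # insertion point for the switch
        }
    }
}

function Add-UseBasicParsing {
    # Returns the script text with ' -UseBasicParsing' inserted after every 'Missing' command name.
    param([Parameter(Mandatory)][string]$ScriptText)
    $text = $ScriptText
    $missing = Get-WebRequestCalls -ScriptText $ScriptText |
        Where-Object { $_.Status -eq 'Missing' } |
        Sort-Object -Property EndOfName -Descending   # edit from the end so earlier offsets stay valid
    foreach ($call in $missing) {
        $text = $text.Insert($call.EndOfName, ' -UseBasicParsing')
    }
    $text
}

# Constructed sample script. For a real tree:
#   Get-ChildItem -Path C:\Scripts -Recurse -Filter *.ps1 | ForEach-Object {
#       Get-WebRequestCalls -ScriptText (Get-Content -Raw $_.FullName) }
$sample = @'
$r = Invoke-WebRequest -Uri 'https://example.com/health'          # flagged
$j = irm 'https://example.com/api' -Method Get                     # flagged (alias)
Invoke-WebRequest -Uri 'https://example.com' -UseBasicParsing      # OK
$p = @{ Uri = 'https://example.com'; UseBasicParsing = $true }
Invoke-WebRequest @p                                               # verify manually
Write-Host 'Invoke-WebRequest inside a string is not a call'
'@

Get-WebRequestCalls -ScriptText $sample | Format-Table Line, Command, Status -AutoSize
Add-UseBasicParsing -ScriptText $sample
```

On the sample the first two calls are reported as Missing, the third as OK and the splatted one as SplattedVerifyManually; the rewritten text places the switch directly after the command name, which is valid regardless of which other parameters follow.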
Other Issues This Week:
WiFi instability on Lenovo laptops with Intel BE200 NICs (WPA2/PEAP)
AppXSvc service stopping unexpectedly (Server 2025, Win11 24H2/25H2)
VMware Horizon black screen issues (Win11 24H2 + FSLogix)
📰 Official Announcements
Security Alerts
ConsentFix Attack - OAuth Account Hijacking
What’s new:
Phishing attack hijacks Microsoft accounts via Azure CLI OAuth flow
Bypasses passwords, MFA, and phishing-resistant auth (passkeys)
Browser-only attack—no endpoint interaction, no credential entry
Azure CLI is a first-party Microsoft app: it cannot be deleted from the tenant or blocked the way a third-party app registration can
Attack flow: user lands on a compromised site → fake Cloudflare CAPTCHA filters targets → a legitimate Microsoft login opens → the user copies the localhost redirect URL (which carries the OAuth authorization code) → pastes it into the attacker's page → the attacker redeems the code and gets full account access as Azure CLI
Detection (from Push Security research):
Hunt Azure CLI sign-ins (Application ID 04b07795-8ddb-461a-bbee-02f9e1bf7b46) by the resource the token was issued for:
Suspicious: Resource = 00000002-0000-0000-c000-000000000000 (Windows Azure Active Directory, the legacy Azure AD Graph API)
Legitimate: Resource = Azure Resource Manager (shown as Windows Azure Service Management API in sign-in logs)
Alert on Azure CLI use outside admin/developer roles
Post-compromise: non-interactive logins from unusual IPs (observed: US, Indonesia)
Critical requirement:
Enable AADGraphActivityLogs in Entra ID diagnostic settings - the attacker's post-compromise calls go to the legacy Azure AD Graph API, which MicrosoftGraphActivityLogs does not capture
Known IoCs:
Domains: trustpointassurance.com, fastwaycheck.com, previewcentral.com
IPs: 12.75.216.90, 182.3.36.223, 12.75.116.137
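The detection logic above, run over sign-in records, as an added example that is not from the newsletter or from Push Security's research. The Azure CLI app ID, the AAD Graph resource ID and the IoC IPs are the ones listed above; the sign-in records are constructed for the demo (203.0.113.0/24 is documentation address space), and the "expected CLI users" list and account names are assumptions to replace with your admin/developer group membership. For live data, feed the function from Microsoft Graph (Microsoft.Graph.Reports module), whose signIn objects carry the same property names.

```powershell
# Added example, not from the newsletter: hunt Entra ID sign-in records for the ConsentFix pattern.
# Live source (assumed module/permissions in place):
#   Get-MgAuditLogSignIn -All -Filter "appId eq '04b07795-8ddb-461a-bbee-02f9e1bf7b46'"

$AzureCliAppId    = '04b07795-8ddb-461a-bbee-02f9e1bf7b46'
$AadGraphResource = '00000002-0000-0000-c000-000000000000'   # "Windows Azure Active Directory" (legacy AAD Graph)
$IocIps           = @('12.75.216.90', '182.3.36.223', '12.75.116.137')
# Assumed baseline: accounts expected to use Azure CLI; derive from group membership in production.
$ExpectedCliUsers = @('cloudadmin@contoso.example', 'dev1@contoso.example')

function Find-ConsentFixSignIns {
    param([Parameter(Mandatory)][object[]]$SignIns)
    foreach ($s in $SignIns) {
        if ($s.AppId -ne $AzureCliAppId) { continue }          # only Azure CLI sign-ins
        $reasons = @()
        if ($s.ResourceId -eq $AadGraphResource) {
            $reasons += 'Azure CLI token for legacy AAD Graph instead of Azure Resource Manager'
        }
        if ($ExpectedCliUsers -notcontains $s.UserPrincipalName) {
            $reasons += 'user outside the admin/developer baseline'
        }
        if ($IocIps -contains $s.IpAddress) {
            $reasons += 'source IP is a published ConsentFix IoC'
        }
        if (-not $s.IsInteractive -and $reasons.Count -gt 0) {
            $reasons += 'non-interactive token use (post-compromise refresh pattern)'
        }
        if ($reasons.Count -eq 0) { continue }
        [pscustomobject]@{
            Time     = $s.CreatedDateTime
            User     = $s.UserPrincipalName
            Ip       = $s.IpAddress
            Resource = $s.ResourceDisplayName
            Severity = if ($reasons.Count -ge 2) { 'High' } else { 'Medium' }
            Reasons  = ($reasons -join '; ')
        }
    }
}

# Constructed sample records in the shape of Graph signIn objects.
$sample = @(
    [pscustomobject]@{ CreatedDateTime = '2025-12-10T09:12:00Z'; UserPrincipalName = 'cloudadmin@contoso.example'
        AppId = $AzureCliAppId; ResourceId = '797f4846-ba00-4fd7-ba43-dac1f8f63013'
        ResourceDisplayName = 'Windows Azure Service Management API'; IpAddress = '203.0.113.10'; IsInteractive = $true }
    [pscustomobject]@{ CreatedDateTime = '2025-12-10T10:03:00Z'; UserPrincipalName = 'finance.user@contoso.example'
        AppId = $AzureCliAppId; ResourceId = $AadGraphResource
        ResourceDisplayName = 'Windows Azure Active Directory'; IpAddress = '12.75.216.90'; IsInteractive = $true }
    [pscustomobject]@{ CreatedDateTime = '2025-12-10T10:41:00Z'; UserPrincipalName = 'finance.user@contoso.example'
        AppId = $AzureCliAppId; ResourceId = '00000003-0000-0000-c000-000000000000'
        ResourceDisplayName = 'Microsoft Graph'; IpAddress = '182.3.36.223'; IsInteractive = $false }
    [pscustomobject]@{ CreatedDateTime = '2025-12-10T11:00:00Z'; UserPrincipalName = 'finance.user@contoso.example'
        AppId = '00000000-0000-0000-0000-000000000000'; ResourceId = '00000003-0000-0000-c000-000000000000'
        ResourceDisplayName = 'Microsoft Graph'; IpAddress = '203.0.113.20'; IsInteractive = $true }   # not Azure CLI
)

Find-ConsentFixSignIns -SignIns $sample | Format-Table -AutoSize
```

The admin's normal Azure CLI sign-in to Azure Resource Manager produces no finding; the finance user's interactive Azure CLI sign-in for AAD Graph from an IoC address and the later non-interactive Microsoft Graph token use both come out as High. The same predicate in KQL over SigninLogs and AADNonInteractiveUserSignInLogs keys on AppId and ResourceIdentity.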
What it doesn’t address:
No way to block Azure CLI (first-party app with implicit trust)
User education has limited effectiveness
Traditional phishing controls do not apply: delivery is through Google Search results rather than email, and no credentials are entered
Links: Push Security research, BleepingComputer
December 2025 Patch Tuesday | December 9th 2025
What’s new:
72 CVEs patched (16 Critical, 54 Important)
1 zero-day actively exploited: CVE-2024-49138 (Windows Common Log File System Driver)
Critical LDAP RCE: CVE-2024-49112 (CVSS 9.8)
Critical Hyper-V RCE: CVE-2024-49117 (guest-to-host breakout)
What this means in practice:
CVE-2024-49138 (CLFS zero-day):
Elevation of privilege to SYSTEM
Publicly known and actively exploited
CISA KEV deadline: December 31, 2024
Likely being paired with code execution bugs in ransomware attacks
CVE-2024-49112 (LDAP RCE):
Allows remote, unauthenticated attackers to exploit Domain Controllers
Code execution at LDAP service level (elevated but not SYSTEM)
Microsoft’s mitigation: “Disconnect Domain Controllers from the internet” (not practical)
What it doesn’t do:
Doesn’t fix the production issues listed in “What’s Breaking” section
Microsoft introduced new bugs while fixing old ones
Links: Security Update Guide, Zero Day Initiative analysis
Azure Government Outage | December 8, 2025
What happened:
3+ hour outage (11:04-14:13 EST)
Azure Resource Manager (ARM) completely unavailable
All Azure Government regions affected
Azure Portal, REST APIs, PowerShell, CLI all broken
Root cause:
Inadvertent automated key rotation on Cosmos DB account that should have been manual
ARM couldn’t fetch authorization policies from Cosmos DB
Same mistake occurred in Azure China 3 hours earlier
Microsoft rotated Azure Gov keys BEFORE fixing China issue
What this means in practice:
Classic “didn’t learn from first failure” scenario. Government contractors and federal agencies couldn’t manage ANY Azure resources for 3+ hours.
What Microsoft is doing:
Completed audit of other manual keys
Proper auto-rotation framework: ETA February 2026
Cosmos DB team adding change safety controls
Link: Azure Status History PIR
Microsoft 365 Authentication Outage | December 10, 2025
What happened:
Token generation issue in authentication infrastructure
Teams, Outlook, OneDrive, Office web apps affected; desktop apps remained functional
~2 hour duration
Root cause:
Service change introduced an issue with token expiry time identification
Workaround: Use desktop apps instead of web
Link: Multiple web reports, Microsoft 365 Status tweets
Microsoft Fabric Reliability Crisis | Ongoing
What Brent Ozar found:
Security practitioners need to know: Microsoft Fabric’s status page is unreliable.
The pattern:
181 incidents tracked by IsDown since November 2024
289 outages over 2+ years (StatusGator)
Status page shows “all green” during actual outages
12+ hour overnight outages with delayed status updates
No outage history published (unlike Azure)
No SLA exists for Fabric
What this means in practice:
Admins troubleshoot thinking it’s their configuration problem, not realizing the platform is down. Microsoft uses misleading statistics in post-mortems (total subscriber base vs. actually affected population) and underreports outage durations.
Quote from Brent Ozar: “Fabric’s status page is fabricated bullshit”
Recent December issues:
Git integration 403 errors
Workspace GUI latency
Warehouse endpoint connectivity failures
Power BI outages across regions
Links: Brent Ozar blog, StatusGator tracking, IsDown monitoring
📋 What You Should Actually Do This Week
🚨 CRITICAL (December 31, 2024):
Patch CVE-2024-49138 (CLFS zero-day) - CISA KEV deadline. Actively exploited. All supported Windows versions affected.
⚠️ HIGH PRIORITY (This Week):
Enable AADGraphActivityLogs if not already active - Required to detect ConsentFix post-compromise activity (legacy scope abuse)
Hunt for suspicious Azure CLI logins - Query for Application ID 04b07795-8ddb-461a-bbee-02f9e1bf7b46 outside admin/developer groups
Check for ConsentFix IoC IPs in Azure logs - 12.75.216.90, 182.3.36.223, 12.75.116.137
Test December patches in isolated environment BEFORE deploying - MSMQ, RADIUS, and Server 2025 boot failures confirmed
If already deployed: Check MSMQ and NPS servers - Verify services are running. Have rollback plan ready.
Update PowerShell automation scripts - Add -UseBasicParsing to all Invoke-WebRequest calls in scripts that run under Windows PowerShell 5.1 (PowerShell 7 ignores the switch)
📋 MEDIUM PRIORITY (Before Month-End):
Review Azure CLI usage patterns - Establish baseline for legitimate admin/developer use vs. unexpected accounts
Evaluate patching strategy for critical servers - December showed the risk of blind deployment
Review LDAP exposure on Domain Controllers - CVE-2024-49112 requires network access to DC
Test Hyper-V patches - CVE-2024-49117 affects guest-to-host isolation
🔍 LOW PRIORITY (Nice to Have):
Document ConsentFix attack for user awareness - Limited effectiveness but worth including in security training
Review Fabric status monitoring approach - If using Fabric, don’t rely on Microsoft’s status page alone
🔮 Looking Ahead
Patch Tuesday Schedule:
Next Patch Tuesday: January 13, 2026 (second Tuesday of the month)
Note: No December non-security preview update (Microsoft holiday operations)
Key Dates:
December 31, 2024: CISA KEV deadline for CVE-2024-49138
💡 When the Alert Fires, Do You Have the Playbook?
You get the alert: “Suspicious Azure CLI authentication from non-admin account.”
Do you know which tables to query? What normal vs. malicious looks like? How to scope the compromise?
Adversary Lab Pro: Production-grade detection playbook delivered monthly.
Each playbook includes KQL queries that work, investigation workflows tested in production, and response procedures you can hand to junior analysts.
$150/month
Built by a SecOps engineer who debugs these alerts in production.
📚 About Cloud Security Weekly
Microsoft Azure security news, threat intelligence, and product updates. Every article is verified, dated, and sourced.
📤 Know someone who needs this? Forward this email or share: [Substack URL]
Connect: LinkedIn | Adversary Lab
Created by: Charles Garrett
SecOps Engineer | Weekly Microsoft security news + monthly Azure and M365 detection playbooks
See you next week! 👋

