ConsentFix and ClickFix: New Attack Chains Hijack Microsoft 365 Accounts in Seconds
Attackers are exploiting user habits and Microsoft 365's OAuth consent flows to hijack accounts in mere seconds, bypassing MFA protections.

Modern cyber threats are increasingly subtle, eschewing brute-force methods for stealthy infiltration into everyday workflows. The latest attack chains, dubbed ConsentFix and ClickFix, exemplify this trend by transforming routine user actions into pathways for immediate Microsoft 365 account compromise.
ClickFix attacks leverage ingrained user habits, tricking victims into executing attacker-supplied commands by following seemingly innocuous keyboard-shortcut instructions. This method bypasses traditional vulnerability exploits and firewall defenses, relying instead on social engineering and the user's own machine to execute malicious code. ClickFix remains active, but attackers have already evolved the concept into more sophisticated variants.
The newer ConsentFix variant targets Microsoft 365's OAuth consent flows, the familiar sign-in prompts users often navigate without deep scrutiny. Attackers use phishing lures, sometimes delivered through trusted platforms and password-protected documents, to evade security tooling. The victim encounters a legitimate-looking Microsoft authentication screen and is instructed to drag a localhost callback link into their browser.
This drag-and-drop action is the critical trap. Instead of completing a standard authentication, the user unknowingly surrenders OAuth tokens. This grants attackers immediate session access to email and other Microsoft 365 services, effectively bypassing password and multi-factor authentication (MFA) requirements. The compromise occurs through the manipulation of a legitimate-looking authentication flow, rather than by stealing credentials directly.
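Because ConsentFix never touches a password, the only tenant-side trace of the consent-and-token exchange described above is the consent grant itself and the session that follows it. The script below is an added detection example, not code from the article: it walks a handful of constructed, simplified audit records (the field names, app IDs and addresses are assumptions, and `redirect_uri` in particular may not be present in every tenant's consent event) and flags consent grants that combine persistent mailbox scopes with a loopback redirect or an unknown app, then correlates each one with a sign-in from an unfamiliar address shortly afterwards.

```python
"""Flag risky OAuth consent grants and follow-on sign-ins in Microsoft 365
audit records. Added example, not from the article; the record layout is
a simplified, constructed approximation of Entra ID audit/sign-in fields,
and every app ID and IP address below is made up."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Delegated permissions that, combined with offline_access, give a token
# holder lasting mailbox or file access long after the consent click.
SENSITIVE_SCOPES = {"Mail.Read", "Mail.ReadWrite", "Mail.Send",
                    "Files.Read.All", "MailboxSettings.ReadWrite"}
CORRELATION_WINDOW = timedelta(minutes=15)

# Constructed sample records (not real tenant data).
SAMPLE_RECORDS = [
    {"time": "2024-05-01T09:00:10Z", "operation": "Consent to application.",
     "user": "alice@example.com", "app_id": "aaaaaaaa-0000-0000-0000-000000000001",
     "scopes": "openid profile User.Read",
     "redirect_uri": "https://app.example.com/auth/cb"},
    {"time": "2024-05-01T09:05:00Z", "operation": "Consent to application.",
     "user": "bob@example.com", "app_id": "bbbbbbbb-0000-0000-0000-000000000002",
     "scopes": "openid offline_access Mail.ReadWrite Mail.Send",
     "redirect_uri": "http://localhost:8080/callback"},
    {"time": "2024-05-01T09:06:30Z", "operation": "UserLoggedIn",
     "user": "bob@example.com", "app_id": "bbbbbbbb-0000-0000-0000-000000000002",
     "ip": "203.0.113.77"},
]
# Apps the tenant has reviewed, and each user's usual source addresses
# (constructed baselines; in practice derived from sign-in history).
KNOWN_APPS = {"aaaaaaaa-0000-0000-0000-000000000001"}
USUAL_IPS = {"alice@example.com": {"198.51.100.21"},
             "bob@example.com": {"198.51.100.20"}}


@dataclass
class Finding:
    user: str
    app_id: str
    reasons: list


def parse_time(ts: str) -> datetime:
    # Accept the trailing "Z" form used in exported logs.
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def is_loopback_redirect(uri: str) -> bool:
    # A callback on the local machine is the hallmark of the drag-and-drop flow.
    return urlparse(uri).hostname in {"localhost", "127.0.0.1", "::1"}


def consent_reasons(record: dict, known_apps: set) -> list:
    reasons = []
    scopes = set(record["scopes"].split())
    risky = scopes & SENSITIVE_SCOPES
    if risky and "offline_access" in scopes:
        reasons.append("persistent sensitive scopes: " + " ".join(sorted(risky)))
    if is_loopback_redirect(record["redirect_uri"]):
        reasons.append("loopback redirect URI " + record["redirect_uri"])
    if record["app_id"] not in known_apps:
        reasons.append("app not on the tenant allow-list")
    return reasons


def detect(records: list, known_apps: set, usual_ips: dict) -> list:
    """Return one Finding per risky consent, enriched with any sign-in that
    used the same app from an unfamiliar IP within the correlation window."""
    signins = [r for r in records if r["operation"] == "UserLoggedIn"]
    findings = []
    for rec in records:
        if rec["operation"] != "Consent to application.":
            continue
        reasons = consent_reasons(rec, known_apps)
        if not reasons:
            continue
        t0 = parse_time(rec["time"])
        for s in signins:
            delta = parse_time(s["time"]) - t0
            if (s["user"] == rec["user"] and s["app_id"] == rec["app_id"]
                    and timedelta(0) <= delta <= CORRELATION_WINDOW
                    and s["ip"] not in usual_ips.get(s["user"], set())):
                reasons.append(f"token used from unfamiliar IP {s['ip']} "
                               f"{int(delta.total_seconds())}s after consent")
        findings.append(Finding(rec["user"], rec["app_id"], reasons))
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_RECORDS, KNOWN_APPS, USUAL_IPS):
        print(f.user, f.app_id)
        for r in f.reasons:
            print("  -", r)
```

The allow-list check is the cheapest signal and the one most tenants can enforce directly by restricting user consent to admin-approved apps; the scope and redirect checks catch the case where consent is still permitted, and the sign-in correlation turns a single suspicious grant into evidence that the token was actually used.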
Compounding the threat, the blueprint for ConsentFix has been openly shared on cybercrime forums, complete with working code, infrastructure details, and video tutorials. This significantly lowers the barrier to entry for threat actors, transforming a technically demanding technique into a readily available exploit kit.
Attackers are also adept at reconnaissance, using tools like LinkedIn to profile targets and tailor phishing lures to specific individuals and organizations. This personalized approach increases the likelihood of a successful attack by making the initial phishing message appear more legitimate and relevant.
While user awareness remains a crucial defense layer, these attacks are specifically designed to appear routine, making them difficult to spot. Defenders must implement robust endpoint and identity monitoring to detect the subtle traces left by these attacks, such as unusual PowerShell activity or unexpected session logins. Early detection of these signals is vital to prevent a minor lapse in judgment from escalating into a full account takeover.
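The "unusual PowerShell activity" the paragraph points to has a recognisable shape in process-creation telemetry: the ClickFix habit of pasting into the Run dialog means the interpreter's parent is the interactive shell (explorer.exe) rather than a script host or scheduler, and the pasted command typically hides its window, passes an encoded payload, or fetches more code before running it. The following is an added example, not from the article or from any EDR vendor: a small scorer over constructed, Sysmon-style events (simplified field names; the encoded argument decodes to the harmless string "Placeholder") that raises an alert only when the launch context and command-line traits combine.

```python
"""Score process-creation events for the ClickFix execution pattern:
explorer.exe launching a script interpreter with a hidden window, an
encoded command or a download-and-execute cradle. Added example, not from
the article; the event layout mirrors common Sysmon/EDR fields but is
simplified, and the sample events are constructed."""
import re
from dataclasses import dataclass

INTERPRETERS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe",
                "wscript.exe", "cscript.exe"}
# Parents that mean "a human typed or pasted this" (Run dialog, Explorer bar).
INTERACTIVE_PARENTS = {"explorer.exe"}
# (description, pattern over the command line, weight)
INDICATORS = [
    ("hidden window", re.compile(r"(?i)(?:^|\s)-w(?:indowstyle)?\s+hidden\b"), 2),
    ("encoded command", re.compile(r"(?i)(?:^|\s)-e(?:c|nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{16,}"), 2),
    ("download cradle", re.compile(r"(?i)\b(?:iex|invoke-expression|downloadstring|invoke-webrequest|iwr|curl)\b"), 2),
    ("execution policy bypass", re.compile(r"(?i)-ep\s+bypass|-executionpolicy\s+bypass"), 1),
]
THRESHOLD = 4

# Constructed sample events (not real telemetry).
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    {"host": "WS01", "user": "bob", "parent": r"C:\Windows\explorer.exe", "image": PS,
     # Encoded argument is UTF-16LE "Placeholder", a harmless stand-in.
     "cmdline": "powershell.exe -NoProfile -w hidden -EncodedCommand UABsAGEAYwBlAGgAbwBsAGQAZQByAA=="},
    {"host": "WS01", "user": "bob", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\notepad.exe", "cmdline": "notepad.exe notes.txt"},
    {"host": "SRV02", "user": "SYSTEM", "parent": r"C:\Windows\System32\svchost.exe", "image": PS,
     "cmdline": r"powershell.exe -ExecutionPolicy Bypass -File C:\Scripts\backup.ps1"},
    {"host": "WS03", "user": "carol", "parent": r"C:\Windows\explorer.exe", "image": PS,
     "cmdline": "powershell.exe"},  # plain interactive launch from the Start menu
]


@dataclass
class Alert:
    host: str
    user: str
    score: int
    hits: list


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def score_event(ev: dict) -> tuple:
    """Return (score, list of matched traits) for one event; 0 for non-interpreters."""
    if basename(ev["image"]) not in INTERPRETERS:
        return 0, []
    score, hits = 0, []
    parent = basename(ev["parent"])
    if parent in INTERACTIVE_PARENTS:
        score += 2
        hits.append(f"interpreter launched from {parent}")
    for name, pattern, weight in INDICATORS:
        if pattern.search(ev["cmdline"]):
            score += weight
            hits.append(name)
    return score, hits


def detect_clickfix(events: list, threshold: int = THRESHOLD) -> list:
    alerts = []
    for ev in events:
        score, hits = score_event(ev)
        if score >= threshold:
            alerts.append(Alert(ev["host"], ev["user"], score, hits))
    return alerts


if __name__ == "__main__":
    for a in detect_clickfix(SAMPLE_EVENTS):
        print(f"{a.host} {a.user} score={a.score}: {', '.join(a.hits)}")
```

The weighting matters more than the individual regexes: a scheduled backup script with `-ExecutionPolicy Bypass` and an analyst opening an interactive PowerShell from the Start menu both score below the threshold, while a hidden, encoded interpreter spawned by explorer.exe scores well above it. Tune the threshold against a week of your own process telemetry before wiring the rule to an alert.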
The ongoing evolution of these attack vectors underscores the need for continuous adaptation in security strategies. By understanding the pattern of attackers interrupting normal workflows and leveraging user habits, organizations can better fortify their defenses against these sophisticated, rapid account hijacking techniques.