Skip to content

New Microsoft 365 Attacks: ConsentFix and ClickFix Hijack Accounts in Seconds

Modern cybercrime has evolved to be stealthy and manipulative, often relying on our ingrained online habits to gain access to sensitive information. Two recent attacks targeting Microsoft 365 accounts, known as ConsentFix and ClickFix, exemplify this trend by hijacking user sessions in just three seconds.

The Nature of Modern Cybercrime

The defining characteristic of modern cybercrime is its ability to blend into everyday workflows without raising suspicion. Threat actors have mastered the art of injecting convincing lies at critical moments, often relying on our trained reflexiveness to execute malicious commands. This mechanic is at the core of ClickFix attacks, where victims are tricked into pressing a sequence of keyboard shortcuts that paste and execute attacker-supplied commands.

ClickFix: A Sophisticated Attack Vector

ClickFix surged in 2025 and remains active, but attackers have already evolved the concept into something more sophisticated. The attack vector relies on convincing users to press a sequence of keyboard shortcuts, which are then used to execute malicious commands. This approach is particularly effective because it doesn’t require exploiting any vulnerabilities or confronting firewalls.

ConsentFix: A New Variant Targeting Microsoft 365 Sessions

The newer variant, ConsentFix, shifts the attack surface to Microsoft 365’s OAuth consent flows. The setup appears deceptively clean, with a phishing lure arriving through trusted platforms like Dropbox or DocSend. Victims are then asked to complete what looks like a standard Microsoft authentication screen by dragging a localhost callback link into their browser. This drag-and-drop step is the trap, as it surrenders OAuth tokens and hands session access to email and other Microsoft 365 services without requiring a password or MFA bypass.

The Blueprint for ConsentFix is Shared Openly

By early March 2026, a detailed walkthrough of ConsentFix had been posted on a public Russian cybercrime forum. The post included working code, infrastructure screenshots, and a video tutorial showing exactly how to build and deploy the attack. This documentation has significantly lowered the barrier to entry for attackers.

Detection and Awareness are Key

While awareness still plays a crucial role in preventing these attacks, it’s not enough on its own. Defenders also need detection coverage for the traces left behind by these attacks, such as unusual PowerShell activity or new session logins from unexpected locations. Endpoint and identity monitoring can surface these signals before they snowball into full account compromise.

Conclusion

The emergence of ConsentFix and ClickFix highlights the importance of understanding the patterns used by threat actors to hijack user sessions. By recognizing these tactics, defenders can develop more effective strategies for detection and mitigation. As the cybersecurity landscape continues to evolve, it’s essential to stay informed about emerging threats and adapt our defenses accordingly.

Source: Original article

Leave a Reply

Your email address will not be published. Required fields are marked *