Modern cybercrime has evolved to be stealthy and manipulative, often relying on our ingrained online habits to gain access to sensitive information. Two recent attacks targeting Microsoft 365 accounts, known as ConsentFix and ClickFix, exemplify this trend by hijacking user sessions in just three seconds.
The Nature of Modern Cybercrime
The defining characteristic of modern cybercrime is its ability to blend into everyday workflows without raising suspicion. Threat actors have mastered the art of injecting convincing lies at critical moments, often relying on our trained reflexiveness to execute malicious commands. This mechanic is at the core of ClickFix attacks, where victims are tricked into pressing a sequence of keyboard shortcuts that paste and execute attacker-supplied commands.
ClickFix: A Sophisticated Attack Vector
ClickFix surged in 2025 and remains active, but attackers have already evolved the concept into something more sophisticated. The attack vector relies on convincing users to press a sequence of keyboard shortcuts, which are then used to execute malicious commands. This approach is particularly effective because it doesn’t require exploiting any vulnerabilities or confronting firewalls.
ConsentFix: A New Variant Targeting Microsoft 365 Sessions
The newer variant, ConsentFix, shifts the attack surface to Microsoft 365’s OAuth consent flows. The setup appears deceptively clean, with a phishing lure arriving through trusted platforms like Dropbox or DocSend. Victims are then asked to complete what looks like a standard Microsoft authentication screen by dragging a localhost callback link into their browser. This drag-and-drop step is the trap, as it surrenders OAuth tokens and hands session access to email and other Microsoft 365 services without requiring a password or MFA bypass.
The Blueprint for ConsentFix is Shared Openly
By early March 2026, a detailed walkthrough of ConsentFix had been posted on a public Russian cybercrime forum. The post included working code, infrastructure screenshots, and a video tutorial showing exactly how to build and deploy the attack. This documentation has significantly lowered the barrier to entry for attackers.
Detection and Awareness are Key
While awareness still plays a crucial role in preventing these attacks, it’s not enough on its own. Defenders also need detection coverage for the traces left behind by these attacks, such as unusual PowerShell activity or new session logins from unexpected locations. Endpoint and identity monitoring can surface these signals before they snowball into full account compromise.
Conclusion
The emergence of ConsentFix and ClickFix highlights the importance of understanding the patterns used by threat actors to hijack user sessions. By recognizing these tactics, defenders can develop more effective strategies for detection and mitigation. As the cybersecurity landscape continues to evolve, it’s essential to stay informed about emerging threats and adapt our defenses accordingly.
Source: Original article