Cyberattackers have developed a new tactic, dubbed ConsentFix, that allows them to hijack Microsoft 365 accounts in as little as three seconds. The method exploits the trust users place in legitimate-looking authentication screens, which makes it difficult for even vigilant individuals to detect.
The attack begins with a phishing lure sent through trusted platforms such as Dropbox or DocSend. The victim is then directed to what appears to be a standard Microsoft authentication screen, where they are asked to complete the process by dragging a localhost callback link into their browser. This seemingly innocuous action actually surrenders OAuth tokens, granting the attacker session access to email and other Microsoft 365 services without requiring a password or multifactor authentication (MFA) bypass.
The effectiveness of ConsentFix lies in its ability to masquerade as legitimate behavior. Unlike traditional phishing attacks that rely on exploiting vulnerabilities or convincing users to enter sensitive information, ConsentFix works by manipulating the user into completing an action that looks routine but actually compromises their account. This is particularly insidious because it exploits the trust users have in familiar workflows and online interactions.
The mechanics of ConsentFix are rooted in habits we’ve all developed online. Clicking through CAPTCHAs, accepting cookie prompts, and pressing keyboard shortcuts to move a process along are all trained reflexes that attackers can exploit. By leaning on these reflexes, ConsentFix hijacks the victim’s machine and executes attacker-supplied commands without their knowledge or consent.
The rise of ConsentFix is not an isolated incident. ClickFix, a precursor to this attack, surged in popularity last year and remains active today. However, attackers have evolved the concept to incorporate more sophisticated tactics, making it even more challenging for defenders to detect.
One key aspect of ConsentFix’s success lies in its documentation and dissemination on public cybercrime forums. A detailed walkthrough, complete with working code, infrastructure screenshots, and video tutorials, was posted online by early March 2026. This has effectively lowered the barrier to entry for attackers, making it possible for even novice hackers to execute these attacks.
So, what can you do to reduce your exposure to ConsentFix and similar tactics? Awareness is crucial in this case – pausing to question unusual requests or prompts can short-circuit the entire attack process. However, awareness alone may not be enough, as these attacks are specifically designed to look routine. Defenders also need detection coverage for the traces left behind by these attacks, such as unusual PowerShell activity or new session logins from unexpected locations.
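The grant-then-new-session pattern described above, as an added detection sketch that is not from the article or Bleeping Computer: it walks constructed log records, flags OAuth grants redeemed through a loopback redirect URI, and flags a sign-in from a country the user has not been seen in, noting whether a loopback grant preceded it. The record format, field names and the ten-minute linking window are assumptions of this example.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address
from urllib.parse import urlparse

# Constructed sample events (not a real Microsoft log format; field names are
# assumptions for this example): two baseline sign-ins, then a token grant
# redeemed via a loopback redirect URI, then a sign-in from a new country.
SAMPLE_LOG = """
{"ts": "2026-03-02T09:00:00Z", "type": "signin", "user": "alice@example.com", "country": "GB", "client": "Outlook"}
{"ts": "2026-03-02T09:05:00Z", "type": "signin", "user": "alice@example.com", "country": "GB", "client": "Teams"}
{"ts": "2026-03-03T11:40:00Z", "type": "token_grant", "user": "alice@example.com", "client": "unknown-cli", "redirect_uri": "http://localhost:8400/callback"}
{"ts": "2026-03-03T11:40:07Z", "type": "signin", "user": "alice@example.com", "country": "NG", "client": "unknown-cli"}
"""

GRANT_WINDOW = timedelta(minutes=10)  # assumed window for linking a sign-in to a grant

def parse_ts(ts: str) -> datetime:
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")

def is_loopback_redirect(uri: str) -> bool:
    """True when an OAuth redirect URI points at the local machine."""
    host = urlparse(uri).hostname or ""
    if host == "localhost":
        return True
    try:
        return ip_address(host).is_loopback
    except ValueError:
        return False

def find_suspicious(log_text: str) -> list:
    """Walk events in time order; flag loopback-redirect grants, and sign-ins
    from a country the user has no baseline for, noting a recent grant."""
    seen_countries = defaultdict(set)
    last_grant = {}  # user -> time of the most recent loopback-redirect grant
    findings = []
    for line in log_text.strip().splitlines():
        ev = json.loads(line)
        user, when = ev["user"], parse_ts(ev["ts"])
        if ev["type"] == "token_grant" and is_loopback_redirect(ev.get("redirect_uri", "")):
            last_grant[user] = when
            findings.append({"user": user, "reason": "loopback_redirect_grant",
                             "client": ev["client"]})
        elif ev["type"] == "signin":
            baseline = seen_countries[user]
            if baseline and ev["country"] not in baseline:
                recent = user in last_grant and when - last_grant[user] <= GRANT_WINDOW
                findings.append({"user": user, "reason": "new_location_signin",
                                 "country": ev["country"], "linked_grant": recent})
            baseline.add(ev["country"])
    return findings
```

In practice the same logic would run over exported sign-in and consent audit events rather than the constructed lines embedded here.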
To stay ahead of these threats, consider implementing endpoint and identity monitoring solutions that can surface those signals before they snowball into full account compromise. By acknowledging the evolving nature of cybercrime and staying vigilant, you can mitigate the risk of falling victim to ConsentFix and similar tactics. Remember – a brief lapse in judgment can have devastating consequences, so stay informed, stay alert, and protect your online accounts accordingly.
Source: Bleeping Computer — 2026-07-02