Microsoft 365 Accounts Hijacked in 3 Seconds: The Stealthy Threat of ConsentFix and ClickFix Attacks
In a chilling example of modern cybercrime, threat actors are exploiting everyday online habits to hijack Microsoft 365 accounts in just three seconds. This brazen tactic involves manipulating users into surrendering OAuth tokens, granting attackers session access to email and other services without needing a password or having to bypass multi-factor authentication (MFA).
The attack mechanics are deceptively simple. ClickFix attacks rely on victims’ reflexive behavior when clicking through CAPTCHAs, accepting cookie prompts, or pressing keyboard shortcuts. Attackers exploit this trained response by inserting fake prompts that instruct users to perform these actions, which ultimately paste and execute malicious commands on the victim’s machine.
ClickFix has been surging since 2025 and remains active, but attackers have evolved the concept into a more sophisticated variant known as ConsentFix. This new tactic targets Microsoft 365’s OAuth consent flows, the sign-in prompts that users often breeze through without scrutiny.
A phishing lure typically arrives via trusted platforms like Dropbox or DocSend, sometimes protected by a password that keeps security tooling from inspecting it. The victim clicks through and encounters what appears to be a standard Microsoft authentication screen, only to be asked to complete the process by dragging a localhost callback link into the browser. This seemingly harmless step surrenders OAuth tokens, handing the attacker session access to email and other services.
The infrastructure behind these attacks leans on free or widely available services, making it accessible to even novice threat actors. By early March 2026, a detailed walkthrough of ConsentFix had been posted to a public Russian cybercrime forum, complete with working code, infrastructure screenshots, and a video tutorial showing exactly how to build and deploy the attack.
Awareness still plays a crucial role in short-circuiting these attacks. Asking why a website wants you to press hotkeys or drag a strange link into a browser is often enough to thwart the entire operation. However, defenders also need detection coverage for the traces these attacks leave behind, such as unusual PowerShell activity originating from normal user processes or new session logins from unexpected locations.
Endpoint and identity monitoring can surface those signals before a brief lapse in judgment snowballs into a full account compromise. While awareness alone won’t close the gap, it’s essential to combine vigilance with robust detection capabilities to stay ahead of these stealthy threats.
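As an added illustration (not code from the original article or from any vendor), the two signals named above can be expressed as simple triage logic over endpoint and sign-in events. The event field names, the list of user-facing parent processes, the per-user country baseline and all sample events are assumptions constructed for this example.

```python
# Added example: constructed telemetry with hypothetical field names (not a vendor schema).
# Assumption: processes a user drives by hand (Run dialog via explorer.exe, browsers).
USER_FACING_PARENTS = {"explorer.exe", "chrome.exe", "msedge.exe", "firefox.exe"}
SHELLS = {"powershell.exe", "pwsh.exe"}

PROCESS_EVENTS = [  # constructed process-creation events
    {"user": "alice", "parent": "explorer.exe", "image": "PowerShell.exe"},
    {"user": "bob", "parent": "services.exe", "image": "powershell.exe"},
    {"user": "carol", "parent": "explorer.exe", "image": "notepad.exe"},
]
BASELINE = {"alice": {"DE"}, "dave": {"US"}}  # constructed: countries seen before, per user
SIGNIN_EVENTS = [  # constructed sign-in events
    {"user": "alice", "country": "DE"},
    {"user": "dave", "country": "US"},
    {"user": "dave", "country": "BR"},
    {"user": "erin", "country": "FR"},
]

def suspicious_shell_spawns(events):
    """Return events where PowerShell was started directly by a user-facing process."""
    return [e for e in events
            if e["image"].lower() in SHELLS
            and e["parent"].lower() in USER_FACING_PARENTS]

def classify_signin(event, baseline):
    """Label a sign-in against the user's known countries; None means expected."""
    known = baseline.get(event["user"])
    if known is None:
        # No history for this user: report it separately instead of guessing.
        return "signin_no_baseline"
    return None if event["country"] in known else "signin_new_country"

def triage(process_events, signin_events, baseline):
    """Group findings per user so endpoint and identity signals can be reviewed together."""
    findings = {}
    for e in suspicious_shell_spawns(process_events):
        findings.setdefault(e["user"], []).append("shell_from_user_process")
    for e in signin_events:
        reason = classify_signin(e, baseline)
        if reason:
            findings.setdefault(e["user"], []).append(reason)
    return findings

if __name__ == "__main__":
    for user, reasons in triage(PROCESS_EVENTS, SIGNIN_EVENTS, BASELINE).items():
        print(user, reasons)
```

A user who appears under both an endpoint and an identity finding is the first to review; in practice the parent-process list and the baseline window need tuning to the environment.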
In the face of evolving cybercrime tactics, defenders must adapt to detect and respond to these subtle manipulations. By staying informed about the latest threat landscape and implementing effective monitoring and detection strategies, organizations can reduce their exposure to ConsentFix and ClickFix attacks and protect themselves against these brazen online exploits.
Source: Bleeping Computer — 2026-07-02