It begins with one thing as mundane as dragging a hyperlink into your browser. Three seconds later, the attacker has the tokens he must take over your Microsoft 365 account, and he is performed nothing that conventional safety consciousness coaching would inform you to do. I simply adopted the standard set of directions.
That’s the defining function of recent cybercrime. It does not pressure its approach in. It sneaks silently into the center of your each day workflow, turning on a regular basis actions into moments when all the pieces goes mistaken.
Why do these assaults proceed to work?
These assaults work due to the habits all of us have developed on-line. Click on the CAPTCHA, settle for the cookie immediate, and press the important thing mixture to proceed with the method. These skilled reflexes are what attackers are relying on.
That is the core mechanism behind the ClickFix assault. Victims are introduced with a pretend immediate to press a sequence of keyboard shortcuts to stick and execute instructions specified by the attacker on their machine. There are not any exploitable vulnerabilities and no conflicts with firewalls. It was only a convincing lie inserted on the proper time.
ClickFix proliferated in 2025 and remains to be lively right now, however attackers have already developed the idea into one thing extra subtle.
Determine 1 beneath exhibits a pretend ClickFix-style validation immediate.

Hacker tradecraft is evolving day-after-day, so try Tradecraft Tuesday to study extra!
Be a part of us each month for a more in-depth take a look at the tradecraft of attackers. It has nothing to do with gross sales or merchandise. Join the sequence now or watch earlier episodes. There are not any tips, simply tradecraft.
Register for Tradecraft Tuesdays
New assault variant concentrating on Microsoft 365 classes
The brand new variant, ConsentFix, strikes the assault floor to the Microsoft 365 OAuth consent stream. The sign-in immediate is one thing we have realized to permit customers to simply get previous it with out a lot scrutiny.
The setup appears clear. Phishing lures are sometimes delivered via trusted platforms like Dropbox or DocSend, and are generally behind passwords which can be tough to examine by safety instruments.
As soon as the sufferer clicks via, they’re introduced with a display that appears like an ordinary Microsoft authentication display and requested to tug a localhost callback hyperlink into their browser to finish the method.
This drag and drop process is a lure. Reasonably than finishing an innocuous authentication step, the person unknowingly relinquishes the OAuth token, handing session entry to electronic mail and different Microsoft 365 providers to an attacker and not using a password or MFA bypass.
The sufferer didn’t enter any credentials into the pretend kind. They’ve accomplished what seems to be a reputable authentication stream, and the session itself is stolen.
Determine 2 beneath exhibits how ConsentFix turns what appears like a standard Microsoft 365 sign-in step into session theft.

Criminals brazenly share blueprints
By early March 2026, detailed ConsentFix tutorials had been posted on public Russian cybercrime boards. This included working code, screenshots of the infrastructure, and a video tutorial exhibiting precisely learn how to construct and deploy the assault.
This infrastructure depends on free or broadly out there providers, and the put up additionally outlined how attackers can use LinkedIn and comparable instruments to map organizations and tailor lures to actual individuals earlier than sending a single phishing message.
What was as soon as a method that required significant technical expertise is now packaged with documentation and step-by-step steerage. Obstacles to entry proceed to fall.
The right way to scale back publicity
Consciousness nonetheless has a job. These assaults depend on customers working acquainted workflows with out pausing. Merely asking why an internet site forces you to press a hotkey or drag an odd hyperlink into your browser typically does not inform you all the pieces.
Nevertheless, these assaults are particularly designed to happen each day, so consciousness alone can not shut the hole. Defenders additionally want detection protection for traces left behind, corresponding to anomalous PowerShell exercise originating from regular person processes or new session logins from surprising areas.
Endpoint and id monitoring can floor these alerts earlier than a momentary lapse in judgment snowballs into an account-wide compromise.
The attacker’s job is to interrupt the traditional workflow on the proper time and let the sufferer do the remainder. Understanding the sample is step one to stopping it.
Tradecraft Tuesday: No merchandise. There isn’t a pitch. Only a hack.
Tradecraft Tuesday offers cybersecurity professionals with in-depth evaluation of the newest menace actors, assault vectors, and mitigation methods. Every weekly session options technical walkthroughs of latest incidents, a complete breakdown of malware traits, and the newest indicators of compromise (IOCs).
What contributors will get:
- Detailed clarification of latest menace campaigns and ransomware variants
- Proof-based protection methodologies and remediation strategies
- Direct interplay with Huntress analysts for incident response insights
- Entry actionable menace intelligence and detection steerage
Register for Tradecraft Tuesday →
Strengthen your protection posture with real-time intelligence and technical schooling designed particularly for these chargeable for defending your group’s surroundings.
Sponsored and written by Huntress Labs.
