ConsentFix and ClickFix: How your Microsoft 365 account can be hijacked in 3 seconds

7 Min Read
7 Min Read

It begins with one thing as mundane as dragging a hyperlink into your browser. Three seconds later, the attacker has the tokens he must take over your Microsoft 365 account, and he is performed nothing that conventional safety consciousness coaching would inform you to do. I simply adopted the standard set of directions.

That’s the defining function of recent cybercrime. It does not pressure its approach in. It sneaks silently into the center of your each day workflow, turning on a regular basis actions into moments when all the pieces goes mistaken.

Why do these assaults proceed to work?

These assaults work due to the habits all of us have developed on-line. Click on the CAPTCHA, settle for the cookie immediate, and press the important thing mixture to proceed with the method. These skilled reflexes are what attackers are relying on.

That is the core mechanism behind the ClickFix assault. Victims are introduced with a pretend immediate to press a sequence of keyboard shortcuts to stick and execute instructions specified by the attacker on their machine. There are not any exploitable vulnerabilities and no conflicts with firewalls. It was only a convincing lie inserted on the proper time.

See also  Google Chrome adds session cookie theft protection for all users

ClickFix proliferated in 2025 and remains to be lively right now, however attackers have already developed the idea into one thing extra subtle.

Determine 1 beneath exhibits a pretend ClickFix-style validation immediate.

Figure 1: In the ClickFix attack, the victim follows a fake verification step that ultimately triggers malicious code on their machine.
Determine 1: Within the ClickFix assault, the sufferer follows a pretend verification step that in the end triggers malicious code on their machine.

Hacker tradecraft is evolving day-after-day, so try Tradecraft Tuesday to study extra!

Be a part of us each month for a more in-depth take a look at the tradecraft of attackers. It has nothing to do with gross sales or merchandise. Join the sequence now or watch earlier episodes. There are not any tips, simply tradecraft.

Register for Tradecraft Tuesdays

New assault variant concentrating on Microsoft 365 classes

The brand new variant, ConsentFix, strikes the assault floor to the Microsoft 365 OAuth consent stream. The sign-in immediate is one thing we have realized to permit customers to simply get previous it with out a lot scrutiny.

The setup appears clear. Phishing lures are sometimes delivered via trusted platforms like Dropbox or DocSend, and are generally behind passwords which can be tough to examine by safety instruments.

As soon as the sufferer clicks via, they’re introduced with a display that appears like an ordinary Microsoft authentication display and requested to tug a localhost callback hyperlink into their browser to finish the method.

See also  Windows 11 KB5095093 update rolls out new point-in-time restore functionality

This drag and drop process is a lure. Reasonably than finishing an innocuous authentication step, the person unknowingly relinquishes the OAuth token, handing session entry to electronic mail and different Microsoft 365 providers to an attacker and not using a password or MFA bypass.

The sufferer didn’t enter any credentials into the pretend kind. They’ve accomplished what seems to be a reputable authentication stream, and the session itself is stolen.

Determine 2 beneath exhibits how ConsentFix turns what appears like a standard Microsoft 365 sign-in step into session theft.

Figure 2: ConsentFix hijacks the Microsoft 365 sign-in flow by turning familiar user actions into stolen session access.
Determine 2: ConsentFix hijacks the Microsoft 365 sign-in stream by turning acquainted person actions into stolen session entry.

Criminals brazenly share blueprints

By early March 2026, detailed ConsentFix tutorials had been posted on public Russian cybercrime boards. This included working code, screenshots of the infrastructure, and a video tutorial exhibiting precisely learn how to construct and deploy the assault.

This infrastructure depends on free or broadly out there providers, and the put up additionally outlined how attackers can use LinkedIn and comparable instruments to map organizations and tailor lures to actual individuals earlier than sending a single phishing message.

What was as soon as a method that required significant technical expertise is now packaged with documentation and step-by-step steerage. Obstacles to entry proceed to fall.

The right way to scale back publicity

Consciousness nonetheless has a job. These assaults depend on customers working acquainted workflows with out pausing. Merely asking why an internet site forces you to press a hotkey or drag an odd hyperlink into your browser typically does not inform you all the pieces.

See also  Trend Micro warns of Apex One zero-day exploit

Nevertheless, these assaults are particularly designed to happen each day, so consciousness alone can not shut the hole. Defenders additionally want detection protection for traces left behind, corresponding to anomalous PowerShell exercise originating from regular person processes or new session logins from surprising areas.

Endpoint and id monitoring can floor these alerts earlier than a momentary lapse in judgment snowballs into an account-wide compromise.

The attacker’s job is to interrupt the traditional workflow on the proper time and let the sufferer do the remainder. Understanding the sample is step one to stopping it.

Tradecraft Tuesday: No merchandise. There isn’t a pitch. Only a hack.

Tradecraft Tuesday offers cybersecurity professionals with in-depth evaluation of the newest menace actors, assault vectors, and mitigation methods. Every weekly session options technical walkthroughs of latest incidents, a complete breakdown of malware traits, and the newest indicators of compromise (IOCs).

What contributors will get:

  • Detailed clarification of latest menace campaigns and ransomware variants
  • Proof-based protection methodologies and remediation strategies
  • Direct interplay with Huntress analysts for incident response insights
  • Entry actionable menace intelligence and detection steerage

Register for Tradecraft Tuesday →

Strengthen your protection posture with real-time intelligence and technical schooling designed particularly for these chargeable for defending your group’s surroundings.

Sponsored and written by Huntress Labs.

TAGGED:
Share This Article
Leave a comment