ConsentFix: The Evolving Threat Hijacking Microsoft 365 Sessions Through Deceptive Flows
A new attack variant, **ConsentFix**, is leveraging familiar user workflows to compromise **Microsoft 365** accounts. Building on the **ClickFix** technique, **ConsentFix** tricks users into unknowingly surrendering OAuth tokens, bypassing traditional security measures and granting attackers full session access.
It can start with something as mundane as dragging a link into your browser. Three seconds later, a threat actor has the tokens needed to take over your **Microsoft 365** account, and you never did anything that traditional security awareness training would flag. You just followed what looked like a normal set of instructions.
That's the defining characteristic of modern cybercrime: it doesn't force its way in. It steps quietly into the middle of an everyday workflow and turns a routine action into the moment everything goes wrong.
## Why These Attacks Keep Working
These attacks work because of habits we've all built up online. Clicking through CAPTCHAs, accepting cookie prompts, pressing a key combination to move a process along. That trained reflexiveness is exactly what attackers are counting on.
It's the core mechanic behind **ClickFix** attacks. Victims are shown a fake prompt instructing them to press a sequence of keyboard shortcuts, which pastes and executes attacker-supplied commands on their own machine. There's no vulnerability to exploit and no firewall confrontation. Just a convincing lie inserted at the right moment.
**ClickFix** surged in 2025 and remains active, but attackers have already evolved the concept into something more sophisticated.
Figure 1 below shows the **ClickFix**-style fake verification prompt.

## A New Attack Variant Targeting Microsoft 365 Sessions
The newer variant, **ConsentFix**, shifts the attack surface to **Microsoft 365**'s OAuth consent flows, the sign-in prompts that users have learned to breeze through without much scrutiny.
The setup is deceptively clean. A phishing lure arrives, often delivered through trusted platforms like **Dropbox** or **DocSend**, sometimes behind a password that also makes it harder for security tooling to inspect.
The victim clicks through, encounters what looks like a standard **Microsoft** authentication screen, and is asked to complete the process by dragging a localhost callback link into the browser.
That drag-and-drop step is the trap. Rather than finishing a harmless authentication step, the user unknowingly surrenders OAuth tokens, handing the attacker session access to email and other **Microsoft 365** services without the attacker ever needing the password or an MFA bypass.
The victim isn't typing credentials into a fake form. They're completing what appears to be a legitimate authentication flow, and the session itself is what gets stolen.
Figure 2 below shows how **ConsentFix** turns what looks like a normal **Microsoft 365** sign-in step into session theft.

## Criminals Are Sharing the Blueprint Openly
By early March 2026, a detailed walkthrough of **ConsentFix** had been posted to a public Russian cybercrime forum. It included working code, infrastructure screenshots, and a video tutorial showing exactly how to build and deploy the attack.
The infrastructure leaned on free or widely available services, and the post also outlined how attackers profile targets before sending a single phishing message, using **LinkedIn** and similar tools to map organizations and tailor lures to real people.
What was once a technique requiring meaningful technical skill now comes packaged with documentation and step-by-step guidance. The barrier to entry keeps dropping.
## How to Reduce Your Exposure
Awareness still has a role. These attacks depend on people moving through familiar workflows without pausing. Asking why a website wants you to press hotkeys or drag a strange link into a browser is often enough to short-circuit the whole thing.
But awareness alone won't close the gap, because these attacks are specifically engineered to look routine. Defenders also need detection coverage for the traces they leave behind: unusual PowerShell activity originating from normal user processes, or new session logins from unexpected locations.
Endpoint and identity monitoring can surface those signals before a brief lapse in judgment snowballs into a full account compromise.
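The two traces named above, a sign-in from a country the user has never used and PowerShell spawned by a user-facing process, are simple enough to check for directly. The following is an added illustration, not code from the original post or from any vendor; the log field names and the sample records are constructed assumptions, not a real product's schema.

```python
from collections import defaultdict

# Constructed sign-in records, oldest first (field names are assumptions,
# not any product's real schema).
SIGNINS = [
    {"ts": 1, "user": "alice", "country": "US", "app": "Outlook"},
    {"ts": 2, "user": "alice", "country": "US", "app": "Teams"},
    {"ts": 3, "user": "alice", "country": "NL", "app": "Outlook"},   # new country
    {"ts": 1, "user": "bob",   "country": "DE", "app": "Outlook"},
    {"ts": 2, "user": "carol", "country": "FR", "app": "Outlook"},   # first ever: no baseline
]

# Constructed process-creation records (field names are assumptions).
PROCS = [
    {"host": "ws01", "parent": "explorer.exe", "image": "powershell.exe",
     "cmd": "powershell -w hidden -enc AAAA"},          # Run-dialog launch, hidden + encoded
    {"host": "ws02", "parent": "msedge.exe",   "image": "powershell.exe",
     "cmd": "powershell -c iwr http://example.invalid"},
    {"host": "ws03", "parent": "cmd.exe",      "image": "powershell.exe",
     "cmd": "powershell -File deploy.ps1"},             # admin scripting, not flagged
]

# Parents that normally host a person, not a script: a shell spawned from
# here is what "originating from normal user processes" looks like.
USER_FACING = {"explorer.exe", "msedge.exe", "chrome.exe", "firefox.exe", "outlook.exe"}
RISKY_ARGS = ("-enc", "-w hidden", "-windowstyle hidden", "iwr ", "invoke-webrequest")

def new_location_signins(events):
    """Flag a sign-in whose country is absent from the user's earlier sign-ins."""
    seen, flagged = defaultdict(set), []
    for e in sorted(events, key=lambda e: e["ts"]):
        baseline = seen[e["user"]]
        if baseline and e["country"] not in baseline:
            flagged.append({**e, "reason": f"first sign-in from {e['country']}"})
        baseline.add(e["country"])
    return flagged

def suspicious_powershell(events):
    """Flag PowerShell launched by a user-facing parent; note risky arguments."""
    flagged = []
    for e in events:
        if e["image"].lower() != "powershell.exe" or e["parent"].lower() not in USER_FACING:
            continue
        cmd = e["cmd"].lower()
        hits = [a for a in RISKY_ARGS if a in cmd]
        flagged.append({**e, "reason": f"parent {e['parent']}", "risky_args": hits})
    return flagged

if __name__ == "__main__":
    for alert in new_location_signins(SIGNINS) + suspicious_powershell(PROCS):
        print(alert)
```

A user's very first sign-in has no baseline and is deliberately not flagged; in practice the baseline would come from weeks of history rather than a handful of records.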
The attacker's job is to interrupt a normal workflow at exactly the right moment and let the victim do the rest. Understanding that pattern is the first step toward stopping it.