ConsentFix and ClickFix: How Microsoft 365 Accounts Are Hijacked in 3 Seconds

It can begin with anything as simple as clicking a "Sign in" button or dragging a link into your browser. A threat actor can take control of your Microsoft 365 account in three seconds without ever needing your password or getting beyond multi-factor authentication (MFA). Welcome to the world of the most recent advancement in social engineering attacks, ConsentFix and ClickFix.
What Are ClickFix and ConsentFix?
A ClickFix attack is a social engineering tactic that deceives people into executing commands on their computers in order to steal data or install malware. Fake instructions that pretend to correct a mistake or confirm your humanity are frequently used in these attacks. ConsentFix is a dangerous new variation discovered by cybersecurity firm Push Security. Microsoft accounts rather than deceiving you into executing harmful instructions. The Azure account authorization authorization authorization authorization authorization authorization code.
How the ConsentFix Attack Works
When you visit a hacked, trustworthy website that appears highly in Google search results, the attack starts. You're shown a bogus Cloudflare Turnstile CAPTCHA widget that asks for your business email address. You are instructed to click a "Sign in" button if you are on the attacker's target list.
This creates a new tab with an authentic Microsoft Azure login page. You only choose your Microsoft account if you are already logged in; neither a password nor MFA are needed. After that, Microsoft takes you to a localhost site whose URL includes an Azure CLI OAuth authorization code associated with your account.
The phishing process completes when you paste that URL into the malicious page, as instructed. In that moment, you've granted the attacker access to your Microsoft account via Azure CLI. "At this point, the attacker has effective control of the victim's Microsoft account, but without ever needing to phish a password or pass an MFA check," Push Security explains.
The Evolution: ConsentFix v3
Attackers have already refined the tactic. ConsentFix v3 automates the entire process, making it more scalable and dangerous. After using legitimate tenant IDs to confirm Azure presence, it collects personnel information for impersonation. Outlook services and support.
The assault employs Pipedream, a free serverless integration platform, as the automation engine that instantaneously exchanges stolen authorization numbers for refresh tokens. In order to get beyond spam filters, phishing emails are extensively customized and contain dangerous URLs hidden into PDFs uploaded on DocSend. Attackers can access email, files, and other services linked to the compromised account by importing the stolen tokens into Specter Portal.
How to Protect Your Organization
These attacks exploit trust in legitimate Microsoft authentication flows. Traditional security awareness training often fails to flag them because the victim is interacting with real Microsoft pages.
What you can do:
- Monitor for unusual Azure CLI login activity, such as logins from new IP addresses.
- Look for legacy Graph scopes, which attackers intentionally leverage to evade detection.
- Educate your team about legitimate-looking OAuth consent screens and the dangers of pasting localhost URLs into untrusted pages.
- Review conditional access policies to restrict OAuth app consent and Azure CLI usage to authorized devices and locations.
How Bayon Technologies Group Can Help
At Bayon Technologies Group, we assist businesses in guarding off complex identity-based threats such as ConsentFix. Among the services we offer are:
- Identity Threat Assessments: We look for weaknesses in OAuth flows and conditional access controls in your Azure and Microsoft 365 settings.
- Advanced Security Awareness Training: We teach your team to recognize and resist OAuth phishing and social engineering techniques.
- Constant Monitoring: We implement systems to instantly identify anomalous Azure CLI login activity and token misuse.
- Conditional Access Hardening: We assist you in putting restrictions in place that limit the use of Azure CLI and prevent dangerous OAuth consent requests.
Don't let a three-second hijack compromise your organization. Contact Bayon Technologies Group today to secure your Microsoft 365 and Azure environments.
‹ Back


