15 December 2025
A new variation of the ClickFix scam tries to get around phishing defenses by capturing an employee’s OAuth authentication token for Microsoft logins (ConsentFix vulnerability)
Researchers at Push Security this week outlined the tactic, which they call ConsentFix, in a blog, calling it “a dangerous evolution of ClickFix and consent phishing that is incredibly hard for traditional security tools to detect and block.”
Generally, ClickFix attacks show the user a fake error or a counterfeit CAPTCHA check to get them to copy, paste and run malicious commands on their own device.
What is new in a ConsentFix attack, say the researchers, is that the whole attack happens inside the browser, which removes one of the key detection opportunities because the attack never touches the endpoint.
How the attack works
The attack begins when a victim, searching on Google, lands on a legitimate but compromised website, which completely bypasses email-based anti-phishing controls. Visiting the site triggers a fake Cloudflare-style CAPTCHA page that asks the victim to enter their business email address to prove they are human. Doing so opens a genuine Microsoft login page whose URL, derived from the victim's email address, would contain an OAuth token. The victim is then asked to copy that URL and paste it into a field on the page, again to verify they are human. The pasted URL is captured by the threat actor, and at that point the victim has granted the attacker access to their Microsoft account via the Azure command line interface (Azure CLI), say the researchers.
“At this point, the attacker has effective control of the victim’s Microsoft account, but without ever needing to phish a password, or pass an MFA (multifactor authentication) check,” says Push Security. “In fact, if the user was already logged in to their Microsoft account (i.e. they had an active session) no login is required at all.”
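The flow described above hinges on the victim pasting a sign-in redirect URL, which carries the OAuth authorization code or token, into a web form on the attacker's page. As an added example (not from Push Security's post or any product), the Python snippet below shows the check a browser-side paste monitor or DLP rule could apply: flag any pasted text that is a URL carrying OAuth code/token parameters in its query string or fragment. The parameter names and the sample paste events are constructed assumptions.

```python
from urllib.parse import urlparse, parse_qs

# Assumed parameter names that carry an OAuth authorization code or token in a
# redirect URL. The authorization-code flow returns ?code=... in the query
# string; implicit/hybrid flows return tokens in the #fragment.
SENSITIVE_PARAMS = {"code", "access_token", "id_token", "refresh_token"}


def oauth_secrets_in_url(text: str) -> set[str]:
    """Return the OAuth code/token parameter names present in ``text`` when it
    is a URL, checking both the query string and the fragment. Only parameter
    names are matched, so ``response_type=code`` on an authorize URL is not
    a hit; a redirect carrying ``code=<value>`` is."""
    parsed = urlparse(text.strip())
    found: set[str] = set()
    for part in (parsed.query, parsed.fragment):
        for name in parse_qs(part, keep_blank_values=True):
            if name.lower() in SENSITIVE_PARAMS:
                found.add(name.lower())
    return found


# Constructed sample paste events: which page received the paste and what was
# pasted. A sign-in redirect URL is consumed by the browser/CLI automatically;
# a human should never need to paste one into a web form, so any such paste
# is worth an alert regardless of the receiving page.
SAMPLE_PASTE_EVENTS = [
    {"page": "https://compromised-site.example/verify",
     "text": "http://localhost:8400/?code=0.CONSTRUCTED_CODE&state=abc"},
    {"page": "https://intranet.example/notes",
     "text": "https://learn.microsoft.com/en-us/azure/"},
    {"page": "https://compromised-site.example/verify",
     "text": "https://portal.example/#access_token=eyJCONSTRUCTED&token_type=Bearer"},
]


def flag_paste_events(events: list[dict]) -> list[dict]:
    """Return one finding per paste event whose text is a URL carrying OAuth
    code/token parameters, naming the receiving page and the parameters seen."""
    findings = []
    for event in events:
        secrets = oauth_secrets_in_url(event["text"])
        if secrets:
            findings.append({"page": urlparse(event["page"]).netloc,
                             "params": sorted(secrets)})
    return findings
```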