ConsentFix and ClickFix: Rapid Hijacking of Microsoft 365 Accounts

First seen 5 Jul 2026, 00:19 UTC. Sources: BleepingComputer, Oodaloop.

Article Content

Cybercriminals are using two attack methods, ConsentFix and ClickFix, to hijack Microsoft 365 accounts in as little as three seconds. Both exploit users' habitual online behaviours, such as dragging links into a browser or completing an OAuth consent flow without scrutiny. ClickFix uses fake prompts that lead the user to run attacker-supplied commands via keyboard shortcuts, while ConsentFix targets the OAuth consent screen, tricking the user into handing over OAuth tokens. In the ConsentFix case the victim grants the attacker session access to the account without ever entering credentials, so no password is phished and no MFA prompt is triggered. The attacks have surged since 2025, with attackers using free services to host phishing lures and profiling targets before launching. Awareness and training remain critical, because these techniques hijack workflows users already trust.

Key Points:
• ConsentFix and ClickFix attacks can hijack Microsoft 365 accounts in seconds.
• Attackers exploit user habits by inserting fake prompts into normal workflows.
• The techniques have evolved and now require minimal technical skill to execute.

Timeline

2025-01-01: ClickFix technique gains traction
The ClickFix attack method begins to see increased usage, leveraging fake prompts to hijack accounts. (Source: BleepingComputer)

2025-06-01: ConsentFix variant emerges
The ConsentFix attack method is introduced, shifting the focus to OAuth consent flows for account hijacking. (Source: BleepingComputer)

2026-07-02: BleepingComputer article published
An article details the mechanics of the ConsentFix and ClickFix attacks, highlighting their rapid execution. (Source: BleepingComputer)

2026-07-04: Oodaloop article published
Oodaloop publishes a similar article, reiterating the methods and implications of the ConsentFix and ClickFix attacks. (Source: Oodaloop)
