logo

ConsentFix and ClickFix: How Microsoft 365 Accounts are Hijacked in 3 Seconds

ID: e59c554e-a9ad-55b5-a3a0-2b0a33dcec47

STIX ID: report--e59c554e-a9ad-55b5-a3a0-2b0a33dcec47

Feed Name: Bleeping Computer

Threat Score
75/100

Date Published: 2026-07-02

Date Updated: 2026-07-02

Author: Sponsored by Huntress Labs

...
...

This Huntress Labs Tradecraft Tuesday briefing describes ClickFix-style social-engineering attacks and a newer ConsentFix variant that hijacks Microsoft 365 OAuth consent flows by tricking users into dragging local callback links or executing pasted commands, resulting in token/session theft and account takeover; the technique surged in 2025, has working code published on a Russian cybercrime forum, and defenders are advised to combine user awareness with endpoint and identity monitoring to detect unusual PowerShell activity and anomalous session logins.

Your team is not currently subscribed to this feed. You must subscribe to it in order to see this post.