A phishing technique that quietly hands attackers full control of a Microsoft 365 account, without ever stealing a password or tripping multi-factor authentication, has gone from bespoke trick to off-the-shelf product. Researchers at Huntress say the method, which they call ConsentFix, is now documented step by step on a Russian cybercrime forum, complete with working code, infrastructure screenshots, and a video walkthrough showing other criminals exactly how to run it.
How the attack works
ConsentFix is the latest mutation of ClickFix, the social engineering trick that exploded across 2025 by telling victims to press a few keys or "fix" a fake error, only to run attacker-supplied commands themselves. Instead of a command, ConsentFix abuses the Microsoft 365 sign-in and OAuth consent screens that office workers click through every day. The lure often arrives via a trusted file-sharing service like Dropbox or DocSend, sometimes password-protected so security tools cannot inspect it. The victim sees what looks like a normal Microsoft login and is told to finish the process by dragging a localhost callback link into the browser bar. That drag is the trap: it quietly hands over the OAuth tokens that grant access to the victim's email, OneDrive, and Teams, with no password or MFA prompt required.
It is the same end goal as other recent kits that break into Microsoft 365 accounts without stealing passwords, and it sits in the same ClickFix family as the campaign that turned hundreds of legitimate websites into malware delivery nodes. Once the tokens are captured, the attacker rides the victim's own authenticated session, the same outcome as phishing that hijacks browser sessions to bypass MFA.
Why this matters
The real story, Huntress says, is how easy the attack has become to copy. The forum post turns ConsentFix into a paint-by-numbers kit built on free or widely available services, including Cloudflare Pages, workers.dev, Pipedream webhooks, Dropbox, and DocSend, so there is little infrastructure to buy and little for defenders to block. The same tutorial walks attackers through profiling victims first, using LinkedIn employer pages, ZoomInfo, and Hunter.io to map targets and tailor lures around real companies and real colleagues. As Huntress puts it, cybercrime keeps getting packaged into something easier to learn, launch, and scale, with screenshots and tooling delivered by criminals acting like influencers.
What you should do
Awareness is the first line of defence: a legitimate sign-in flow should never ask a user to press odd key combinations or drag a link into the address bar, and pausing at that moment breaks the whole attack. Because these flows are designed to blend in, defenders also need visibility into what they leave behind, such as suspicious PowerShell spawning from normal user processes and new session activity from unusual locations. On the identity side, review and restrict which OAuth apps users can consent to, alert on new token grants, and watch for sign-ins from unexpected geographies. Huntress published the original analysis with more detail on the tradecraft.
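One way to act on the "alert on new token grants" advice above, as an added example that is not Huntress's or IntelFusions' code: it sweeps a JSON-lines export of consent audit events and flags grants to unreviewed apps that ask for mailbox or file scopes or a refresh token. The record shape, the high-risk scope list and the approved-app IDs are assumptions modelled loosely on Entra ID audit entries, and the sample records are constructed.

```python
import json

# Illustrative high-risk delegated permissions; an assumption, not an official list.
HIGH_RISK_SCOPES = {"Mail.Read", "Mail.ReadWrite", "Files.Read.All",
                    "Files.ReadWrite.All", "Chat.Read"}
# App IDs the tenant has already reviewed (constructed placeholders, not real IDs).
APPROVED_APP_IDS = {"approved-app-0001"}

def risk_reasons(record):
    """Return the reasons one audit record deserves review; empty means benign."""
    if record.get("operation") != "Consent to application":
        return []  # sign-ins and other operations are out of scope here
    reasons = []
    scopes = set(record.get("scopes", "").split())
    if record.get("app_id") not in APPROVED_APP_IDS:
        reasons.append("app not on approved list")
    risky = sorted(scopes & HIGH_RISK_SCOPES)
    if risky:
        reasons.append("high-risk scopes: " + ", ".join(risky))
    if "offline_access" in scopes:  # refresh token outlives the lure page
        reasons.append("offline_access grants a refresh token")
    if reasons and not record.get("admin_consent", False):
        reasons.append("granted by an end user, not an admin")
    return reasons

def flag_consents(log_lines):
    """Scan a JSON-lines export and return one finding per risky consent."""
    findings = []
    for line in log_lines:
        line = line.strip()
        if not line:
            continue
        try:
            record = json.loads(line)
        except json.JSONDecodeError:
            continue  # keep sweeping rather than abort on a malformed line
        reasons = risk_reasons(record)
        if reasons:
            findings.append({"time": record.get("time"), "user": record.get("user"),
                             "app": record.get("app_name"), "reasons": reasons})
    return findings

# Constructed sample export: one approved consent, one sign-in, one suspicious grant.
SAMPLE_LOG = """
{"time": "2025-11-03T09:12:00Z", "operation": "Consent to application", "user": "bob@example.com", "app_id": "approved-app-0001", "app_name": "HR Portal", "scopes": "User.Read", "admin_consent": true}
{"time": "2025-11-03T09:14:00Z", "operation": "UserLoggedIn", "user": "alice@example.com"}
{"time": "2025-11-03T09:15:30Z", "operation": "Consent to application", "user": "alice@example.com", "app_id": "unknown-app-7f3a", "app_name": "Document Viewer", "scopes": "Mail.Read Files.ReadWrite.All offline_access", "admin_consent": false}
"""
```

Running `flag_consents(SAMPLE_LOG.splitlines())` returns only the second consent, with every reason listed, which is the record an analyst would want to correlate with the sign-in location checks above.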
This briefing is provided by IntelFusions for informational and defensive purposes only. It is based on sources assessed to be reliable at the time of writing, and analytic judgments carry the confidence levels indicated. Indicators of compromise are defanged; re-arm them only in controlled environments. IntelFusions is not affiliated with the organizations named and makes no warranty as to completeness or accuracy.