Information Security News

ConsentFix Attack: New Phishing Bypasses MFA to Hijack Microsoft Accounts via OAuth Code

by ddos · December 15, 2025

A new technique dubbed “ConsentFix” expands upon the already known ClickFix social engineering attack, enabling the hijacking of Microsoft accounts without passwords or multi-factor authentication. To achieve this, attackers exploit the legitimate Azure CLI application and nuances of OAuth authorization, effectively turning a standard sign-in flow into an account takeover mechanism.

ClickFix relies on presenting users with pseudo-system instructions that prompt them to run commands or complete seemingly benign steps, ostensibly to resolve an error or verify their “humanity.” The ConsentFix variant, documented by the Push Security team, preserves the overall deception but abandons malware installation in favor of stealing an OAuth 2.0 authorization code, which is then used to obtain an Azure CLI access token.

The attack begins when a victim lands on a compromised yet legitimate website that ranks well in Google search results for relevant queries. The page displays a fake Cloudflare Turnstile widget requesting a work email address. The attackers’ script validates the submitted address against a precompiled target list and filters out bots, analysts, and incidental visitors. Only selected victims are presented with the next stage, styled to resemble a typical ClickFix workflow with ostensibly harmless verification steps.

Victims are instructed to click a sign-in button, which opens a genuine Microsoft domain in a separate tab. However, instead of the standard login page, they are shown an Azure authorization screen that generates an OAuth code specifically for Azure CLI. If an active Microsoft session exists, the user merely selects their account; otherwise, a normal login via the legitimate form occurs.

After successful authentication, the browser is redirected to localhost, and the address bar displays a URL containing the Azure CLI authorization code tied to the account. The final act of deception involves instructing the victim to paste this URL back into the malicious page. At that moment, the attacker can exchange the code for an access token and control the account via Azure CLI—without ever knowing the password or triggering multi-factor authentication. If a session is already active, no explicit login is required at all. To reduce the risk of exposure, the scenario is executed only once per IP address.

Push Security advises defensive teams to monitor anomalous Azure CLI activity, including logins from unfamiliar IP addresses, and to scrutinize the use of legacy Graph permissions, which this technique leverages to evade standard detection controls.
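The monitoring advice above can be sketched as a baseline comparison over Entra ID sign-in records. This is an added example, not code from Push Security or the article; the sample records, users, the non-CLI `appId`/`resourceId` values and the baseline cutoff are constructed, and reading "legacy Graph" as the Azure AD Graph resource is an assumption.

```python
import json
from collections import defaultdict

AZURE_CLI_APP_ID = "04b07795-8ddb-461a-bbee-02f9e1bf7b46"  # Microsoft Azure CLI client ID
# Assumption: "legacy Graph" is read here as the Azure AD Graph resource.
LEGACY_GRAPH_RESOURCE_ID = "00000002-0000-0000-c000-000000000000"

# Constructed sign-in records (documentation IP ranges, made-up users and resources).
SAMPLE_SIGNINS = """\
{"createdDateTime":"2025-12-01T08:00:00Z","userPrincipalName":"dev@example.com","appId":"04b07795-8ddb-461a-bbee-02f9e1bf7b46","ipAddress":"198.51.100.10","resourceId":"constructed-resource","status":{"errorCode":0}}
{"createdDateTime":"2025-12-01T08:30:00Z","userPrincipalName":"finance@example.com","appId":"constructed-office-app","ipAddress":"203.0.113.5","resourceId":"constructed-resource","status":{"errorCode":0}}
{"createdDateTime":"2025-12-10T09:00:00Z","userPrincipalName":"dev@example.com","appId":"04b07795-8ddb-461a-bbee-02f9e1bf7b46","ipAddress":"198.51.100.10","resourceId":"constructed-resource","status":{"errorCode":0}}
{"createdDateTime":"2025-12-10T10:00:00Z","userPrincipalName":"finance@example.com","appId":"04b07795-8ddb-461a-bbee-02f9e1bf7b46","ipAddress":"192.0.2.77","resourceId":"00000002-0000-0000-c000-000000000000","status":{"errorCode":0}}
{"createdDateTime":"2025-12-10T10:05:00Z","userPrincipalName":"dev@example.com","appId":"04b07795-8ddb-461a-bbee-02f9e1bf7b46","ipAddress":"192.0.2.99","resourceId":"constructed-resource","status":{"errorCode":50126}}
{"createdDateTime":"2025-12-10T11:00:00Z","userPrincipalName":"dev@example.com","appId":"04b07795-8ddb-461a-bbee-02f9e1bf7b46","ipAddress":"192.0.2.50","resourceId":"constructed-resource","status":{"errorCode":0}}
"""

def find_suspicious_cli_signins(lines, baseline_end):
    """Flag successful Azure CLI sign-ins that deviate from a per-user baseline.

    Records before baseline_end build the baseline; later records are only
    evaluated, so a flagged IP never becomes "familiar" by being seen once.
    """
    known_ips = defaultdict(set)  # user -> IPs seen on successful baseline sign-ins
    cli_users = set()             # users who used Azure CLI during the baseline
    alerts = []
    events = sorted((json.loads(l) for l in lines if l.strip()),
                    key=lambda e: e["createdDateTime"])
    for e in events:
        if e["status"]["errorCode"] != 0:
            continue  # failed sign-ins issue no tokens
        user, ip = e["userPrincipalName"], e["ipAddress"]
        is_cli = e["appId"] == AZURE_CLI_APP_ID
        # Same-format ISO 8601 UTC timestamps compare correctly as strings.
        if e["createdDateTime"] < baseline_end:
            known_ips[user].add(ip)
            if is_cli:
                cli_users.add(user)
            continue
        if not is_cli:
            continue
        reasons = []
        if ip not in known_ips[user]:
            reasons.append("unfamiliar_ip")
        if user not in cli_users:
            reasons.append("first_cli_use")
        if e.get("resourceId") == LEGACY_GRAPH_RESOURCE_ID:
            reasons.append("legacy_graph_resource")
        if reasons:
            alerts.append({"user": user, "ip": ip,
                           "time": e["createdDateTime"], "reasons": reasons})
    return alerts
```

On the constructed data, `find_suspicious_cli_signins(SAMPLE_SIGNINS.splitlines(), "2025-12-05T00:00:00Z")` flags the finance user's first-ever Azure CLI sign-in and the developer's CLI sign-in from a new address, while the developer's routine use stays quiet.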


Tags: Azure CLI, ClickFix, cloud security, ConsentFix, MFA Bypass, Microsoft Account Takeover, OAuth 2.0, phishing, Social Engineering
