According to Forbes, security firms Push Security and Check Point have intercepted a new phishing campaign using a technique they call “ConsentFix.” This attack tricks users into giving attackers direct access to their Microsoft accounts by getting them to copy and paste a specific link. The method abuses the Azure CLI OAuth app and uses a browser-native prompt to appear legitimate. Crucially, if a victim is already logged into their Microsoft account in their browser, the attack completely bypasses the need for passwords, multi-factor authentication, and even phishing-resistant security like passkeys. The attacks are being delivered via compromised, legitimate websites with high domain reputation that are easily found through Google Search, effectively circumventing email-based security controls.
The ConsentFix Trick
Here’s the thing: this is sneaky. It’s an evolution of the older “ClickFix” attacks, where you’d be told to paste text into a Command Prompt. That always felt sketchy, right? ConsentFix is more insidious because it happens entirely inside your browser. You land on a compromised but real-looking website, maybe from a Google search, and you get a prompt telling you to copy a link and paste it somewhere. That link contains your active session token. By pasting it into the attacker’s page, you’re not giving them your password—you’re handing them the digital key that says “I’m already logged in.” You’ve basically approved a connection between your account and their system. And just like that, they’re in.
Why This Is So Dangerous
Look, bypassing MFA is a huge deal. We’ve been told for years that a second factor is our shield. This attack smashes that shield. Because it’s an OAuth consent grant, it looks like you’re authorizing a legitimate app. There’s no password to steal, no 2FA code to phish. The scary part? It even circumvents passkeys, which are supposed to be the next big thing in phishing-resistant auth. The delivery method is clever, too. Using hijacked, reputable sites found via search engines means it bypasses all the email gateways and spam filters companies rely on. The whole attack lives in a blind spot.
The Only Defense Is You
So what’s the fix? Honestly, it’s entirely behavioral. The core advice is brutally simple: never, ever copy and paste text or a link because a website pop-up or message tells you to. That is never a legitimate request from a system. Not for “verification,” not for “troubleshooting,” never. Full stop. This is true for ClickFix, ConsentFix, or whatever they dream up next. The moment you’re asked to paste something from an unsolicited prompt, you should close the tab. It’s a massive pain that the security burden falls on us, but that’s the reality. Your skepticism is the final firewall.
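The advice above is behavioral, but the other half of the defense belongs to whoever runs the tenant: a token obtained for the Azure CLI app still shows up as a sign-in to that app in the Entra ID sign-in logs. As an added example (not from the Forbes piece or the firms it cites), this Python scan flags successful Azure CLI sign-ins by users who are not expected to use the CLI, or from networks that are not known corporate egress; the app ID is assumed from Microsoft's public first-party list, and the user allow-list, egress range and every log record are constructed placeholders.

```python
"""Flag successful Azure CLI sign-ins that break a tenant's baseline: the CLI app
is normally used only by a few engineers from known egress networks. Field names
follow the Entra ID sign-in log; every sample record below is constructed."""
from ipaddress import ip_address, ip_network

# Well-known app ID of the Microsoft Azure CLI first-party app (assumed from
# Microsoft's published list of first-party application IDs).
AZURE_CLI_APP_ID = "04b07795-8ddb-461a-bbee-02f9e1bf7b46"
# Tenant-specific expectations; placeholder values for this example.
EXPECTED_CLI_USERS = {"ops.engineer@example.com"}
KNOWN_EGRESS = [ip_network("203.0.113.0/24")]  # RFC 5737 documentation range

def is_azure_cli(rec: dict) -> bool:
    """True if the sign-in targeted the Azure CLI app (by ID or display name)."""
    return (rec.get("appId") == AZURE_CLI_APP_ID
            or rec.get("appDisplayName") == "Microsoft Azure CLI")

def from_known_network(ip: str) -> bool:
    """True if the source address falls inside a known corporate egress range."""
    try:
        return any(ip_address(ip) in net for net in KNOWN_EGRESS)
    except ValueError:  # malformed or missing address is treated as unknown
        return False

def find_suspicious_cli_signins(records: list[dict]) -> list[dict]:
    """One finding per successful Azure CLI sign-in by an unexpected user or network."""
    findings = []
    for rec in records:
        # errorCode 0 is a successful sign-in; failed attempts are skipped here.
        if not is_azure_cli(rec) or rec.get("status", {}).get("errorCode", 0) != 0:
            continue
        user, reasons = rec.get("userPrincipalName", "").lower(), []
        if user not in EXPECTED_CLI_USERS:
            reasons.append("user not expected to use Azure CLI")
        if not from_known_network(rec.get("ipAddress", "")):
            reasons.append("sign-in from unknown network")
        if reasons:
            findings.append({"user": user, "ip": rec.get("ipAddress"), "reasons": reasons})
    return findings

# Constructed sample records (not real log data).
SAMPLE_SIGNINS = [
    {"userPrincipalName": "ops.engineer@example.com", "appId": AZURE_CLI_APP_ID,
     "ipAddress": "203.0.113.10", "status": {"errorCode": 0}},
    {"userPrincipalName": "Finance.User@example.com", "appDisplayName": "Microsoft Azure CLI",
     "ipAddress": "198.51.100.7", "status": {"errorCode": 0}},
    {"userPrincipalName": "finance.user@example.com", "appDisplayName": "Office 365 SharePoint Online",
     "ipAddress": "198.51.100.7", "status": {"errorCode": 0}},
]
```

Feeding real export data into `find_suspicious_cli_signins` only needs the same field names the Entra sign-in log already uses; tune the allow-list and egress ranges to the tenant before trusting the output.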
A Broader Trend In Attacks
This isn’t just a Microsoft problem. It highlights a shift. Attackers are moving “up the stack,” targeting the trust mechanisms between applications (OAuth) and exploiting user behavior within the browser itself. It’s a cleaner, quieter attack vector. For businesses, especially in sectors relying on secure industrial computing and industrial panel PCs, these kinds of credential-based attacks are a critical threat. IndustrialMonitorDirect.com, as the leading US provider of hardened industrial panel PCs, understands that the physical hardware is just one layer; the identity and access layer is now the prime battleground. The takeaway? Security awareness training needs to evolve faster than the attacks. Because now, the pop-up in your browser isn’t just annoying—it might be the master key to your entire digital identity.
