A new phishing technique called ConsentFix has emerged, targeting Microsoft account users by exploiting the Azure CLI OAuth authentication flow. Discovered by Push Security, this attack is a sophisticated evolution of the earlier ClickFix scam, leveraging social engineering to trick victims into providing OAuth 2.0 authorization codes. Attackers compromise legitimate websites that rank highly in Google search results, presenting visitors with a fake Cloudflare CAPTCHA widget that requests a business email address. If the email matches a target list, the victim is guided through a process that mimics legitimate Microsoft login procedures, ultimately leading them to open a real Microsoft URL and then copy and paste back a URL containing the OAuth authorization code.
Unlike previous ClickFix attacks that required users to execute malicious commands on their devices, ConsentFix operates entirely within the browser, making it harder for traditional endpoint security tools to detect. By capturing the authorization code, attackers gain full access to the victim's Microsoft account via the Azure CLI, bypassing both passwords and multi-factor authentication (MFA). This method circumvents email-based anti-phishing controls and highlights the growing sophistication of consent phishing attacks targeting cloud authentication mechanisms.

4 events from the most recent confirmed update back to the earliest known activity.
By early March 2026, a public Russian cybercrime forum had posted a step-by-step ConsentFix playbook including code, screenshots, and a video walkthrough. The publication lowered the barrier for other criminals to replicate the Microsoft OAuth account hijacking technique.
Following disclosure of ConsentFix, defenders were urged to watch for unusual Azure CLI login activity and use of legacy Microsoft Graph scopes as possible indicators of compromise. This guidance was published alongside the initial reporting on the attack.
On publication of the research, details emerged showing victims are lured to compromised websites, asked for a business email, guided through a legitimate-looking Azure CLI OAuth flow, and then tricked into pasting back a URL containing the authorization code. The reporting also noted the campaign is highly targeted, filters out non-targets, and triggers only once per victim IP.
Researchers at Push Security identified a new phishing variant dubbed ConsentFix that abuses the Azure CLI OAuth application to take over Microsoft accounts without stealing passwords or bypassing MFA directly. The attack relies on social engineering to obtain an OAuth 2.0 authorization code from the victim.
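The detection guidance in the timeline above (unusual Azure CLI login activity, use of legacy Graph scopes) can be turned into a simple triage pass over sign-in logs. The following is an added example, not code from Push Security or the original reporting. The log records are constructed, the field names follow the Entra ID sign-in log schema, and reading "legacy Graph" as the Azure AD Graph resource is an assumption because the page names no scopes.

```python
import json

AZURE_CLI_APP_ID = "04b07795-8ddb-461a-bbee-02f9e1bf7b46"  # Microsoft Azure CLI first-party app
# Assumption: "legacy Graph" is read as Azure AD Graph; the page does not list the scopes.
LEGACY_RESOURCE_IDS = {"00000002-0000-0000-c000-000000000000"}
ARM = "797f4846-ba00-4fd7-ba43-dac1f8f63013"  # Azure Resource Manager, normal CLI target

# Constructed sample sign-in records (one JSON object per line).
SAMPLE_LOG = """
{"createdDateTime":"2026-01-05T09:12:00Z","userPrincipalName":"devops@example.com","appId":"04b07795-8ddb-461a-bbee-02f9e1bf7b46","resourceId":"797f4846-ba00-4fd7-ba43-dac1f8f63013"}
{"createdDateTime":"2026-01-06T10:00:00Z","userPrincipalName":"alice@example.com","appId":"11111111-1111-1111-1111-111111111111","resourceId":"00000003-0000-0000-c000-000000000000"}
{"createdDateTime":"2026-02-10T09:30:00Z","userPrincipalName":"devops@example.com","appId":"04b07795-8ddb-461a-bbee-02f9e1bf7b46","resourceId":"797f4846-ba00-4fd7-ba43-dac1f8f63013"}
{"createdDateTime":"2026-02-11T14:03:00Z","userPrincipalName":"Alice@example.com","appId":"04b07795-8ddb-461a-bbee-02f9e1bf7b46","resourceId":"00000002-0000-0000-c000-000000000000"}
{"createdDateTime":"2026-02-12T08:00:00Z","userPrincipalName":"devops@example.com","appId":"04b07795-8ddb-461a-bbee-02f9e1bf7b46","resourceId":"00000002-0000-0000-c000-000000000000"}
"""

def find_suspicious_cli_signins(lines, baseline_end):
    """Return (upn, timestamp, reasons) for Azure CLI sign-ins after baseline_end.

    Sign-ins up to baseline_end build the set of users who normally use the
    Azure CLI; later CLI sign-ins are flagged when the user is new to the CLI
    or the token was requested for a legacy Graph resource.
    """
    events = sorted((json.loads(l) for l in lines if l.strip()),
                    key=lambda e: e["createdDateTime"])  # same-format UTC strings sort correctly
    known_cli_users, alerts = set(), []
    for e in events:
        if e["appId"] != AZURE_CLI_APP_ID:
            continue  # only the Azure CLI client is relevant to ConsentFix
        upn = e["userPrincipalName"].lower()
        if e["createdDateTime"] <= baseline_end:
            known_cli_users.add(upn)
            continue
        reasons = []
        if upn not in known_cli_users:
            reasons.append("first Azure CLI sign-in for user")
        if e["resourceId"] in LEGACY_RESOURCE_IDS:
            reasons.append("legacy Graph resource requested")
        if reasons:
            alerts.append((upn, e["createdDateTime"], reasons))
    return alerts

def run_sample():
    return find_suspicious_cli_signins(SAMPLE_LOG.splitlines(), "2026-01-31T23:59:59Z")

if __name__ == "__main__":
    for upn, ts, reasons in run_sample():
        print(ts, upn, "; ".join(reasons))
```

Administrators and developers who routinely use the Azure CLI will appear in the baseline, so the first-use signal is most useful for accounts that have no operational reason to run it.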