A new phishing technique called ConsentFix has emerged, targeting Microsoft Entra ID by abusing legitimate OAuth 2.0 authorization flows. Attackers craft malicious login URLs and use social engineering tactics—such as fake CAPTCHAs or error messages—to trick users into providing OAuth authorization codes. These codes are then exchanged for access and refresh tokens, granting attackers programmatic access to Microsoft accounts and cloud resources, all without stealing credentials or triggering multi-factor authentication (MFA) prompts. The attack is an evolution of previous consent phishing and ClickFix-style methods, with recent variants making the process even easier for victims through drag-and-drop functionality.
ConsentFix is particularly dangerous because it bypasses Conditional Access policies and device compliance requirements, undermining otherwise robust security frameworks. Detection and response require visibility into identity, SaaS, and cloud activity, as traditional prevention mechanisms are ineffective. Security teams are advised to monitor Azure sign-in logs for unusual authentication events and to educate users about the risks of interacting with suspicious login flows or error messages that request manual actions like copying and pasting URLs. The attack highlights the ongoing evolution of phishing tactics targeting cloud authentication systems and the need for advanced monitoring and user awareness.

Mitiga published a technical blog explaining how ConsentFix uses token- and authorization code-based phishing against Microsoft Entra ID to bypass MFA and Conditional Access protections. The publication further elevated awareness of the attack and its mechanics.
Researchers published guidance for detecting ConsentFix in Azure sign-in logs by correlating an interactive victim sign-in with a non-interactive attacker sign-in sharing session identifiers within a short time window. They also advised defenders to compare IP addresses and correlate SessionIDs, ApplicationIDs, and UserIDs while accounting for legitimate automation scenarios.
Security researchers documented a new OAuth-based attack dubbed ConsentFix that targets Microsoft Entra by abusing legitimate authentication flows to steal authorization codes. The technique was described as an evolution of ClickFix and was said to target Microsoft applications including Azure CLI and Azure Resource Manager.