// NEXUSVOID CYBER NEWS

Notable

Microsoft 365, OAuth, ConsentFix, ClickFix, MFA bypass, phishing, identity

ConsentFix and ClickFix: Microsoft 365 Accounts Hijacked in Seconds via OAuth Abuse

New ConsentFix and ClickFix attacks steal Microsoft 365 session tokens in seconds using fake prompts and malicious OAuth consent flows — bypassing MFA entirely, because they steal the token that comes after authentication.

What happened. Two related techniques — ConsentFix and ClickFix — are being used to hijack Microsoft 365 accounts in seconds. They combine fake prompts (ClickFix's socially-engineered “paste this to fix the problem” pattern) with malicious OAuth consent flows (ConsentFix) to capture M365 session tokens. Because they steal the token issued after login, they sail straight past multi-factor authentication.

Who's affected. Any organization on Microsoft 365 — which is to say, most. The attack targets users, not a software flaw, so no patch closes it; the defense is configuration and awareness.

What to do now. Restrict third-party OAuth app consent to admin approval so users can't grant access to malicious apps. Enforce conditional access and token-binding policies, and educate staff that no legitimate fix ever asks them to paste a command or approve an unexpected app-permission prompt. Audit existing OAuth grants for anything unfamiliar.
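As an added example, not code from this briefing or from BleepingComputer, the following Microsoft Graph PowerShell script covers the two checks above in one pass: whether users can still self-consent to apps, and which third-party apps already hold user-granted scopes that would keep a mailbox or files reachable after the stolen session ends. It assumes the Microsoft Graph PowerShell SDK is installed, an account with Policy.Read.All and Directory.Read.All, and a constructed watchlist of scopes that you should adjust to your tenant.

```powershell
# Added audit example (not from the briefing). Assumes the Microsoft Graph
# PowerShell SDK and a reader role able to read policies and directory objects.
Connect-MgGraph -Scopes "Policy.Read.All","Directory.Read.All"
$tenantId = (Get-MgContext).TenantId

# 1. Consent posture: no ManagePermissionGrantsForSelf policy assigned to the
#    default user role means users cannot self-consent; admin approval is needed.
$policy = Get-MgPolicyAuthorizationPolicy
$selfConsent = $policy.DefaultUserRolePermissions.PermissionGrantPoliciesAssigned |
    Where-Object { $_ -like 'ManagePermissionGrantsForSelf*' }
if ($selfConsent) {
    Write-Warning "Users can still self-consent to apps via: $($selfConsent -join ', ')"
} else {
    Write-Host "User self-consent is disabled; app grants require admin consent."
}

# 2. Grant inventory: delegated scopes that outlive an interactive session.
#    Constructed watchlist; extend it with whatever matters in your tenant.
$riskyScopes = 'offline_access','Mail.Read','Mail.ReadWrite','Mail.Send',
               'Files.Read.All','Files.ReadWrite.All','MailboxSettings.ReadWrite'
$spCache = @{}
$findings = foreach ($grant in Get-MgOauth2PermissionGrant -All) {
    if (-not $spCache.ContainsKey($grant.ClientId)) {
        $spCache[$grant.ClientId] = Get-MgServicePrincipal -ServicePrincipalId $grant.ClientId
    }
    $sp = $spCache[$grant.ClientId]
    # Third-party here means the app registration lives in a different tenant.
    $external = $sp.AppOwnerOrganizationId -and ($sp.AppOwnerOrganizationId -ne $tenantId)
    $scopes = $grant.Scope -split ' ' | Where-Object { $_ }
    $hits = $scopes | Where-Object { $riskyScopes -contains $_ }
    if ($external -and $hits) {
        [pscustomobject]@{
            App         = $sp.DisplayName
            Publisher   = $sp.VerifiedPublisher.DisplayName   # empty = unverified
            ConsentType = $grant.ConsentType   # 'Principal' = one user consented
            PrincipalId = $grant.PrincipalId
            RiskyScopes = ($hits -join ' ')
        }
    }
}
$findings | Sort-Object ConsentType, App | Format-Table -AutoSize
```

Rows with ConsentType 'Principal', an empty Publisher and offline_access are the grants to review first, since that combination is exactly what a consent lure produces; revoke anything unrecognised with Remove-MgOauth2PermissionGrant after confirming it with the user.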

Our read. MFA bypass via token theft is the defining identity threat of this era, and it exposes a blind spot: most organizations have never tested whether their own M365 tenant would actually stop a ConsentFix-style consent grant, or whether a stolen token would be detected in use. “We have MFA” is a control on paper; whether it holds against this specific technique is a question only simulation answers. Adversary simulation that includes identity and OAuth attack paths — not just network exploits — is how you find out your MFA has a token-shaped hole before an attacker walks through it.

Reporting by BleepingComputer, linked above.
