ConsentFix is a browser-native OAuth phishing technique that hijacks legitimate Microsoft first-party sign-in flows to steal authorization codes and tokens, enabling stealthy account takeover and persistent cloud access without capturing passwords or triggering MFA.

CYBER INSIGHTS, JAN 23, 2026

Overview

ConsentFix is a newly observed, browser-native OAuth phishing technique that compromises Microsoft accounts without stealing passwords. Victims are lured to a malicious or compromised website that uses ClickFix-style prompts to trick them into completing a legitimate Microsoft sign-in for a trusted first-party app, then copying and pasting a localhost redirect URL containing an OAuth authorization code back to the attacker’s page. That single copy/paste step gives the attacker what they need to complete the OAuth handshake on their own device and obtain tokens, enabling account takeover. Because it abuses the authorization flow rather than credentials, it can bypass MFA and even phishing-resistant sign-in methods when the user is already logged into Microsoft in their browser. The campaign has been observed at scale across many compromised, high-reputation sites discovered through search results, and it uses selective targeting and anti-analysis checks to evade automated scanning and frustrate investigation. The net effect is a low-friction, hard-to-detect path to cloud access that can blend into normal login activity while enabling follow-on actions across Microsoft services.

Key Findings:

  • ConsentFix enables Microsoft account takeover without stealing passwords or defeating MFA, by hijacking the OAuth authorization process and abusing legitimate sign-in flows for trusted first-party Microsoft applications. This breaks the assumption that MFA or phishing-resistant authentication alone prevents account compromise.
  • The attack operates entirely inside the browser and identity layer, using compromised high-reputation websites and ClickFix-style prompts to socially engineer users into handing over OAuth authorization codes, leaving no malware, payloads, or obvious endpoint indicators.
  • Targeting first-party Microsoft applications is central to the technique, as these apps are pre-consented, broadly trusted, and often excluded from restrictive Conditional Access policies, allowing attackers to obtain powerful access tokens that blend into normal activity.
  • State-aligned threat actors, assessed to include APT29, are actively using or evolving this technique, and rapid community replication shows it is likely to spread to financially motivated groups and access brokers in the near term.
  • Successful ConsentFix compromise can lead to persistent, low-visibility cloud access, including access to administrative tooling, collaboration platforms, and sensitive data, with token-based persistence that survives password resets.
  • Immediate Actions: Reduce exposure to high-risk first-party OAuth apps by explicitly limiting which users can authenticate to applications such as Azure CLI, PowerShell, and other cloud administration tools. Separate privileged cloud access from routine web browsing, minimizing scenarios in which an existing browser session can be hijacked into an account takeover through a single deceptive interaction.

1.0 Threat Overview

OAuth abuse is not new, but the mechanics and feasibility of “real-world” compromise have shifted as enterprise cloud platforms tightened controls around third-party app consent, risky permission grants, and tenant-wide app governance. Earlier waves of OAuth-focused attacks typically relied on consent phishing, where users were tricked into authorizing attacker-controlled applications to access mail, files, or directory data, or device code phishing, where victims entered a code into a legitimate login page to complete an attacker-initiated sign-in. Those methods remained effective because they exploited user trust in legitimate login pages, but defenders increasingly responded with stricter tenant consent policies, improved app-review workflows, and stronger defaults that reduce the ease with which unknown apps can gain privileges. As these controls became more common, the operational cost of OAuth phishing rose, pushing capable actors to look for pathways that still work even in well-governed tenants.

ConsentFix reflects that next step: rather than asking a user to approve a suspicious third-party app, it leverages trusted first-party Microsoft applications that are widely available and often pre-consented across tenants, thereby removing the friction points that defenders increasingly rely on. The attack also borrows from ClickFix-style lures, using “human verification” prompts and copy-and-paste instructions to guide victims through steps that feel routine and harmless, especially when the login experience looks fully legitimate. This browser-native approach reduces the number of traditional detection opportunities by avoiding payload delivery and credential prompts on the phishing page itself, and by delivering content through compromised websites surfaced via search results instead of email. The technique’s rapid evolution and community replication in late 2025 demonstrated how quickly it can be refined for usability, increasing the likelihood of broader adoption beyond the initial, more selective campaigns. In effect, ConsentFix shows how identity compromise can succeed even when organizations believe they have “phishing-resistant” protections in place, because the attacker is hijacking the authorization process rather than stealing the authentication factor.

1.1 Technique Breakdown

ConsentFix is a multi-stage, browser-native attack that carefully blends social engineering with legitimate OAuth authentication flows to achieve account takeover without ever capturing credentials. Unlike traditional phishing, the attacker does not impersonate a login page or ask for passwords; instead, they guide the victim through actions that appear routine and trustworthy, exploiting how OAuth authorization codes are generated and exchanged by first-party Microsoft applications. The technique is designed to stay entirely within the browser and identity layer, avoiding endpoint artifacts and minimizing the effectiveness of many standard security controls. This technique is particularly dangerous because it reframes the user as an active participant in the compromise while keeping all authentication steps legitimate. The attacker never “breaks” authentication—instead, they redirect it—making ConsentFix difficult to detect, explain to users, and defend against using traditional phishing or endpoint-focused controls.

ConsentFix Attack Technique - Detailed Breakdown

  1. Initial Access Through Trusted Web Content: Victims are directed to a malicious or attacker-injected page hosted on a legitimate, high-reputation website, often discovered via search results. This avoids email-based phishing detection and leverages normal browsing behavior.
  2. Conditional Targeting and Anti-Analysis Gating: The malicious page validates the visitor's email domain and other signals before activating the attack. Non-targeted users, security scanners, and researchers are redirected to benign content, reducing early discovery and investigation.
  3. ClickFix-Style Interaction Prompt: The page presents a familiar "verification" or "human check" workflow that guides the user through simple steps, such as clicking a button and copying/pasting content, framing the action as a routine requirement to continue.
  4. Redirection to Legitimate Microsoft Sign-In Flow: Clicking "Sign In" opens a real Microsoft authentication page for a trusted first-party application (for example, a command-line or management tool). If the user already has an active Microsoft session, they may not be prompted for credentials at all.
  5. Generation of Localhost Redirect with OAuth Material: After account selection or login, Microsoft redirects the browser to a localhost URL that contains an OAuth authorization code associated with the user's account and the targeted application.
  6. User-Assisted Transfer of Authorization Code: The phishing page instructs the victim to copy and paste this localhost URL back into the page. This step hands the attacker the authorization code needed to complete the OAuth process.
  7. Completion of OAuth Handshake by Attacker: Using the captured authorization code, the attacker completes the sign-in flow on their own device, exchanging the code for access tokens and potentially refresh tokens tied to the victim's account.
  8. Bypass of Identity-Layer Defenses: Because the attack leverages legitimate sign-in infrastructure and existing sessions, it bypasses passwords, MFA challenges, and even phishing-resistant authentication methods such as passkeys.
  9. Stealthy Post-Compromise Access: The resulting token-based access allows the attacker to interact with Microsoft services in ways that resemble normal user activity, often with limited logging or visibility depending on scopes and tenant configuration.
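Steps 4 through 9 leave two traces a defender can look for in Entra ID sign-in telemetry: a sign-in to a high-risk first-party application by a user who has no business using it, and token activity for that application from a different network location than the browser session that produced the authorization code (the attacker finishing the exchange on their own device). The following hunt script is an added example, not code from the Hunter Strategy write-up or from Microsoft. The field names mirror the Entra sign-in log schema (userPrincipalName, appId, appDisplayName, ipAddress, isInteractive), the two app IDs are the well-known published IDs for Azure CLI and Azure PowerShell (verify them against your own tenant), the ALLOWED_USERS list is an assumed allow-list, and the log lines are constructed for the example. It also assumes that a token redemption or refresh for the app appears as a non-interactive sign-in carrying the redeeming device's IP.

```python
"""Hunt constructed Entra ID sign-in records for ConsentFix-style indicators.

Two signals are checked per (user, high-risk app) pair:
  1. the user is outside the population allowed to use the app at all;
  2. a non-interactive token event for the app follows an interactive
     sign-in within a short window but comes from a different IP address,
     which is what an attacker redeeming a pasted authorization code on
     their own machine would look like.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Well-known published app IDs for two first-party apps the article names.
# Extend this map with whatever your tenant classifies as high-risk.
HIGH_RISK_APPS = {
    "04b07795-8ddb-461a-bbee-02f9e1bf7b46": "Microsoft Azure CLI",
    "1950a258-227b-4e31-a9cf-717495945fc2": "Microsoft Azure PowerShell",
}

# Assumed allow-list: the admin/developer population permitted to use the
# apps above. Any other user signing in to them is worth a look.
ALLOWED_USERS = {"cloud-admin@example.com"}

# Constructed sign-in log (one JSON record per line). The last record uses a
# placeholder app ID for an ordinary productivity app that is not high-risk.
SAMPLE_SIGNIN_LOG = """\
{"createdDateTime": "2026-01-20T09:00:00Z", "userPrincipalName": "cloud-admin@example.com", "appId": "04b07795-8ddb-461a-bbee-02f9e1bf7b46", "appDisplayName": "Microsoft Azure CLI", "ipAddress": "203.0.113.10", "isInteractive": true}
{"createdDateTime": "2026-01-20T09:00:40Z", "userPrincipalName": "cloud-admin@example.com", "appId": "04b07795-8ddb-461a-bbee-02f9e1bf7b46", "appDisplayName": "Microsoft Azure CLI", "ipAddress": "203.0.113.10", "isInteractive": false}
{"createdDateTime": "2026-01-21T14:12:03Z", "userPrincipalName": "finance-user@example.com", "appId": "04b07795-8ddb-461a-bbee-02f9e1bf7b46", "appDisplayName": "Microsoft Azure CLI", "ipAddress": "198.51.100.7", "isInteractive": true}
{"createdDateTime": "2026-01-21T14:13:30Z", "userPrincipalName": "finance-user@example.com", "appId": "04b07795-8ddb-461a-bbee-02f9e1bf7b46", "appDisplayName": "Microsoft Azure CLI", "ipAddress": "192.0.2.55", "isInteractive": false}
{"createdDateTime": "2026-01-21T15:00:00Z", "userPrincipalName": "finance-user@example.com", "appId": "constructed-benign-app-id", "appDisplayName": "Constructed Productivity App", "ipAddress": "198.51.100.7", "isInteractive": true}
"""


def parse_signins(text):
    """Parse JSON-lines sign-in records and attach a datetime under 'ts'."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        rec["ts"] = datetime.strptime(rec["createdDateTime"], "%Y-%m-%dT%H:%M:%SZ")
        records.append(rec)
    return records


def find_consentfix_indicators(records, window=timedelta(minutes=30)):
    """Return a list of finding dicts; an empty list means nothing suspicious."""
    findings = []
    by_user_app = defaultdict(list)
    for rec in records:
        if rec["appId"] in HIGH_RISK_APPS:
            by_user_app[(rec["userPrincipalName"], rec["appId"])].append(rec)

    for (upn, app_id), recs in by_user_app.items():
        recs.sort(key=lambda r: r["ts"])
        app_name = HIGH_RISK_APPS[app_id]

        # Signal 1: a user outside the allowed population reached the app.
        if upn not in ALLOWED_USERS:
            findings.append({
                "user": upn, "app": app_name,
                "signal": "unexpected_high_risk_app_signin",
                "at": recs[0]["createdDateTime"], "ip": recs[0]["ipAddress"],
            })

        # Signal 2: token activity shortly after the browser sign-in, but
        # from a different IP than the browser that produced the code.
        for auth in (r for r in recs if r["isInteractive"]):
            for tok in recs:
                if tok["isInteractive"]:
                    continue
                in_window = auth["ts"] < tok["ts"] <= auth["ts"] + window
                if in_window and tok["ipAddress"] != auth["ipAddress"]:
                    findings.append({
                        "user": upn, "app": app_name,
                        "signal": "token_use_from_different_ip",
                        "browser_ip": auth["ipAddress"], "token_ip": tok["ipAddress"],
                        "at": tok["createdDateTime"],
                    })
    return findings


if __name__ == "__main__":
    for finding in find_consentfix_indicators(parse_signins(SAMPLE_SIGNIN_LOG)):
        print(json.dumps(finding))
```

On the constructed log the administrator's own Azure CLI use produces nothing, while the finance user triggers both signals: they are not on the allow-list, and the token event 87 seconds after their browser sign-in comes from a different address. In a real tenant the IP comparison is noisier (VPNs, mobile networks), so treat the second signal as a prioritization aid layered on top of the first rather than a standalone alert.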

1.2 Affected Systems

ConsentFix does not target a specific vulnerability in software; instead, it exploits how OAuth authorization is handled across widely used Microsoft identity and productivity services. As a result, the affected “systems” are best understood as identity surfaces, applications, and user populations rather than a single product version. Any organization using Microsoft Entra ID (Azure AD) with standard browser-based access is potentially exposed, particularly where first-party applications and legacy scopes are broadly available.

System Exposure Levels - ConsentFix Attack

Key Takeaway: Because ConsentFix abuses legitimate identity workflows rather than exploiting a software flaw, any Microsoft-based environment with browser access and first-party app usage should assume potential exposure, particularly for high-privilege or cloud-enabled users.

  • Microsoft Entra ID (Azure AD), Exposure: High. OAuth authorization codes generated during legitimate sign-ins can be hijacked and reused by attackers.
  • End-user Web Browsers, Exposure: High. The entire attack occurs within the browser, leveraging active Microsoft sessions and normal browsing behavior.
  • Microsoft First-Party Applications, Exposure: High. These apps (e.g., Azure CLI, Teams, Visual Studio, PowerShell) are pre-consented, trusted by default, and cannot be easily restricted like third-party OAuth apps.
  • Users with Cloud Admin, Developer, or Automation Access, Exposure: High. Tokens issued to these accounts enable powerful actions and broad access once compromised.
  • Organizations Relying on Default OAuth and Conditional Access Settings, Exposure: Medium-High. Legacy scopes and built-in exclusions reduce visibility and weaken expected enforcement.
  • Identity Logging and Monitoring Configurations, Exposure: Medium. Without enhanced logging, ConsentFix activity can blend into normal authentication events.

2.0 Preconditions for Exploitation

ConsentFix succeeds not because of a software flaw, but because certain environmental and behavioral conditions are common in modern Microsoft-based workplaces. The attack relies on normal browser usage, trusted Microsoft authentication flows, and default identity configurations that allow first-party applications to operate with broad access. When these conditions are present, attackers can hijack OAuth authorization without triggering the controls organizations typically rely on to stop phishing or account takeover.

Key Preconditions That Enable ConsentFix

  • Active Microsoft Browser Sessions: Users are often already signed in to Microsoft services in their browser, allowing the OAuth flow to complete with minimal friction and sometimes without re-authentication.
  • Use of Trusted First-Party Microsoft Applications: Applications such as Azure CLI, PowerShell, Teams, and Visual Studio are trusted by default, pre-consented in tenants, and cannot be easily blocked, making them ideal targets for token abuse.
  • Standard OAuth Authorization-Code Behavior: The authorization code is generated and displayed in a localhost redirect URL during legitimate application sign-in, creating an opportunity for social-engineering-based interception.
  • Reliance on Default Conditional Access and Logging Settings: Legacy scopes, built-in exclusions, and limited logging for certain OAuth events reduce visibility and weaken expected enforcement in many environments.
  • User Willingness to Follow Routine "Verification" Prompts: ClickFix-style instructions that involve copying and pasting URLs feel harmless and familiar, especially when framed as a standard security or access check.
  • Delivery Through Normal Web Browsing Rather Than Email: Compromised, high-reputation websites accessed via search results bypass email security controls and reduce user suspicion.

3.0 Threat Actor Utilization

Current intelligence indicates that ConsentFix is being used by highly capable, state-aligned threat actors, rather than opportunistic cybercriminals. Push Security’s analysis, corroborated through collaboration with multiple research teams, assesses with moderate to high confidence that the observed campaign is linked to APT29, a Russian state-affiliated group historically associated with stealthy credential theft, identity abuse, and long-term access operations. The technique aligns closely with APT29’s known preference for low-noise, identity-centric tradecraft that avoids malware deployment and prioritizes persistence through legitimate access paths. Importantly, ConsentFix appears to be an evolution of earlier Russia-linked campaigns that relied on manual social engineering to obtain OAuth authorization material, now refined into a scalable, browser-native approach.

Threat Actors Using ConsentFix and OAuth Hijacking

Analyst Note: The rapid community replication and refinement of ConsentFix shortly after disclosure suggest that this technique is likely to spread beyond its initial state-aligned use. While currently associated with sophisticated actors, its reliance on social engineering rather than custom tooling lowers the barrier for broader adoption by financially motivated groups and access brokers targeting Microsoft cloud environments.

  • APT29. Attribution: Russia state-affiliated. Technique applied: OAuth authorization-code hijacking via ConsentFix. Operational objective: covert Microsoft account takeover without credentials or MFA.
  • Russia-Linked Actors. Attribution: reported by Volexity. Technique applied: manual OAuth code capture via social engineering. Operational objective: establish persistent cloud access through token abuse.
  • Emerging Copycat Actors. Attribution: anticipated threat actors. Technique applied: browser-native ClickFix-style OAuth phishing. Operational objective: monetization, access resale, or lateral cloud compromise.

4.0 Historical Exploit Timeline

ConsentFix’s evolution is best understood as a rapid shift from niche OAuth abuse into a repeatable, web-delivered account takeover workflow. The timeline below highlights how earlier “authorization code capture” tactics matured into a scalable campaign delivered through compromised websites, then quickly expanded as researchers identified additional first-party Microsoft applications that could be abused under common enterprise configurations. The speed of iteration matters: once a technique is proven reliable and low-friction, it tends to spread beyond a single actor and becomes a durable part of the phishing playbook.

ConsentFix Evolution Timeline - 2021 to 2026

  • 2021–2025: Early targeted OAuth "authorization code capture" tradecraft observed. Impact: established the core concept that hijacking legitimate OAuth flows can bypass password/MFA-focused defenses if the attacker can obtain the right OAuth material.
  • July 2025: Public reporting ties Russian-aligned intrusions to OAuth authorization-code abuse. Impact: confirmed real-world viability in targeted operations, reinforcing that this is not theoretical phishing.
  • December 2025: ConsentFix operationalized at scale via compromised websites. Impact: expanded reach and reduced dependence on email controls by shifting to web/search-driven victim acquisition.
  • December 2025: ConsentFix publicly defined and analyzed. Impact: clarified the mechanism; the victim-generated localhost URL contains an authorization code that the attacker replays to complete OAuth on their device.
  • December 2025: Technique iterations reduce victim friction. Impact: lower effort for victims increases success rates and accelerates adoption by additional actors.
  • December 2025: Additional vulnerable first-party Microsoft apps identified. Impact: broadened the abuse surface from one target app into a reusable pattern across multiple trusted applications.
  • January 2026: Updated campaign debrief consolidates findings and likely attribution. Impact: reinforced scale, evasion, and state-aligned linkage; increases likelihood of near-term copycats and variants.
  • January 2026: Wider publication of investigation playbooks and mitigations. Impact: awareness improves defense, but public playbooks also lower barriers for adversaries to replicate and modify the technique.

5.0 Recommendations for Mitigation

5.1 Rapid Containment and Tenant Hardening

  • Close the immediate exposure window by prioritizing policy and configuration changes that reduce the ability to complete OAuth-based takeovers, then validate coverage with targeted checks across Entra ID sign-in and audit telemetry.

5.2 Constrain First-Party App Access to “Need-to-Use” Populations

  • Create explicit service principals for high-risk first-party apps commonly abused in ConsentFix-style flows (starting with Azure CLI and Azure PowerShell) and limit who can use them to tightly scoped admin and developer groups. This reduces the number of users who can be successfully phished into granting usable tokens, and it prevents broad tenant-wide exposure in which any employee account can be used as an access path to cloud administration.
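Section 5.1 asks for the control to be validated with targeted checks, and the check that matters for 5.2 is simple to state: for each high-risk first-party app, does an explicit service principal exist, is user assignment required on it, and who can therefore still obtain a token? The script below is an added example, not code from the write-up or from Microsoft. The servicePrincipal field names (appId, displayName, appRoleAssignmentRequired) follow Microsoft Graph naming, the app IDs are the well-known published IDs for Azure CLI and Azure PowerShell, and the tenant snapshot, group names, and allowed population are constructed for the example; in practice you would populate the snapshot from a Graph export.

```python
"""Audit whether high-risk first-party apps are restricted to a need-to-use
population. The tenant snapshot is constructed; an explicit service principal
with appRoleAssignmentRequired=True restricts the app to its assigned
principals, while a missing service principal or one without assignment
required leaves the app open to every user in the tenant."""

# Well-known published app IDs for two first-party apps the article names.
HIGH_RISK_APPS = {
    "04b07795-8ddb-461a-bbee-02f9e1bf7b46": "Microsoft Azure CLI",
    "1950a258-227b-4e31-a9cf-717495945fc2": "Microsoft Azure PowerShell",
}

# Constructed tenant snapshot. Azure CLI has been locked down per section 5.2;
# Azure PowerShell has no explicit service principal yet.
SAMPLE_TENANT = {
    "servicePrincipals": [
        {
            "appId": "04b07795-8ddb-461a-bbee-02f9e1bf7b46",
            "displayName": "Microsoft Azure CLI",
            "appRoleAssignmentRequired": True,
            # Assigned principals may be group IDs or individual user names.
            "assignedPrincipals": ["grp-cloud-admins"],
        },
    ],
    "groups": {
        "grp-cloud-admins": ["alice@example.com"],
        "grp-all-staff": ["alice@example.com", "bob@example.com", "carol@example.com"],
    },
    "users": ["alice@example.com", "bob@example.com", "carol@example.com"],
}


def reachable_users(tenant, app_id):
    """Return (status, set of users who can authenticate to the app)."""
    sp = next((s for s in tenant["servicePrincipals"] if s["appId"] == app_id), None)
    if sp is None:
        # No service principal to hang a restriction on: open to everyone.
        return "no service principal", set(tenant["users"])
    if not sp.get("appRoleAssignmentRequired", False):
        return "assignment not required", set(tenant["users"])
    users = set()
    for principal in sp.get("assignedPrincipals", []):
        # Expand groups; anything not a known group is treated as a user.
        users.update(tenant["groups"].get(principal, [principal]))
    return "assignment required", users


def audit_high_risk_apps(tenant, allowed_users):
    """Report, per app, who can reach it and who should not be able to."""
    report = {}
    for app_id, name in HIGH_RISK_APPS.items():
        status, reach = reachable_users(tenant, app_id)
        unexpected = sorted(reach - set(allowed_users))
        report[name] = {
            "status": status,
            "reachable": sorted(reach),
            "unexpected": unexpected,
            "compliant": status == "assignment required" and not unexpected,
        }
    return report


if __name__ == "__main__":
    for app, result in audit_high_risk_apps(SAMPLE_TENANT, {"alice@example.com"}).items():
        flag = "OK " if result["compliant"] else "FIX"
        print(f"{flag} {app}: {result['status']}; unexpected={result['unexpected']}")
```

Run against the constructed snapshot, Azure CLI reports as compliant while Azure PowerShell is flagged with two users outside the allowed population, which is exactly the tenant-wide exposure the recommendation is meant to remove. Re-running the audit after each policy change gives the validation step that section 5.1 calls for.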

5.3 Tighten Conditional Access Around OAuth Token Acquisition, Not Just Login

  • Re-evaluate Conditional Access assumptions that focus on interactive sign-in alone. Require stronger controls for access to sensitive cloud resources and administrative surfaces, even when the initial authentication is “legitimate,” and explicitly review exclusions that apply to Microsoft first-party apps or legacy resources. The objective is to ensure that obtaining a token is not equivalent to being trusted for high-impact actions.

5.4 Increase Visibility for Legacy and Under-Logged OAuth Activity

  • Enable and retain the log sources that capture older and less visible OAuth activity patterns, and build a review process around them. ConsentFix’s advantage is that it can leverage legacy scopes and resources that are not highlighted in default monitoring; improving log coverage and retention for those sources directly reduces dwell time and makes post-compromise validation feasible during incident response.

5.5 Treat High-Risk Browser Paths as an Identity Control Surface

  • Reduce exposure to search-driven “watering hole” delivery by tightening controls on how corporate identities are used in everyday browsing. This includes minimizing situations where users are already logged into Microsoft in a general-purpose browser session and separating privileged cloud administration from routine web activity through dedicated, controlled browser profiles or hardened access workstations. This does not rely on endpoint tooling; it reduces the chance that a single deceptive page can convert an existing session into an account takeover event.

5.6 Establish a Playbook for Token-Based Compromise and Rapid Credential Hygiene

  • Prepare for the reality that token theft and token replay behave differently from password compromise. Define a response path that includes immediate session invalidation, revocation of refresh tokens, targeted review of app consent and sign-in events, and fast credential rotation for accounts that accessed privileged resources after the suspicious authorization. The goal is to remove attacker persistence mechanisms that survive password changes.
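The point of this playbook is that a password reset on its own does not end a token-based compromise, and an incident timeline should make that gap visible. The triage helper below is an added example, not code from the write-up. Given a per-account timeline of identity events, it lists the privileged resources touched after the suspicious authorization (the accounts and resources that need credential rotation) and checks whether token activity continued after the password reset but before refresh tokens were revoked. The event types, resource names, and timeline are constructed for the example, and the privileged-resource classification is an assumption you would replace with your own.

```python
"""Triage a token-based compromise against the section 5.6 playbook.

Events are (timestamp, user, event_type, detail) tuples. Recognised types:
  suspicious_authorization  - the hijacked first-party app sign-in
  token_signin              - later token use; detail is the resource reached
  password_reset            - the account's password was changed
  refresh_token_revocation  - refresh tokens revoked / sessions invalidated
"""
from datetime import datetime

# Assumed classification of resources whose access after the suspicious
# authorization should trigger credential rotation for that account.
PRIVILEGED_RESOURCES = {"Azure Resource Manager", "Azure Key Vault"}

# Constructed timeline. finance-user was reset first and revoked an hour
# later; dev-user was revoked straight away with no reset.
SAMPLE_EVENTS = [
    ("2026-01-21T14:12:03Z", "finance-user@example.com", "suspicious_authorization", "Microsoft Azure CLI"),
    ("2026-01-21T14:13:30Z", "finance-user@example.com", "token_signin", "Azure Resource Manager"),
    ("2026-01-21T16:00:00Z", "finance-user@example.com", "password_reset", ""),
    ("2026-01-21T16:30:00Z", "finance-user@example.com", "token_signin", "Azure Key Vault"),
    ("2026-01-21T17:00:00Z", "finance-user@example.com", "refresh_token_revocation", ""),
    ("2026-01-21T18:00:00Z", "dev-user@example.com", "suspicious_authorization", "Microsoft Azure PowerShell"),
    ("2026-01-21T18:05:00Z", "dev-user@example.com", "refresh_token_revocation", ""),
]


def _ts(stamp):
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ")


def _first(events, kind, after=None):
    """First event of the given type strictly after 'after' (or any time)."""
    for ev in events:
        if ev[2] == kind and (after is None or _ts(ev[0]) > after):
            return ev
    return None


def containment_gaps(events):
    """Per compromised account: what still needs doing and what was missed."""
    by_user = {}
    for ev in events:
        by_user.setdefault(ev[1], []).append(ev)

    report = {}
    for user, evs in by_user.items():
        evs.sort(key=lambda e: _ts(e[0]))
        auth = _first(evs, "suspicious_authorization")
        if auth is None:
            continue  # nothing suspicious on this account
        auth_at = _ts(auth[0])
        reset = _first(evs, "password_reset", auth_at)
        revoke = _first(evs, "refresh_token_revocation", auth_at)
        reset_at = _ts(reset[0]) if reset else None
        revoke_at = _ts(revoke[0]) if revoke else None

        privileged, after_reset = set(), 0
        for stamp, _, kind, resource in evs:
            when = _ts(stamp)
            if kind != "token_signin" or when <= auth_at:
                continue
            if resource in PRIVILEGED_RESOURCES:
                privileged.add(resource)
            # Token use after the reset but before revocation means the reset
            # alone did not contain the attacker.
            if reset_at and when > reset_at and (revoke_at is None or when < revoke_at):
                after_reset += 1

        actions = []
        if revoke is None:
            actions.append("revoke refresh tokens and invalidate sessions")
        if privileged:
            actions.append("rotate credentials reachable via: " + ", ".join(sorted(privileged)))
        report[user] = {
            "suspicious_authorization_at": auth[0],
            "password_reset_at": reset[0] if reset else None,
            "refresh_tokens_revoked_at": revoke[0] if revoke else None,
            "privileged_resources_after_auth": sorted(privileged),
            "token_activity_after_reset": after_reset,
            "contained_by_reset_alone": reset is not None and after_reset == 0,
            "remaining_actions": actions,
        }
    return report


if __name__ == "__main__":
    for user, result in containment_gaps(SAMPLE_EVENTS).items():
        print(user, result)
```

For the finance user the report shows one token sign-in (to Key Vault) landing after the password reset and before revocation, so the reset did not contain the intrusion and both privileged resources need credential rotation; for the developer, whose refresh tokens were revoked within minutes, the only open item is confirming no privileged access occurred. The same function can be fed real sign-in and audit records once they are mapped onto the four event types.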

6.0 Hunter Insights

ConsentFix-style OAuth phishing will likely drive a broader shift toward identity-layer attacks that bypass passwords and MFA by targeting trusted first-party cloud applications, browser sessions, and token flows instead of traditional credential theft. As state-aligned groups like APT29 continue operationalizing this technique and security research further documents vulnerable apps and scopes, financially motivated actors and access brokers are expected to adopt copycat variants that weaponize compromised search results and high-reputation websites to harvest authorization codes at scale, turning OAuth token replay into a common precursor for cloud account takeover and long-term tenant persistence.

Over the next 12–24 months, defenders should anticipate an arms race around token-centric tradecraft in Microsoft Entra ID: attackers will increasingly chain ConsentFix-style flows with legacy scopes, Conditional Access exclusions, and under-logged first-party apps to blend into normal administrative activity, while organizations will be forced to re-architect controls around who can reach high-risk apps, how and where browser sessions are used, and how quickly anomalous OAuth grants and refresh tokens can be detected, revoked, and hunted across cloud environments.

Hunter Strategy encourages our readers to look for updates in our daily Trending Topics and on Twitter.