"It can start with something as mundane as dragging a link into your browser. Three seconds later, a threat actor has the tokens needed to take over your Microsoft 365 account, and you never did anything that traditional security awareness training would flag," Huntress Labs writes.
ClickFix: keyboard-shortcut deception that asks the victim to execute their own compromise
Huntress Labs describes ClickFix as a social-engineering technique that relies on a familiar human reflex: follow a short, routine instruction to move an interaction along. In ClickFix attacks, victims are shown a fake prompt instructing them to press a sequence of keyboard shortcuts. Those shortcuts paste and execute attacker-supplied commands on the victim's machine, enabling malicious activity without exploiting a software vulnerability or breaching a perimeter defense.
According to the source, ClickFix "surged in 2025" and remains active, demonstrating how simple, well-crafted prompts can convert routine behavior into a takeover mechanism.
ConsentFix: turning Microsoft 365 sign-in flows into session theft
The attack variant Huntress calls ConsentFix shifts the exploitation point to Microsoft 365 OAuth consent flows — the authentication steps users commonly accept without close scrutiny. A phishing lure, often delivered via trusted file-sharing platforms such as Dropbox or DocSend and sometimes placed behind a password to hamper security inspection, leads the victim to what appears to be a standard Microsoft authentication screen.
The crucial step is a request that the user drag a "localhost callback" link into the browser. Instead of finishing a harmless local callback, that drag-and-drop action surrenders OAuth tokens to the attacker. Those tokens provide session access to email and other Microsoft 365 services "without a password and MFA bypass," according to Huntress. Victims are not typing credentials into a fake form; they are completing what looks like a legitimate flow while the session itself is exfiltrated.
How criminals have replicated and distributed ConsentFix (March 2026)
Huntress reports that by early March 2026 a detailed, public walkthrough of ConsentFix appeared on a Russian cybercrime forum. The post included working code, infrastructure screenshots, and a video tutorial showing how to build and deploy the attack — effectively packaging the technique for lower-skilled operators.
The walkthrough leaned on free or widely available services, and its authors described profiling targets before sending lures, using LinkedIn and similar tools to map organizations and tailor messages to real people. That combination—step-by-step documentation plus inexpensive infrastructure—lowers the barrier to entry and helps the technique spread.
Detection and mitigation: awareness plus monitoring
Huntress stresses that stopping these attacks requires more than conventional security awareness training. While a moment of skepticism—asking why a site wants you to press hotkeys or drag a callback link—can interrupt an attack, the technique is explicitly engineered to look routine, which limits the effectiveness of user caution as the sole defense.
Defenders are urged to add detection coverage for the operational traces ConsentFix and ClickFix leave behind: unusual PowerShell activity spawned by normal user processes, or new session logins from unexpected locations. Endpoint and identity monitoring are specifically recommended to surface those signals before a simple action becomes a full account compromise.
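As an added illustration of the two traces named above (not code from Huntress or the original article), the following Python checks constructed process-creation and Microsoft 365 sign-in records for a shell launched with hidden or encoded flags from a user-facing parent, and for a session from a country outside a user's baseline; the event shape, process lists and baseline are assumptions for the example.

```python
import json

# Constructed sample telemetry (not from the article), in a simplified shape.
PROCESS_EVENTS = [
    {"user": "alice", "parent": "explorer.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe -w hidden -enc UGxhY2Vob2xkZXI="},   # placeholder payload
    {"user": "bob", "parent": "code.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe -File build.ps1"},                   # ordinary dev usage
]
SIGNIN_EVENTS = [
    {"user": "alice", "country": "NL", "ip": "198.51.100.7", "session_id": "s-1"},
    {"user": "alice", "country": "NL", "ip": "198.51.100.7", "session_id": "s-1"},
    {"user": "alice", "country": "BR", "ip": "203.0.113.9", "session_id": "s-2"},
]

# Processes a user interacts with directly; the Win+R Run box belongs to explorer.exe.
USER_LAUNCHERS = {"explorer.exe", "chrome.exe", "msedge.exe", "firefox.exe",
                  "winword.exe", "outlook.exe"}
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe"}
# Flags that hide the window or obscure the command, typical of pasted one-liners.
FLAGS = ("-w hidden", "-windowstyle hidden", "-enc", "-encodedcommand",
         "iex", "downloadstring")

def suspicious_process(ev):
    """ClickFix trace: a user-facing parent spawning a shell with hiding/obfuscation flags."""
    if ev["parent"].lower() not in USER_LAUNCHERS or ev["image"].lower() not in SHELLS:
        return False
    cmd = ev["cmdline"].lower()
    return any(flag in cmd for flag in FLAGS)

def new_location_sessions(events, baseline):
    """ConsentFix trace: sessions from a country not in the user's baseline.
    baseline maps user -> set of expected countries; result is deduplicated."""
    hits = []
    for ev in events:
        key = (ev["user"], ev["session_id"], ev["country"])
        if ev["country"] not in baseline.get(ev["user"], set()) and key not in hits:
            hits.append(key)
    return hits

def run(process_events=PROCESS_EVENTS, signin_events=SIGNIN_EVENTS, baseline=None):
    baseline = baseline if baseline is not None else {"alice": {"NL"}, "bob": {"NL"}}
    return {
        "process_alerts": [ev["user"] for ev in process_events if suspicious_process(ev)],
        "session_alerts": new_location_sessions(signin_events, baseline),
    }

if __name__ == "__main__":
    print(json.dumps(run(), indent=2))
```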
What this means for technologists, affected enterprises, and end users
- Technologists and security teams: prioritize detection rules for anomalous PowerShell execution and anomalous session-token use, and instrument identity telemetry to flag new Microsoft 365 sessions from atypical locations or processes.
- Affected enterprises and procurement leaders: review how external file-sharing links are received and scanned; consider policies around password-protected lures that evade ordinary inspection and adjust phishing-resistant controls for OAuth consent flows.
- End users and the general public: treat unusual requests to press hotkeys or drag localhost callback links as a warning sign and pause to verify the origin and purpose of the request before complying.
The pattern Huntress highlights is consistent: attackers interrupt a normal workflow at the exact moment users are most likely to follow simple instructions. With ClickFix and ConsentFix, the adversary's work is to make the right lie look like the right next step. The defensive response Huntress prescribes pairs basic skepticism with technical detection—because when the victim supplies the action, it is often only monitoring and telemetry that can reveal the theft in time.
Original reporting: https://www.bleepingcomputer.com/news/security/consentfix-and-clickfix-how-microsoft-365-accounts-are-hijacked-in-3-seconds/