The bottom line: ConsentFix and ClickFix exploit OAuth consent screens and phishing techniques to steal Microsoft 365 authentication tokens and thereby bypass MFA protection.
Two new attack methods named ConsentFix and ClickFix enable attackers to steal Microsoft 365 tokens through forged permission requests and manipulated OAuth flows. Both techniques circumvent multi-factor authentication and jeopardise enterprise accounts.
In both attacks, the adversary uses forged permission requests and manipulated OAuth flows to obtain valid authentication tokens for Microsoft 365 accounts from users. The tokens are captured directly in the victim's browser, and multi-factor authentication (MFA) does not block the theft because the user has already completed it.
ConsentFix targets Microsoft’s OAuth consent screens, where users grant applications access to their accounts. ClickFix, by contrast, exploits targeted phishing techniques to prompt users to enter authentication credentials or consent to malicious requests. Both methods enable complete account takeover within seconds.
For CISOs, the critical point is that these attack patterns circumvent established MFA implementations and thus undermine a widely relied-upon security model. The greatest risk stems from the speed of compromise and from the fact that token theft is hard to detect when the tokens were legitimately issued to the affected user.
Recommended mitigations: raise user awareness of suspicious consent prompts, use Conditional Access to detect anomalous token usage, monitor OAuth app approvals, and restrict which third-party applications may access Microsoft 365 data.
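As an added defender-side example (not code from the article or from Microsoft), the following Python scores OAuth consent grants over constructed, simplified audit records to surface the kind of approval the monitoring recommendation above is about; the record fields (such as publisher_verified) and the "Consent to application" activity label are assumptions of this example.

```python
"""Flag risky OAuth consent grants in constructed Microsoft 365 audit records.

Added example; record shape is a simplified, constructed stand-in for
Entra ID audit entries, and all field names are assumptions.
"""
import json

# Delegated permissions that expose mail/files or keep long-lived access.
RISKY_SCOPES = {"Mail.Read", "Mail.ReadWrite", "Files.ReadWrite.All",
                "MailboxSettings.ReadWrite", "offline_access"}

# Constructed sample records (not real tenant data).
SAMPLE_LOG = [
    {"activity": "Consent to application", "user": "alice@example.com",
     "app": "Contoso Timesheets", "publisher_verified": True,
     "scopes": ["User.Read", "Calendars.Read"], "admin_consent": False},
    {"activity": "Consent to application", "user": "bob@example.com",
     "app": "Docs Viewer Plus", "publisher_verified": False,
     "scopes": ["Mail.ReadWrite", "offline_access", "User.Read"],
     "admin_consent": False},
    {"activity": "Add service principal", "user": "it-admin@example.com",
     "app": "Backup Tool", "publisher_verified": True, "scopes": [],
     "admin_consent": True},
]


def score_consent(record):
    """Return (score, reasons) for one record; 0 means nothing of note."""
    if record.get("activity") != "Consent to application":
        return 0, []
    reasons = []
    risky = RISKY_SCOPES & set(record.get("scopes", []))
    if risky:
        reasons.append("risky scopes: " + ", ".join(sorted(risky)))
    if not record.get("publisher_verified", False):
        reasons.append("unverified publisher")
    if risky and not record.get("admin_consent", False):
        reasons.append("user-granted without admin review")
    return len(reasons), reasons


def find_suspicious_consents(records, threshold=2):
    """Return app/user pairs whose consent scores at or above threshold."""
    hits = []
    for rec in records:
        score, reasons = score_consent(rec)
        if score >= threshold:
            hits.append({"app": rec["app"], "user": rec["user"],
                         "reasons": reasons})
    return hits


if __name__ == "__main__":
    print(json.dumps(find_suspicious_consents(SAMPLE_LOG), indent=2))
```

In a real tenant the same scoring would run over exported audit logs, and the threshold should be tuned to the tenant's baseline of legitimate user consents.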
Source: www.bleepingcomputer.com · Published 2 July 2026
Lumi AI News — AI-assisted curation pursuant to Art. 50 EU AI Act. Paraphrase and classification by Lumi News Pipeline v1.7.2.