A new variation of the ClickFix scam sidesteps phishing defenses by tricking an employee into handing over an OAuth authorization code for their Microsoft account, which the attacker then redeems for access tokens without ever seeing a password.
Researchers at Push Security this week outlined the tactic, which they call ConsentFix, in a blog, calling it “a dangerous evolution of ClickFix and consent phishing that is incredibly hard for traditional security tools to detect and block.”
Generally ClickFix attacks display a fake error or counterfeit CAPTCHA verification to a user to get them to copy, paste and execute malicious commands on their devices.
What’s new in a ConsentFix attack is that it happens entirely inside the browser, say the researchers: no command is pasted into a terminal or run on the endpoint, which removes one of the key detection opportunities (endpoint and EDR telemetry) that defenders rely on to catch classic ClickFix.
The attack starts with a victim landing on a legitimate but compromised website they were looking for in a Google search, which completely bypasses email-based anti-phishing controls. The site shows a fake Cloudflare CAPTCHA-style verification page asking the victim to enter their business email address to prove they are human. Submitting it sends the browser to a genuine Microsoft login page, pre-filled from that email address, which carries an OAuth authorization request on behalf of Microsoft’s own Azure command line interface (Azure CLI). After the victim signs in (or is signed in automatically by an existing session), Microsoft redirects the browser to the app’s local redirect URL, and that URL contains the OAuth authorization code. The victim is then asked to copy and paste this URL into a field on the fake page, again to “verify they are human.” The attacker captures the code and exchanges it for tokens, at which point the victim has effectively granted the attacker access to their Microsoft account through Azure CLI, say the researchers.
“At this point, the attacker has effective control of the victim’s Microsoft account, but without ever needing to phish a password, or pass an MFA (multifactor authentication) check,” says Push Security. “In fact, if the user was already logged in to their Microsoft account (i.e. they had an active session) no login is required at all.”
Christopher Kayser, social engineering expert and president of Canada-based firm Cybercrime Analytics, says the attack plays on two tactics favored by threat actors: obedience (cut and paste this URL) and trust (this looks like a Microsoft login page). “People think because they are on a trusted [Microsoft] platform that this is OK,” he said in an interview.
But this attack also shows the failures of security awareness training that many organizations perform. If training is effective, employees should suspect there’s something wrong when an app asks for a business email address to confirm they are human, he said, and know that it’s suspicious when they’re asked to cut and paste anything online as a way of proving they are human.
“This is an incredibly new, innovative attack method,” commented Roger Grimes, data-driven defense CISO advisor at KnowBe4. “It’s almost unfair to classify it as a ClickFix subvariant, even though it is.” However, the odds that an employee will copy a long URL string as a test of their humanity have to be very, very low, he added. “It screams different and scammy even to the most unknowledgeable user. Can you see your grandparents doing this? Not me. But I’m sure some people do do it, or else the scammers would not try it,” he said.
“My guess is that its rate of success is so, so low that it doesn’t become a popular scam method that most of us need to worry about,” he said. “What we do need to communicate to users is how often Cloudflare’s brand is being used in social engineering scams, and what the correct Cloudflare authentication/validation looks like. The Cloudflare CAPTCHA check has become the fake antivirus screen of today’s world.”
Organizations must recognize that the ConsentFix attack highlights the dangers of implicit trust in first-party applications, and in the continued use of legacy OAuth scopes, said Avivah Litan, lead analyst for AI trust, risk and security management at Gartner. These include older permission sets within Microsoft Entra ID that grant broad access and are not subject to modern security controls or monitoring.
“Attackers exploit these legacy scopes to enumerate directory data, meaning they can systematically retrieve and map out user accounts, groups, and other directory objects within the organization,” she said. “This reconnaissance enables attackers to identify high-value targets and plan further attacks, all without triggering alerts that would be associated with newer, more tightly controlled permissions.”
The most effective mitigation strategy to this kind of attack is a combination of robust monitoring, strengthened consent governance and real-time user protection, Litan noted. “By addressing these foundational issues — specifically, by limiting the use of legacy OAuth scopes, tightening consent processes for all applications, and deploying browser-based security — enterprises can substantially reduce the risk of unauthorized access resulting from OAuth consent abuse and enhance their overall identity security posture.”
Push Security notes that the attack can succeed because it targets a first-party Microsoft app, Azure CLI, so many of the mitigating controls available for third-party app integrations (such as admin consent workflows and app-consent policies) don’t apply: the user is never presented with a consent prompt for a new application. Because no fresh login is required when a session already exists, phishing-resistant authentication methods such as passkeys have no impact on this attack, the researchers add. And the detection-evasion techniques used on the fake page make the attack difficult to investigate after the fact, so these attacks are likely going undetected.
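Two checks a defender can run against the attack chain described above, as an added example that is not part of the article or of Push Security’s research. The first recognizes the string the victim is asked to paste for what it is: an OAuth authorization-code redirect to a loopback address, the form Azure CLI’s interactive login uses (a browser-side or DLP rule can warn on it). The second is a hunting heuristic over Entra sign-in records: the victim’s own browser completes the authorization, so that record looks normal, but the attacker’s later Azure CLI token use comes from an IP and country the user has never signed in from. Field names follow the Microsoft Graph signIn resource; all log records and URLs are constructed, and the Azure CLI client ID is Microsoft’s published public one, which you should confirm against your own tenant’s logs.

```python
"""Hunt for ConsentFix-style abuse of the Azure CLI first-party app.

Added example; not code from Push Security or from the article. Record
fields mirror the Microsoft Graph signIn resource (appId, appDisplayName,
userPrincipalName, ipAddress, isInteractive, createdDateTime,
location.countryOrRegion). Every record and URL below is constructed.
"""
from collections import defaultdict
from datetime import datetime
from urllib.parse import parse_qs, urlparse

# Assumption: Azure CLI's well-known public client ID. Verify in your own logs.
AZURE_CLI_APP_ID = "04b07795-8ddb-461a-bbee-02f9e1bf7b46"
# Constructed placeholder ID standing in for an ordinary browser-based app.
BROWSER_APP_ID = "11111111-1111-1111-1111-111111111111"


def is_oauth_code_redirect(url: str) -> bool:
    """True if `url` looks like the authorization-code redirect the victim is
    told to paste: a loopback redirect URI carrying a ?code= parameter.
    A genuine login or CAPTCHA page never needs this string from the user."""
    parsed = urlparse(url)
    if parsed.hostname not in ("localhost", "127.0.0.1"):
        return False
    return "code" in parse_qs(parsed.query)


def _ts(rec):
    # Graph timestamps are ISO 8601 with a trailing Z.
    return datetime.fromisoformat(rec["createdDateTime"].replace("Z", "+00:00"))


def hunt_azure_cli_abuse(signins):
    """Flag Azure CLI sign-ins from an IP or country that never appears in the
    same user's sign-ins to any other app. The baseline is built from the
    user's non-CLI sessions, so the victim's own browser authorization (same
    IP as their Office session) passes, while the attacker's token use does not."""
    by_user = defaultdict(list)
    for rec in signins:
        by_user[rec["userPrincipalName"]].append(rec)

    findings = []
    for user, recs in by_user.items():
        recs.sort(key=_ts)
        others = [r for r in recs if r["appId"] != AZURE_CLI_APP_ID]
        baseline_ips = {r["ipAddress"] for r in others}
        baseline_countries = {r["location"]["countryOrRegion"] for r in others}
        for r in recs:
            if r["appId"] != AZURE_CLI_APP_ID:
                continue
            reasons = []
            if r["ipAddress"] not in baseline_ips:
                reasons.append("azure-cli-ip-not-in-user-baseline")
            if r["location"]["countryOrRegion"] not in baseline_countries:
                reasons.append("azure-cli-country-not-in-user-baseline")
            if reasons:
                findings.append({
                    "user": user,
                    "time": r["createdDateTime"],
                    "ipAddress": r["ipAddress"],
                    "isInteractive": r["isInteractive"],
                    "reasons": reasons,
                })
    return findings


def _rec(ts, user, app_id, app_name, ip, country, interactive):
    return {"createdDateTime": ts, "userPrincipalName": user, "appId": app_id,
            "appDisplayName": app_name, "ipAddress": ip,
            "location": {"countryOrRegion": country}, "isInteractive": interactive}


# Constructed sample log. alice: Office session from the office, the Azure CLI
# authorization completed by her own browser (the ConsentFix victim step), then
# the attacker using the resulting tokens from infrastructure she has never used.
# bob: a genuine `az login` from his usual workstation, followed by a token refresh.
SAMPLE_SIGNINS = [
    _rec("2025-01-10T09:00:00Z", "alice@example.com", BROWSER_APP_ID, "OfficeHome", "203.0.113.10", "CA", True),
    _rec("2025-01-10T09:04:00Z", "alice@example.com", AZURE_CLI_APP_ID, "Microsoft Azure CLI", "203.0.113.10", "CA", True),
    _rec("2025-01-10T09:06:00Z", "alice@example.com", AZURE_CLI_APP_ID, "Microsoft Azure CLI", "198.51.100.77", "NL", False),
    _rec("2025-01-10T10:00:00Z", "bob@example.com", BROWSER_APP_ID, "OfficeHome", "192.0.2.20", "CA", True),
    _rec("2025-01-10T10:02:00Z", "bob@example.com", AZURE_CLI_APP_ID, "Microsoft Azure CLI", "192.0.2.20", "CA", True),
    _rec("2025-01-10T11:30:00Z", "bob@example.com", AZURE_CLI_APP_ID, "Microsoft Azure CLI", "192.0.2.20", "CA", False),
]

# Constructed stand-in for the URL the fake CAPTCHA page asks the victim to paste.
PASTED_URL = "http://localhost:8400/?code=0.constructed-authorization-code&state=xyz"

if __name__ == "__main__":
    print("pasted string is an OAuth code redirect:", is_oauth_code_redirect(PASTED_URL))
    for finding in hunt_azure_cli_abuse(SAMPLE_SIGNINS):
        print(finding)
```

The heuristic will also fire on legitimate cases such as a user running `az login` from a new VPN egress or a cloud shell, so treat a hit as a lead to correlate with the preceding minutes of that user’s browser activity (a CAPTCHA-style page followed within seconds by an Azure CLI authorization is the pattern to look for), not as a verdict.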
One of the problems is that most security awareness training isn’t doing enough to lower the odds of employees falling for phishing scams, said Kayser.
He cited a study of phishing messages sent to employees at a California hospital over a period of eight months. Those who had taken a cybersecurity awareness course were just as likely to have fallen for a phishing message as those who didn’t, he said.
Training often fails because instructors talk too much in technical terms, he said. Instead they should explain attacks, how they work and how to recognize them.
“If you can explain to people what’s going on, that sticks,” he maintained.