{"id":6184,"date":"2025-12-12T00:20:44","date_gmt":"2025-12-12T00:20:44","guid":{"rendered":"https:\/\/cybersecurityinfocus.com\/?p=6184"},"modified":"2025-12-12T00:20:44","modified_gmt":"2025-12-12T00:20:44","slug":"meet-consentfix-a-new-twist-on-the-clickfix-phishing-attack","status":"publish","type":"post","link":"https:\/\/cybersecurityinfocus.com\/?p=6184","title":{"rendered":"Meet ConsentFix, a new twist on the ClickFix phishing attack"},"content":{"rendered":"<div>\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<p>A new variation of the ClickFix scam tries to get around phishing defenses by capturing an employee\u2019s OAuth authentication token for Microsoft logins.<\/p>\n<p><a href=\"https:\/\/pushsecurity.com\/blog\/consentfix\/\" target=\"_blank\" rel=\"noopener\">Researchers at Push Security this week outlined the tactic<\/a>, which they call ConsentFix, in a blog, calling it \u201ca dangerous evolution of ClickFix and consent phishing that is incredibly hard for traditional security tools to detect and block.\u201d<\/p>\n<p>Generally, <a href=\"https:\/\/www.csoonline.com\/article\/4096241\/new-clickfix-attacks-use-fake-windows-update-screens-to-fool-employees.html\" target=\"_blank\" rel=\"noopener\">ClickFix<\/a> attacks display a fake error or counterfeit CAPTCHA verification to a user to <a href=\"https:\/\/www.csoonline.com\/article\/4016208\/sixfold-surge-of-clickfix-attacks-threatens-corporate-defenses.html\" target=\"_blank\" rel=\"noopener\">get them to copy, paste and execute malicious commands<\/a> on their devices.<\/p>\n<p>What\u2019s new in a ConsentFix attack, the researchers say, is that it happens entirely inside the browser, which removes one of the key detection opportunities because the attack never touches the endpoint.<\/p>\n<p>The attack starts with a victim coming across a legitimate but compromised website while looking for it in a Google search, which completely circumvents email-based anti-phishing controls. Visiting the site triggers a fake Cloudflare CAPTCHA-like verification page that asks the victim to enter their business email address to prove they\u2019re human. Doing so opens a Microsoft login page that includes a legitimate URL, based on the victim\u2019s email address, that would contain an OAuth token. The victim is asked to copy and paste that URL into a field, again to verify they are human. The URL is captured by the threat actor, at which point the victim has granted the attacker access to their Microsoft account via Azure\u2019s command line interface, say the researchers.<\/p>\n<p>\u201cAt this point, the attacker has effective control of the victim\u2019s Microsoft account, but without ever needing to phish a password, or pass an MFA (multifactor authentication) check,\u201d says Push Security. \u201cIn fact, if the user was already logged in to their Microsoft account (i.e. they had an active session) no login is required at all.\u201d<\/p>\n<p><a href=\"https:\/\/cybercrimeanalytics.com\/about\/\" target=\"_blank\" rel=\"noopener\">Christopher Kayser<\/a>, a social engineering expert and president of the Canada-based firm Cybercrime Analytics, says the attack plays on two tactics favored by threat actors: obedience (cut and paste this URL) and trust (this looks like a Microsoft login page). \u201cPeople think because they are on a trusted [Microsoft] platform that this is OK,\u201d he said in an interview.<\/p>\n<p>But this attack also shows the failures of the security awareness training that many organizations perform. If training is effective, employees should suspect something is wrong when an app asks for a business email address to confirm they are human, he said, and should know it\u2019s suspicious when they\u2019re asked to cut and paste anything online as a way of proving they are human.<\/p>\n<p>\u201cThis is an incredibly new, innovative attack method,\u201d commented Roger Grimes, data-driven defense CISO advisor at KnowBe4. \u201cIt\u2019s almost unfair to classify it as a Clickfix subvariant, even though it is.\u201d However, the odds that an employee will copy a long URL string as a test of their humanity have to be very, very low, he added. \u201cIt screams different and scammy even to the most unknowledgeable user. Can you see your grandparents doing this? Not me. But I\u2019m sure some people do do it, or else the scammers would not try it,\u201d he said.<\/p>\n<p>\u201cMy guess is that its rate of success is so, so low that it doesn\u2019t become a popular scam method that most of us need to worry about,\u201d he said. \u201cWhat we do need to communicate to users is how often Cloudflare\u2019s brand is being used in social engineering scams, and what the correct Cloudflare authentication\/validation looks like. The Cloudflare CAPTCHA check has become the fake antivirus screen of today\u2019s world.\u201d<\/p>\n<p>Organizations must recognize that the ConsentFix attack highlights the dangers of implicit trust in first-party applications and of the continued use of legacy OAuth scopes, said <a href=\"https:\/\/www.gartner.com\/analyst\/b9cb00be7b\" target=\"_blank\" rel=\"noopener\">Avivah Litan<\/a>, lead analyst for AI trust, risk and security management at Gartner. These include older permission sets within Microsoft Entra ID that grant broad access and are not subject to modern security controls or monitoring.<\/p>\n<p>\u201cAttackers exploit these legacy scopes to enumerate directory data, meaning they can systematically retrieve and map out user accounts, groups, and other directory objects within the organization,\u201d she said. \u201cThis reconnaissance enables attackers to identify high-value targets and plan further attacks, all without triggering alerts that would be associated with newer, more tightly controlled permissions.\u201d<\/p>\n<p>The most effective mitigation strategy for this kind of attack is a combination of robust monitoring, strengthened consent governance and real-time user protection, Litan noted. \u201cBy addressing these foundational issues \u2014 specifically, by limiting the use of legacy OAuth scopes, tightening consent processes for all applications, and deploying browser-based security \u2014 enterprises can substantially reduce the risk of unauthorized access resulting from OAuth consent abuse and enhance their overall identity security posture.\u201d<\/p>\n<p>Push Security notes that the attack can succeed because targeting a first-party app like Azure CLI means that many of the mitigating controls available for third-party app integrations don\u2019t apply. Because no login is required, phishing-resistant authentication controls like passkeys have no impact on this attack, the researchers add. And the use of advanced detection evasion techniques makes this attack difficult to investigate, meaning these attacks are going undetected.<\/p>\n<p>One of the problems is that most security awareness training isn\u2019t doing enough to lower the odds of employees falling for phishing scams, said Kayser.<\/p>\n<p>He cited a study of phishing messages sent to employees at a California hospital over a period of eight months. Those who had taken a cybersecurity awareness course were just as likely to have fallen for a phishing message as those who hadn\u2019t, he said.<\/p>\n<p>Training often fails because instructors talk too much in technical terms, he said. Instead, they should explain attacks, how they work and how to recognize them.<\/p>\n<p>\u201cIf you can explain to people what\u2019s going on, that sticks,\u201d he maintained.<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>A new variation of the ClickFix scam tries to get around phishing defenses by capturing an employee\u2019s OAuth authentication token for Microsoft logins. Researchers at Push Security this week outlined the tactic, which they call ConsentFix, in a blog, calling it \u201ca dangerous evolution of ClickFix and consent phishing that is incredibly hard for traditional [&hellip;]<\/p>\n","protected":false},"author":0,"featured_media":6185,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-6184","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-education"],"_links":{"self":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/6184"}],"collection":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=6184"}],"version-history":[{"count":0,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/6184\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/media\/6185"}],"wp:attachment":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=
%2Fwp%2Fv2%2Fmedia&parent=6184"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=6184"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=6184"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}