Attackers are using a novel pair of techniques—dubbed ConsentFix and ClickFix—to compromise Microsoft 365 accounts in as little as three seconds. These methods bypass multi-factor authentication (MFA) entirely by tricking users into approving malicious OAuth applications or clicking deceptive prompts that steal session tokens.

Unlike traditional credential harvesting, ConsentFix and ClickFix exploit the trust users place in consent dialogs and permission requests. The attacks do not require the victim to enter a password, making them invisible to most security tools that only monitor for credential theft. Because the tokens are obtained directly through legitimate OAuth flows, they appear normal to authentication systems.

The technical vector involves presenting a fake but convincing Microsoft consent screen. When the user approves, the attacker receives a valid token that grants persistent access to email, files, and other cloud data. Once obtained, the token can be replayed from any device without triggering MFA prompts. Indicators of compromise include unexpected OAuth application consent grants and sign-ins from unfamiliar IP addresses shortly after the user interacts with the prompt.

Mitigation requires organizations to adopt Conditional Access policies that restrict OAuth app consent to admin-approved applications only. Microsoft recommends enabling token protection policies and monitoring for anomalous consent grants. However, no universal patch exists, as the vulnerability is inherent to OAuth design rather than a software flaw.
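One way to turn the indicators above (an unexpected consent grant followed within seconds by a sign-in from an unfamiliar IP) and the monitoring recommendation into detection logic, as an added example that is not part of the original article. The flat event schema, the admin-approved app allowlist and the per-user IP baseline are assumptions, and the sample events are constructed.

```python
from datetime import datetime, timedelta

# Constructed sample audit/sign-in events (not real telemetry). Alice consents to
# an unrecognised app and a sign-in through that app follows two seconds later
# from an IP she has never used; Bob consents to an admin-approved app and
# signs in from his usual IP.
SAMPLE_EVENTS = [
    {"time": "2024-05-01T09:00:00", "user": "alice@example.com",
     "type": "consent_grant", "app_id": "app-unknown-001", "ip": "203.0.113.10"},
    {"time": "2024-05-01T09:00:02", "user": "alice@example.com",
     "type": "sign_in", "app_id": "app-unknown-001", "ip": "198.51.100.7"},
    {"time": "2024-05-01T10:00:00", "user": "bob@example.com",
     "type": "consent_grant", "app_id": "app-approved-123", "ip": "203.0.113.20"},
    {"time": "2024-05-01T10:05:00", "user": "bob@example.com",
     "type": "sign_in", "app_id": "app-approved-123", "ip": "203.0.113.20"},
]

# Hypothetical allowlist and per-user IP baseline; in a real tenant these come
# from the admin-consent policy and historical sign-in data.
APPROVED_APPS = {"app-approved-123"}
KNOWN_IPS = {"alice@example.com": {"203.0.113.10"},
             "bob@example.com": {"203.0.113.20"}}


def find_suspicious_consents(events, approved_apps, known_ips,
                             window=timedelta(minutes=10)):
    """Flag consent grants to apps outside the allowlist. Severity is raised to
    'high' when the same user signs in through that app from an unfamiliar IP
    within `window` of the grant, the token-replay pattern described above."""
    alerts = []
    sign_ins = [e for e in events if e["type"] == "sign_in"]
    for grant in events:
        if grant["type"] != "consent_grant" or grant["app_id"] in approved_apps:
            continue
        alert = {"user": grant["user"], "app_id": grant["app_id"],
                 "severity": "medium", "seconds_to_signin": None}
        t0 = datetime.fromisoformat(grant["time"])
        for s in sign_ins:
            delta = datetime.fromisoformat(s["time"]) - t0
            if (s["user"] == grant["user"] and s["app_id"] == grant["app_id"]
                    and timedelta(0) <= delta <= window
                    and s["ip"] not in known_ips.get(s["user"], set())):
                alert["severity"] = "high"
                alert["seconds_to_signin"] = int(delta.total_seconds())
                alert["source_ip"] = s["ip"]
                break
        alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for a in find_suspicious_consents(SAMPLE_EVENTS, APPROVED_APPS, KNOWN_IPS):
        print(a)
```

A grant to a non-allowlisted app with no follow-up sign-in still surfaces at medium severity, so the consent itself is reviewed even before any token replay occurs.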

The attacks are particularly insidious because they exploit user behavior rather than technical vulnerabilities. While the specific threat actor behind these campaigns remains unclear, the techniques reflect a broader trend of attackers targeting trust layers in identity systems rather than breaking encryption or stealing passwords.