On December 11, 2025, Push Security published research detailing a newly observed browser-based phishing technique called ConsentFix. The name ConsentFix is derived from its similarity to the previously documented ClickFix technique, which uses fake CAPTCHA pages.
ConsentFix enables threat actors to gain cloud account access without capturing passwords, multifactor authentication (MFA) codes, or other credentials by abusing legitimate OAuth authentication and consent flows. The attack socially engineers users into copying and pasting a valid sign-in URL, allowing identity compromise to occur entirely within the browser session using trusted authentication infrastructure.
ConsentFix captures OAuth authorization codes and cloud access tokens directly through this interaction, enabling full account access without credential exposure. By turning OAuth consent flows into a token-harvesting mechanism, it presents a significant risk of identity compromise for organizations that rely heavily on cloud services.
Attack Flow
The victim is directed to a phishing page that presents a Cloudflare-style verification prompt and requires the user to enter their email address. The page only proceeds if the entered email matches a specifically targeted address and domain; if it does not, the content fails to load and the attack chain ends.
Once a valid email is accepted, the victim clicks a “Sign In” button, which opens a new browser tab pointing to a legitimate Microsoft sign-in URL associated with that email address.
If the victim is already authenticated to Microsoft in their browser, they select their account; otherwise, they log in normally on the legitimate Microsoft login page.
After successful authentication, Microsoft redirects the browser to a localhost URL containing an OAuth authorization code tied to the victim’s account.
The phishing page then instructs the victim to copy and paste this URL back into the original page, allowing the threat actor to capture the authorization code and exchange it for cloud access tokens, completing the compromise.
Recommendations
Avoid Pasting URLs Into Untrusted Sites
Arctic Wolf strongly recommends never pasting authentication URLs, codes, or links from legitimate services into websites that are not fully trusted. This practice is a central tactic in phishing campaigns such as ConsentFix, where threat actors rely on users transferring OAuth URLs to gain account access. Users should always verify the legitimacy of a site before interacting with any unexpected prompts or instructions.
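The attack flow above turns on one user action: pasting a loopback redirect URL that carries an OAuth authorization code into a third-party page. The following is an added example, not code from Arctic Wolf or Push Security, of the check a browser extension or clipboard DLP hook could run before a paste lands in a web form: it recognizes a URL of that shape, blocks the paste, and produces a redacted copy that is safe to log for the SOC. The sample URLs and the code and token values in them are constructed placeholders.

```python
"""Paste guard for OAuth authorization-code redirect URLs (added example).

Models the decision a clipboard or browser-extension hook would make before
a user pastes text into a web page: if the text is a redirect URL that carries
an OAuth code or token, especially one pointing at a loopback host, refuse the
paste and explain why. Sample inputs are constructed; nothing here is an
attacker-side step.
"""
from dataclasses import dataclass
from urllib.parse import parse_qs, urlencode, urlparse, urlunparse

# Hosts an authorization server may redirect to for native/public clients.
LOOPBACK_HOSTS = {"localhost", "127.0.0.1", "::1"}
# Query/fragment keys whose values are one-time or bearer secrets.
SECRET_PARAMS = {"code", "id_token", "access_token"}


@dataclass
class PasteVerdict:
    block: bool
    reason: str
    redacted: str  # URL with secret values scrubbed, safe to write to a log


def _redact(parts, query, fragment):
    """Rebuild the URL with every secret parameter value replaced."""
    def scrub(params):
        return urlencode(
            {k: ("REDACTED" if k in SECRET_PARAMS else v) for k, v in params.items()},
            doseq=True,
        )
    return urlunparse(parts._replace(query=scrub(query), fragment=scrub(fragment)))


def classify_redirect(text: str) -> PasteVerdict:
    """Decide whether pasting `text` would hand an OAuth secret to the page."""
    try:
        parts = urlparse(text.strip())
    except ValueError:
        return PasteVerdict(False, "not a URL", text)
    if parts.scheme not in ("http", "https"):
        return PasteVerdict(False, "not a web URL", text)

    query = parse_qs(parts.query, keep_blank_values=True)
    # Implicit-flow tokens travel in the fragment rather than the query.
    fragment = parse_qs(parts.fragment, keep_blank_values=True)
    secrets = (SECRET_PARAMS & query.keys()) | (SECRET_PARAMS & fragment.keys())
    if not secrets:
        return PasteVerdict(False, "no OAuth code or token in URL", text)

    redacted = _redact(parts, query, fragment)
    found = ", ".join(sorted(secrets))
    host = (parts.hostname or "").lower()
    if host in LOOPBACK_HOSTS:
        # This is the exact shape ConsentFix asks the victim to copy: the
        # authorization server redirected to loopback, so the code was only
        # ever meant for a client on the user's own machine.
        return PasteVerdict(
            True,
            f"OAuth redirect to loopback host carrying {found}; pasting it "
            "lets the receiving page redeem the code for the account's tokens",
            redacted,
        )
    return PasteVerdict(
        True,
        f"URL carries OAuth {found}; it must never be pasted into another site",
        redacted,
    )


def guard_paste(clipboard_text: str) -> PasteVerdict:
    """Entry point a paste hook would call; returns the verdict to act on."""
    return classify_redirect(clipboard_text)


if __name__ == "__main__":
    # Constructed samples: the loopback redirect from the attack flow, a
    # benign page URL, and an implicit-flow fragment.
    for sample in (
        "http://localhost/?code=PLACEHOLDER_AUTH_CODE&state=abc123",
        "https://contoso.example/portal?tab=2",
        "https://app.example/cb#access_token=PLACEHOLDER_TOKEN&token_type=bearer",
    ):
        v = guard_paste(sample)
        print(("BLOCK " if v.block else "allow ") + v.redacted + "  (" + v.reason + ")")
```

The guard deliberately keys on the presence of `code`, `id_token`, or `access_token` rather than on any particular identity provider, since the same copy-and-paste lure works against any OAuth server that permits loopback redirect URIs for public clients. The redacted form keeps `state` and the host so an analyst can still tie the blocked paste to a sign-in event without the log itself becoming a token leak.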
Install Arctic Wolf Agent & Sysmon
Arctic Wolf Agent and Sysmon provide visibility into network and endpoint events to help identify unusual or potentially suspicious activity.
For instructions on how to install Arctic Wolf Agent, see the install guides below:
Sysmon Installation on Windows
If you have a supported EDR solution deployed in your environment, please configure it for monitoring with Arctic Wolf.
Endpoint Detection and Response Integrations
Note: Arctic Wolf recommends following change management best practices for deploying Agent and Sysmon, including testing changes in a testing environment before deploying to production.
Implement Comprehensive Security Awareness Training
Arctic Wolf strongly recommends implementing comprehensive security awareness training campaigns. These initiatives are designed to equip users with the skills needed to quickly identify and report suspicious activities. Users should be trained to treat unexpected emails or messages prompting sign-in actions with caution, especially when they lead to workflows that request copying and pasting URLs or authentication links into a webpage, even if the sign-in page itself appears legitimate.