Drag, Drop, Hijacked: How 'ConsentFix' Steals Microsoft 365 Sessions in Seconds
A new twist on the ClickFix trick turns Microsoft's own sign-in prompts into a session-theft machine — and a step-by-step guide is now circulating on a Russian crime forum.

Key points
- A new attack called ConsentFix hijacks Microsoft 365 accounts by tricking users into dragging a link into their browser during what looks like a normal sign-in.
- The technique steals OAuth session tokens directly, sidestepping passwords and multi-factor authentication.
- A full walkthrough — with code, screenshots and a video tutorial — was posted to a public Russian cybercrime forum by early March 2026.
- Phishing lures are being delivered through trusted file-sharing services including Dropbox and DocSend, sometimes password-protected to evade scanners.
- The parent technique, ClickFix, surged through 2025 and remains active.
The attack takes about three seconds. A user drags what looks like a harmless link into their browser to finish signing in. By the time the page settles, a criminal has the keys to their Microsoft 365 mailbox.
This is ConsentFix, first reported in detail by BleepingComputer. It is the newest evolution of a family of tricks that don't break into systems so much as gently ask the victim to open the door.
What actually happens to the victim?
The user gets a phishing email — a fake message designed to look legitimate — often delivered through a real service like Dropbox or DocSend. Sometimes the file is password-protected, which sounds reassuring but mainly stops security scanners from seeing inside.
Click through, and a Microsoft sign-in screen appears. It looks right because, structurally, it is right. It's Microsoft's own OAuth consent page. OAuth is the system that lets you approve one app to talk to another without sharing your password.
The screen asks the user to drag a small "localhost callback" link into their browser bar to finish the process. That drag is the trap.
Instead of completing a harmless step, the user hands the attacker an OAuth token — a digital pass that grants access to their mailbox and files. No password is typed. No multi-factor code is requested. The session itself is stolen.
Why does this keep working?
Because we've all been trained to click through prompts without reading them. Cookie banners, CAPTCHAs, "allow this app" screens — they blur into background noise.
The older cousin of this attack, ClickFix, exploits the same reflex. It shows a fake verification prompt telling the user to press a specific keyboard combination. Those keystrokes paste and run a command the attacker supplied, installing malware on the victim's own machine.
ClickFix surged through 2025. ConsentFix is the version that skips the malware entirely and goes straight for the cloud account.
Is this now easy for any criminal to copy?
Yes. By early March 2026, a detailed ConsentFix guide was posted on a public Russian cybercrime forum. The post included working code, screenshots of the infrastructure, and a video showing how to set the whole thing up.
The infrastructure relies on free or cheap services. The guide also explains how to profile targets first — scraping LinkedIn to identify real staff and tailor lures to specific people at specific companies.
A technique that once required real skill now ships with documentation.
What should ordinary users and IT teams do?
For everyday users: pause when a website asks you to do something unusual to "verify" yourself. Legitimate services do not ask you to drag links into your browser bar, paste text into the Windows Run box, or press odd keyboard combinations to prove you're human. If a sign-in flow feels theatrical, close the tab.
For IT teams: awareness training helps, but it isn't enough on its own, because these attacks are engineered to look routine. Watch for the traces they leave: PowerShell running from ordinary user processes, and Microsoft 365 sessions logging in from unexpected countries or new devices. Review which OAuth apps have been granted access to your tenant, and revoke anything unfamiliar.
If you think you've been caught by this, sign out of all Microsoft 365 sessions immediately, reset your password, and ask your admin to revoke active refresh tokens and check the consented applications list for your account.



