
ConsentFix represents the next evolutionary step in OAuth-based attacks, specifically targeting Microsoft users by abusing legitimate authentication and authorization flows. Rather than stealing credentials or bypassing multi-factor authentication (MFA), ConsentFix exploits trust, leveraging standard OAuth mechanics to obtain authorization codes and access tokens that effectively hand attackers the keys to Microsoft Entra ID.
ConsentFix can be understood as a direct evolution of earlier ClickFix attacks. Where ClickFix relied on user interaction quirks to extract sensitive values, ConsentFix modernizes the approach by aligning the attack flow entirely with legitimate OAuth behavior. Security researcher John Hammond recently demonstrated an improved variant of this technique. In his demonstration, the attack no longer required users to copy and paste an authorization code. Instead, users could simply drag and drop the code, removing friction and increasing success rates.
Traditional phishing aims to steal usernames and passwords. ConsentFix, by contrast, bypasses credentials entirely. Adversaries exploit trusted authentication flows to obtain access tokens directly. This is commonly achieved through phishing campaigns delivered via email, messaging platforms, or social media. There have also been cases where delivery took place directly through advertising links in search results. Victims are tricked into interacting with malicious OAuth applications or into completing a Device Code Flow that the attacker has already initiated. At no point does the attacker need the victim’s password. MFA does not fail - it succeeds. The problem is that it succeeds on behalf of the attacker.
In OAuth consent abuse, victims are lured into approving rogue applications that request excessive, misleading, or intentionally vague permissions. Once consent is granted, the application receives an access token scoped to those permissions. The flow typically looks like this:
With that token in hand, the attacker can obtain further access tokens and make authenticated API calls, often against Microsoft Graph, without further user interaction, credentials, or MFA challenges. This access persists until the token expires or consent is revoked.
Although subtle, ConsentFix does leave detectable traces in logs:
These indicators often appear benign in isolation but become meaningful when correlated.
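To show what "meaningful when correlated" looks like in practice, here is an added example (not code from the post or from revel8) that scores the indicators named above and in the FAQ below for each user/application pair: consent to a newly registered app, broad or persistent permissions, a Device Code Flow sign-in, token use from a location outside the user's baseline, and non-interactive API activity from an IP that never appears in an interactive sign-in. The record layout is a constructed simplification of Entra ID audit and sign-in logs, not the real Graph schema, and all sample entries, names and addresses are made up.

```python
"""Correlate ConsentFix indicators across constructed Entra ID-style log records.

Added example. The record fields below are a simplified, assumed layout; the
sample data is constructed for illustration only.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Delegated scopes that give broad data access or persistence (offline_access
# yields a refresh token, so access outlives the first access token).
SENSITIVE_SCOPES = {
    "Mail.Read", "Mail.ReadWrite", "Files.Read.All", "Files.ReadWrite.All",
    "Directory.Read.All", "offline_access",
}

# Constructed audit events: an app is registered and consented to within a minute.
AUDIT_LOGS = [
    {"time": "2024-05-01T09:00:00Z", "activity": "Consent to application",
     "app_id": "app-111", "user": "alice@example.com",
     "scopes": ["Mail.ReadWrite", "Files.ReadWrite.All", "offline_access"]},
    {"time": "2024-05-01T09:01:00Z", "activity": "Add service principal",
     "app_id": "app-111", "user": "alice@example.com", "scopes": []},
]

# Constructed sign-in events: a device-code sign-in, then non-interactive token
# use from a different country and IP; bob is an ordinary interactive sign-in.
SIGNIN_LOGS = [
    {"time": "2024-05-01T08:58:00Z", "user": "alice@example.com", "app_id": "app-111",
     "ip": "203.0.113.10", "country": "DE", "interactive": True, "protocol": "deviceCode"},
    {"time": "2024-05-01T09:30:00Z", "user": "alice@example.com", "app_id": "app-111",
     "ip": "198.51.100.7", "country": "NL", "interactive": False, "protocol": "none"},
    {"time": "2024-05-01T08:00:00Z", "user": "bob@example.com", "app_id": "app-222",
     "ip": "203.0.113.10", "country": "DE", "interactive": True, "protocol": "none"},
]


def parse_ts(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def correlate(audit_logs, signin_logs, window=timedelta(hours=24)):
    """Return {(user, app_id): [indicator, ...]} for every pair with at least one hit."""
    findings = defaultdict(set)

    # When was each service principal created? Consent shortly after creation
    # is the "newly registered app with broad permissions" pattern.
    sp_created = {e["app_id"]: parse_ts(e["time"])
                  for e in audit_logs if e["activity"] == "Add service principal"}
    for e in audit_logs:
        if e["activity"] != "Consent to application":
            continue
        key = (e["user"], e["app_id"])
        created = sp_created.get(e["app_id"])
        if created is not None and abs(parse_ts(e["time"]) - created) <= window:
            findings[key].add("consent_to_newly_registered_app")
        if SENSITIVE_SCOPES & set(e["scopes"]):
            findings[key].add("broad_or_persistent_permissions")

    # Per-user baseline built only from interactive sign-ins.
    baseline_ips, baseline_countries = defaultdict(set), defaultdict(set)
    for s in signin_logs:
        if s["interactive"]:
            baseline_ips[s["user"]].add(s["ip"])
            baseline_countries[s["user"]].add(s["country"])

    for s in signin_logs:
        key = (s["user"], s["app_id"])
        if s["protocol"] == "deviceCode":
            findings[key].add("device_code_flow")
        if not s["interactive"]:
            if s["country"] not in baseline_countries[s["user"]]:
                findings[key].add("token_use_from_unusual_location")
            if s["ip"] not in baseline_ips[s["user"]]:
                findings[key].add("api_activity_without_matching_interactive_signin")

    return {k: sorted(v) for k, v in findings.items()}


def suspicious(findings, min_indicators=3):
    """Keep only pairs where enough weak signals line up to warrant triage."""
    return {k: v for k, v in findings.items() if len(v) >= min_indicators}


if __name__ == "__main__":
    for (user, app), hits in suspicious(correlate(AUDIT_LOGS, SIGNIN_LOGS)).items():
        print(f"{user} / {app}: {', '.join(hits)}")
```

Each indicator on its own is something a help desk sees daily; the threshold in `suspicious` is deliberately a count rather than any single rule, which is the point the post makes about correlation. In a real deployment the baseline would come from weeks of interactive sign-ins, not from the same batch being scored.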
Reducing the risk of ConsentFix-style attacks requires a shift in defensive priorities. Because these attacks succeed through legitimate user authorization, the most effective control is not technical enforcement alone, but educated human decision-making, reinforced by layered safeguards. Training should emphasize:
Most importantly, treat OAuth tokens as high-value assets. An access token is not “less dangerous” than a password; it is often even more powerful. Technical controls should reduce exposure and limit the impact of mistakes:
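As an added example (not code from the post or from revel8) of what "reduce exposure" can look like in Entra ID, the script below audits two constructed tenant snapshots, one with the weak defaults and one hardened, against the controls the FAQ at the end recommends: admin approval for new apps, user consent restricted to verified publishers and low-risk permissions, and a regular review of existing third-party grants. The field and policy names follow the Microsoft Graph `authorizationPolicy`, `adminConsentRequestPolicy` and `oauth2PermissionGrant` resources as I understand them and should be treated as assumptions to verify against current documentation; the tenant documents and grants are constructed, not pulled from a live tenant.

```python
"""Audit user-consent settings and existing grants for ConsentFix exposure.

Added example. Policy identifiers and field names are assumed to match the
Microsoft Graph authorizationPolicy / adminConsentRequestPolicy /
oauth2PermissionGrant resources; confirm them before relying on this.
The tenant snapshots and grants below are constructed sample data.
"""

# Built-in permission grant policies (assumed identifiers).
LEGACY_ALLOW_ALL = "ManagePermissionGrantsForSelf.microsoft-user-default-legacy"
VERIFIED_LOW_RISK = "ManagePermissionGrantsForSelf.microsoft-user-default-low"

# Delegated scopes that should never sit on an unreviewed third-party app.
SENSITIVE_SCOPES = {
    "Mail.Read", "Mail.ReadWrite", "Files.Read.All", "Files.ReadWrite.All",
    "Directory.Read.All", "offline_access",
}

# Weak snapshot: any user may consent to any app and register apps; no admin workflow.
WEAK_TENANT = {
    "authorizationPolicy": {"defaultUserRolePermissions": {
        "permissionGrantPoliciesAssigned": [LEGACY_ALLOW_ALL],
        "allowedToCreateApps": True}},
    "adminConsentRequestPolicy": {"isEnabled": False},
}

# Hardened snapshot: consent only to verified publishers for low-risk scopes,
# app registration reserved for admins, admin consent workflow enabled.
HARDENED_TENANT = {
    "authorizationPolicy": {"defaultUserRolePermissions": {
        "permissionGrantPoliciesAssigned": [VERIFIED_LOW_RISK],
        "allowedToCreateApps": False}},
    "adminConsentRequestPolicy": {"isEnabled": True},
}


def audit_consent_settings(tenant):
    """Return a list of weaknesses found in the tenant snapshot (empty = OK)."""
    findings = []
    perms = tenant["authorizationPolicy"]["defaultUserRolePermissions"]
    assigned = perms.get("permissionGrantPoliciesAssigned", [])
    if LEGACY_ALLOW_ALL in assigned:
        findings.append("users may consent to any app for any delegated permission")
    elif assigned and VERIFIED_LOW_RISK not in assigned:
        findings.append(f"custom consent policy assigned, review manually: {assigned}")
    # An empty list means user consent is disabled entirely, which is also acceptable.
    if perms.get("allowedToCreateApps", True):
        findings.append("non-admin users may register applications")
    if not tenant.get("adminConsentRequestPolicy", {}).get("isEnabled", False):
        findings.append("admin consent workflow disabled: blocked consents have no escalation path")
    return findings


def risky_grants(grants):
    """Flag oauth2PermissionGrant records whose scope string contains sensitive scopes.

    Each grant carries a space-separated 'scope' string and a 'consentType' of
    'AllPrincipals' (admin consent, tenant-wide) or 'Principal' (one user).
    """
    out = []
    for g in grants:
        hit = set(g["scope"].split()) & SENSITIVE_SCOPES
        if hit:
            out.append((g["clientId"], g["consentType"], sorted(hit)))
    return out


# Constructed grants: one user-consented app with mailbox + refresh-token access.
SAMPLE_GRANTS = [
    {"clientId": "sp-docs-viewer", "consentType": "Principal",
     "principalId": "user-alice", "scope": "Mail.ReadWrite offline_access User.Read"},
    {"clientId": "sp-hr-portal", "consentType": "AllPrincipals",
     "principalId": None, "scope": "User.Read openid profile"},
]

if __name__ == "__main__":
    for name, tenant in (("weak", WEAK_TENANT), ("hardened", HARDENED_TENANT)):
        print(name, audit_consent_settings(tenant) or ["no findings"])
    for client, ctype, scopes in risky_grants(SAMPLE_GRANTS):
        print(f"review grant on {client} ({ctype}): {', '.join(scopes)}")
```

The two snapshot functions are the audit; the remediation is the settings shown in `HARDENED_TENANT`. Note that moving users to the verified-publisher, low-risk policy without enabling the admin consent workflow leaves employees with a dead end when a legitimate app is blocked, which is exactly when they start looking for workarounds.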
ConsentFix highlights a fundamental shift in adversary tradecraft. Attackers are no longer breaking authentication; they are abusing authorization. By operating entirely within legitimate Microsoft Entra ID flows, they achieve stealth, persistence, and scale that traditional phishing struggles to match. Defending against this class of attack requires visibility into OAuth activity, discipline around consent, and a clear understanding that “legitimate” does not always mean “safe.”
Technical controls are essential, but ConsentFix proves that educated employees are your strongest defense. revel8 delivers continuous security awareness training that adapts to emerging threats like OAuth abuse, deepfakes, and advanced social engineering. Transform your workforce from the weakest link into your most powerful security layer.
ConsentFix is an OAuth-based attack that exploits Microsoft's legitimate authentication flows to gain unauthorized access. Attackers trick users into approving malicious OAuth applications or completing Device Code Flows, obtaining access tokens without ever stealing passwords. The attack succeeds because it abuses authorization rather than breaking authentication.
No. ConsentFix bypasses traditional credential theft, so MFA doesn't fail - it actually succeeds on behalf of the attacker. Since the attack operates within legitimate OAuth flows, MFA cannot prevent it. The user authenticates successfully, but unknowingly grants access to an attacker-controlled application.
Look for these warning signs in your logs: unfamiliar OAuth applications requesting consent, newly registered apps with broad permissions, Device Code Flow authentications from unexpected sources, access tokens used from unusual IP addresses or locations, and API activity without corresponding interactive sign-ins. These indicators become meaningful when correlated together.
Traditional phishing steals usernames and passwords. ConsentFix doesn't need credentials at all; it exploits trust in OAuth flows to obtain access tokens directly. This makes it stealthier and more persistent, as attackers gain legitimate-looking access that bypasses most security controls designed to detect credential theft.
Prevention requires both technical controls and user training. Implement admin approval requirements for new OAuth apps, restrict user consent to verified applications, monitor OAuth activity closely, and regularly audit third-party permissions. Most importantly, train employees to treat consent prompts with the same caution as password requests and to escalate any unexpected authorization requests.