Could Your Next Quick Click Hand Over Your Microsoft 365 Session in 3 Seconds? (OAuth Token Theft Explained)

July 4, 2026
by
Arjun Bhatnagar
deleteme

You know that feeling when you’re trying to open a file share fast—Dropbox, DocSend, maybe a “password-protected” page—so you click through without thinking? That autopilot is the whole point. New scams like ClickFix and ConsentFix are built to look like routine friction: a CAPTCHA, a “verification” hotkey sequence, a weird little step to “finish sign-in.” The punchline is brutal: attackers don’t need your password. They want your Microsoft 365 session tokens—and ConsentFix is designed to steal them through what looks like a legitimate OAuth sign-in/consent flow.

What’s actually being stolen: OAuth tokens (not your password)

That’s why ClickFix and ConsentFix feel so unfair. You can do everything “right” in your head—use MFA, avoid typing your password into random forms—and still lose the account.

Because the prize isn’t your password. It’s your Microsoft 365 session tokens.

OAuth tokens, in plain English: the wristband, not the ID check

When you sign into Microsoft 365, Microsoft Entra ID (Azure AD) runs an OAuth consent/sign-in flow. If you pass the checks (password + MFA), Microsoft issues tokens to your browser/app that say, “This user already proved who they are.”

A clean way to think about it:

  • Password + MFA = getting checked at the entrance
  • OAuth access token / session token = the wristband that lets you walk back in all day
  • Token theft = someone steals the wristband, not your wallet

Once an attacker has the token, they can often replay it to get access to the same Microsoft 365 services you already had open—Outlook, OneDrive, SharePoint—without re-entering credentials. That’s why reports keep calling this session hijacking and MFA bypass.

Why “I have MFA on” doesn’t save you from session hijacking

MFA is great at stopping someone who only has a password. It’s weaker against someone who already has a valid session token.

ConsentFix targets exactly that weak spot by shifting the attack surface to the place users trust most: the familiar Microsoft 365 OAuth prompts people click through every day.  The victim isn’t “logging into a fake page” in the classic sense. They’re finishing what looks like a legit authentication flow—then the session itself is what gets stolen.

What token theft looks like in real life (from the victim’s seat)

No dramatic “your password was wrong” moment. It’s quieter:

  1. You click a link to view a doc.
  2. You complete a normal-looking Microsoft sign-in/consent step.
  3. Minutes later, someone else is inside your Microsoft 365—reading mail, pulling files, sending replies that look like you.

That’s the shift. Traditional phishing tries to steal what you know (passwords). These campaigns go after what you already earned—a valid Microsoft 365 session.

ConsentFix + ClickFix: how “normal behavior” turns into compromise

Token theft sounds advanced. The setup isn’t. The whole trick is getting you to do something you’ve done a hundred times—just in the wrong place.

ConsentFix and ClickFix pull this off in two different ways. One targets your identity session. The other targets your device.

ClickFix: “Press these keys to verify” (you run the command)

ClickFix doesn’t break in. It convinces you to open the door.

Victims see a fake prompt that looks like routine website friction (think verification steps), then it tells them to press a sequence of keyboard shortcuts. Those hotkeys paste and execute attacker-supplied commands on the victim’s own machine .

Common traits of the ClickFix pattern:

  • Hotkey instructions that feel like “IT-ish” troubleshooting
  • The user is pushed to move fast (“quick verification” vibes)
  • The end result is command execution without any exploit needed

If you’re picturing PowerShell getting launched in the background, you’re thinking in the right direction. The user did the execution for them.

ConsentFix: “Finish sign-in” (you hand over the session)

ConsentFix is quieter, and that’s what makes it nasty.

Attackers place the victim into what looks like a standard Microsoft 365 sign-in experience and ride the trust people already have in Microsoft’s OAuth consent flow . Then comes the weird step: the page asks the user to complete the process by dragging a localhost callback link into the browser .

That drag-and-drop is the trap. It’s not “finishing login.” It’s the moment the user unknowingly surrenders OAuth tokens .

The telltale red flag

Any sign-in flow that asks you to:

  • drag a link,
  • interact with localhost,
  • or do anything outside normal Microsoft prompts

…should be treated as hostile until proven otherwise.

Why the lure feels safe: trusted delivery, extra “legitimacy” layers

A lot of these campaigns aren’t sent as a sketchy attachment from a random domain. They’re often delivered through trusted platforms like Dropbox or DocSend, and sometimes the shared content is even password-protected, which can also make it harder for security tooling to inspect .

That’s the psychology:

  • “It’s a DocSend, it must be fine.”
  • “It has a password, it must be legit.”
  • “It’s Microsoft’s sign-in screen, what could go wrong?”

ClickFix turns that trust into code execution. ConsentFix turns it into Microsoft 365 OAuth token theft—fast.

Why your usual “phishing instincts” fail here (and why this is spreading fast)

Once you’ve seen a few classic phishing emails, you build a mental filter: bad grammar, weird domains, “urgent” subject lines, attachments you didn’t ask for.

ClickFix and ConsentFix slide right past that filter because they don’t feel like phishing. They feel like internet chores.

The psychological edge: attackers hide inside your autopilot

Most people don’t get tricked by a blatant “enter your password here” page anymore. They get tricked by steps that look like normal friction:

  • “Prove you’re human” CAPTCHAs
  • Cookie popups you accept without reading
  • “Press this to continue” prompts that look like basic troubleshooting
  • “Finish sign-in” steps that look like standard Microsoft login flow

Attackers aren’t fighting your security awareness training. They’re using your muscle memory.

Another reason your instincts fail: the victim often isn’t “making a risky choice” in their mind. They’re following instructions that look like routine admin steps, and the bad outcome shows up later as “weird inbox activity,” not an immediate error message.

Why this is spreading fast in 2026: the ConsentFix playbook got published

A big shift happened in early March 2026: a detailed ConsentFix walkthrough was posted on a public Russian cybercrime forum, including working code, infrastructure screenshots, and a video tutorial showing how to build and deploy the attack.

That matters because it slashes the skill barrier. You no longer need a highly technical crew to pull off Microsoft 365 OAuth token theft at scale—you need the patience to follow a guide.

Targeting got easier too: pretexting with LinkedIn

That same forum post also described how attackers profile targets before sending anything, using LinkedIn and similar sources to map orgs and tailor lures to real people.

So the message you get isn’t random. It’s “close enough” to your job to trigger autopilot.

And that’s why these campaigns keep landing: they don’t ask you to ignore red flags. They ask you to do what you already do—fast.

Tactical defenses that actually help (identity controls + endpoint + user cues)

If these attacks win by looking routine, your defenses have to assume someone will click. The goal is to limit what a stolen OAuth token can do, and catch the compromise fast using identity + endpoint signals.

Identity controls: tighten the OAuth consent blast radius

ConsentFix abuses the fact that users are trained to breeze through Microsoft 365 sign-in/consent prompts . So treat OAuth as a real control plane, not “just login UX.”

Do this in Microsoft Entra ID:

  • Lock down user consent

Reduce or disable end-user consent to apps where it fits your org, and move requests into an admin consent workflow so random prompts don’t become “normal.”

  • Audit app permissions (OAuth scopes)

Review which apps have access to Exchange/Graph-type permissions and remove anything you don’t recognize or don’t need.

  • Watch for “new session” signals, not just failed logins

Token replay-style takeovers often show up as new session logins from unexpected locations . Make those alerts loud.

  • Treat unexpected consent prompts as an incident

If a user reports “Microsoft asked me to approve something weird,” don’t route it to training. Triage it like a compromise attempt.

Endpoint detection: hunt for the ClickFix footprint

ClickFix’s advantage is that it gets the user to execute the payload themselves. That leaves endpoint traces you can actually hunt.

Build detections for:

  • Unusual PowerShell activity tied to normal user behavior (browser, Office apps, Explorer)
  • PowerShell launched with suspicious command lines (encoded commands, download cradles, hidden windows)
  • Parent/child process chains that don’t make sense for how your org normally works

User cues that work: train for specific tells

Generic “don’t click links” training won’t keep up. Give people simple tripwires:

  • Any site instructing hotkeys to “verify” or “fix” something is a stop sign
  • Any sign-in flow asking you to interact with localhost (or drag a link) is a stop sign
  • “Finish sign-in” steps that feel extra or out-of-band: pause and report

One practical add-on that helps outside the enterprise stack: reduce how often employees hand out real identifiers in the first place. Cloaked is useful here for high-risk situations like file-share signups or one-off vendor access, because it gives you masked emails/phone numbers you can shut off if they start getting abused—without changing your real Microsoft 365 identity.

View all

2026 Data Breach Tracker: Latest Incidents and Recovery Steps

Data Breaches
by
Arjun Bhatnagar

Could Your Servers Be Next for AI Ransomware? What JadePuffer’s “AI Agent” Attack Means for You

Data Breaches
by
Abhijay Bhatnagar

Was Your Medtronic Data Exposed in This Data Breach—and What Should You Do Next?

Data Breaches
by
Abhijay Bhatnagar