Microsoft 365 accounts fall to OAuth-based attacks that bypass multifactor authentication entirely. Security researchers uncovered two attack techniques, ConsentFix and ClickFix, that harvest authentication tokens in under three seconds.
Both attacks exploit the OAuth consent flow, a legitimate process where applications request permission to access user data. ConsentFix deploys a fake login prompt that mimics Microsoft's authentication interface. When users enter credentials, attackers capture the session tokens directly. ClickFix follows a similar pattern but uses social engineering to trick users into clicking malicious links that trigger the OAuth flow.
The attacks work because they target the token itself rather than the password. Once an attacker obtains a valid OAuth token, they gain immediate access to the target account and its calendar, email, and cloud storage. Multifactor authentication provides no protection because the token generation happens before MFA verification occurs in the attack chain.
Speed is the defining characteristic of both techniques. Attackers complete token capture and account access within seconds, leaving victims minimal time to notice or interrupt the attack. This rapid exploitation also makes detection difficult for security tools that rely on behavioral analysis or anomalous login patterns.
Organizations using Microsoft 365 face elevated risk, particularly if employees lack training on OAuth phishing tactics. Threat actors can use compromised accounts to move laterally within enterprise networks, access sensitive files, or establish persistence for follow-on attacks.
Microsoft has recommended several defensive measures. Organizations should enforce passwordless sign-in using Windows Hello or FIDO2 security keys, which eliminate token-based attacks entirely. Conditional access policies can restrict token usage based on device compliance and location. Email filtering should block suspicious OAuth consent prompts. User training on OAuth phishing remains critical, as the attacks depend on social engineering.
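The consent-link inspection that the email-filtering recommendation above implies can be made concrete. The following is an added example written for this page, not code from Microsoft or from the researchers who reported the techniques: it parses an OAuth authorize URL of the kind a mail filter or link scanner would see and rates the consent it would trigger. The client-ID allow-list, trusted redirect hosts, and sample links are constructed values; the authorize endpoint hostnames and path shape are those of the Microsoft identity platform, and the high-risk scope list is an assumption a defender would tune to their tenant.

```python
"""Rate Microsoft identity-platform OAuth consent links for phishing risk.

Added example (not part of the original article). The allow-list, trusted
redirect hosts and sample links below are constructed for illustration.
"""
from urllib.parse import urlparse, parse_qs

# Hosts on which the Microsoft identity platform serves its consent prompt.
MS_AUTHORIZE_HOSTS = {"login.microsoftonline.com", "login.microsoft.com"}

# Scopes that give an app broad or persistent access to mailbox, files or
# directory data. offline_access matters most: it yields a refresh token,
# so access survives the session the victim consented in. Assumed list.
HIGH_RISK_SCOPES = {
    "mail.read", "mail.readwrite", "mail.send",
    "files.read.all", "files.readwrite.all",
    "calendars.readwrite", "contacts.read",
    "user.read.all", "directory.read.all",
    "offline_access",
}

# Constructed tenant policy: apps users may consent to, and where they live.
APPROVED_CLIENT_IDS = {"11111111-2222-3333-4444-555555555555"}
TRUSTED_REDIRECT_HOSTS = {"app.example.com"}


def analyze_consent_link(url, approved=APPROVED_CLIENT_IDS,
                         trusted_redirects=TRUSTED_REDIRECT_HOSTS):
    """Return a dict describing whether `url` is a consent link and how risky it looks."""
    parsed = urlparse(url)
    is_authorize = (
        parsed.hostname in MS_AUTHORIZE_HOSTS
        and "/oauth2/" in parsed.path
        and parsed.path.endswith("/authorize")
    )
    if not is_authorize:
        return {"is_consent_link": False, "risk": "none", "reasons": []}

    params = parse_qs(parsed.query)          # percent-decodes values for us
    first = lambda key: params.get(key, [""])[0]
    client_id = first("client_id")
    scopes = set(first("scope").lower().split())   # space-separated scope list
    redirect_uri = first("redirect_uri")
    reasons = []

    unknown_client = client_id not in approved
    if unknown_client:
        reasons.append(f"client_id not on allow-list: {client_id or '<missing>'}")

    risky = sorted(scopes & HIGH_RISK_SCOPES)
    if risky:
        reasons.append("high-risk scopes requested: " + ", ".join(risky))

    # prompt=consent forces the consent screen even if the user consented before.
    if first("prompt") == "consent":
        reasons.append("prompt=consent forces the consent screen")

    redirect_host = urlparse(redirect_uri).hostname or ""
    if redirect_uri and redirect_host not in trusted_redirects:
        reasons.append(f"redirect_uri host not trusted: {redirect_host or redirect_uri}")

    # An unknown app asking for mailbox/file/persistent scopes is the
    # consent-phishing shape; anything else flagged gets a manual look.
    if unknown_client and risky:
        risk = "high"
    elif reasons:
        risk = "medium"
    else:
        risk = "low"
    return {"is_consent_link": True, "risk": risk, "reasons": reasons,
            "client_id": client_id, "scopes": sorted(scopes)}


# Constructed sample links, as a mail filter might extract them from a message.
SUSPICIOUS_LINK = (
    "https://login.microsoftonline.com/common/oauth2/v2.0/authorize"
    "?client_id=deadbeef-0000-0000-0000-000000000001&response_type=code"
    "&redirect_uri=https%3A%2F%2Fmail-sync.example.net%2Fcb"
    "&scope=offline_access%20Mail.Read%20Files.ReadWrite.All&prompt=consent"
)
BENIGN_LINK = (
    "https://login.microsoftonline.com/common/oauth2/v2.0/authorize"
    "?client_id=11111111-2222-3333-4444-555555555555&response_type=code"
    "&redirect_uri=https%3A%2F%2Fapp.example.com%2Fcb"
    "&scope=openid%20profile%20User.Read"
)
APPROVED_BUT_BROAD_LINK = (
    "https://login.microsoftonline.com/common/oauth2/v2.0/authorize"
    "?client_id=11111111-2222-3333-4444-555555555555&response_type=code"
    "&redirect_uri=https%3A%2F%2Fapp.example.com%2Fcb&scope=Mail.Read"
)
NOT_A_CONSENT_LINK = "https://example.com/login?next=/inbox"

if __name__ == "__main__":
    for link in (SUSPICIOUS_LINK, BENIGN_LINK, APPROVED_BUT_BROAD_LINK, NOT_A_CONSENT_LINK):
        verdict = analyze_consent_link(link)
        print(verdict["risk"], "->", link[:60])
        for reason in verdict["reasons"]:
            print("   ", reason)
```

The check deliberately keys on the combination of an unknown client ID and high-risk scopes rather than on either alone: legitimate first-party apps request Mail.Read all the time, and unknown apps asking only for openid and profile are low value to an attacker. Scope names are compared case-insensitively because the identity platform accepts them that way.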
The ConsentFix and ClickFix techniques highlight a vulnerability in OAuth workflows that affects any cloud service using OAuth authentication, not
