ConsentFix
ConsentFix is a ClickFix variant that does NOT execute malware. Instead, it tricks victims into copying a localhost URL containing an OAuth authorization token and pasting it into a phishing page. The attacker uses the captured token to log into Azure CLI, gaining access to Microsoft 365, Azure resources, and corporate data. This is pure credential theft via copy-paste social engineering with no executable payload. Reported by Push Security in late 2025.
To complete the verification, please copy the URL from your browser's address bar and paste it in the box below.
Copy the URL from your browser's address bar
Paste it in the verification box below
Click Verify
Mitigations:
Educate users to never copy/paste browser URLs into third-party pages
Monitor for OAuth authorization code reuse from unexpected IPs
Implement Conditional Access policies requiring compliant devices
Monitor Azure AD sign-in logs for Azure CLI logins from unusual locations
Restrict OAuth consent to admin-approved applications
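As an added example (not from Push Security or the original page), the sketch below applies the sign-in log mitigations above: it flags successful Azure CLI sign-ins that deviate from the user's own history. The records are constructed samples that use Microsoft Graph signIn field names; the helper rec(), the placeholder OTHER_APP_ID and the two-reason threshold are assumptions made for illustration.

```python
from collections import defaultdict

AZURE_CLI_APP_ID = "04b07795-8ddb-461a-bbee-02f9e1bf7b46"  # Microsoft Azure CLI client ID
OTHER_APP_ID = "00000000-0000-0000-0000-000000000001"      # constructed placeholder app

def rec(ts, user, app, ip, country, compliant, error=0):
    """Build a constructed record using Microsoft Graph signIn field names."""
    return {"createdDateTime": ts, "userPrincipalName": user, "appId": app,
            "ipAddress": ip, "location": {"countryOrRegion": country},
            "deviceDetail": {"isCompliant": compliant}, "status": {"errorCode": error}}

# Constructed sample data: users, IPs and timestamps are made up.
SIGN_INS = [
    rec("2025-01-06T08:01:00Z", "alice@example.com", OTHER_APP_ID, "198.51.100.10", "US", True),
    rec("2025-01-06T08:05:00Z", "bob@example.com", OTHER_APP_ID, "192.0.2.20", "DE", True),
    rec("2025-01-06T09:00:00Z", "bob@example.com", AZURE_CLI_APP_ID, "192.0.2.20", "DE", True),
    rec("2025-01-06T09:30:00Z", "bob@example.com", AZURE_CLI_APP_ID, "203.0.113.7", "BR", False, 50126),
    rec("2025-01-06T10:15:00Z", "alice@example.com", AZURE_CLI_APP_ID, "203.0.113.50", "NL", False),
]

def flag_azure_cli_sign_ins(records, min_reasons=2):
    """Return successful Azure CLI sign-ins that deviate from the user's own history."""
    countries = defaultdict(set)  # user -> countries of earlier successful sign-ins
    cli_users = set()             # users who have used Azure CLI before
    findings = []
    for r in sorted(records, key=lambda r: r["createdDateTime"]):
        if r["status"]["errorCode"] != 0:
            continue  # failed sign-ins yield no token and do not build a baseline
        user, country = r["userPrincipalName"], r["location"]["countryOrRegion"]
        if r["appId"] == AZURE_CLI_APP_ID:
            reasons = []
            if user not in cli_users:
                reasons.append("first Azure CLI sign-in for user")
            if country not in countries[user]:
                reasons.append("country not seen for user: " + country)
            if not r["deviceDetail"].get("isCompliant"):
                reasons.append("device not compliant")
            if len(reasons) >= min_reasons:
                findings.append({"user": user, "ip": r["ipAddress"],
                                 "time": r["createdDateTime"], "reasons": reasons})
            cli_users.add(user)
        countries[user].add(country)
    return findings

if __name__ == "__main__":
    for f in flag_azure_cli_sign_ins(SIGN_INS):
        print(f["time"], f["user"], f["ip"], "; ".join(f["reasons"]))
```

Requiring two independent reasons keeps a developer's first Azure CLI sign-in from a known country and compliant device out of the findings; lowering min_reasons to 1 surfaces it for review.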