The Three-Second Account Takeover
Cybercriminals have developed sophisticated tactics to hijack Microsoft 365 accounts with alarming speed, often within three seconds. Two prominent attack methods, dubbed ConsentFix and ClickFix, leverage weaknesses in the OAuth authorization framework and social engineering to bypass multi-factor authentication (MFA) and gain complete control over user accounts.
These attacks target the legitimate process by which applications request permission to access user data or perform actions on their behalf within Microsoft 365. Instead of a legitimate application, attackers use malicious ones disguised with convincing prompts. When a user inadvertently grants consent to these malicious applications, the attackers can steal authentication tokens, effectively impersonating the user and accessing their sensitive data, sending emails, and even making configuration changes.
The speed of these attacks is enabled by the automation inherent in phishing-as-a-service (PhaaS) platforms. Tools like EvilTokens and its apparent affiliate ARToken provide attackers with pre-built kits designed to streamline the creation and deployment of these consent-based phishing campaigns. Researchers have gained insight into these operations, revealing the intricate methods used to compromise M365 environments.

How ConsentFix and ClickFix Work
At their core, both ConsentFix and ClickFix exploit the OAuth 2.0 authorization code grant flow. This flow is designed to allow users to grant third-party applications access to their data without sharing their credentials directly. The process typically involves a redirect to the identity provider (Microsoft, in this case), user authentication, and then a consent screen where the user approves the application's requested permissions. Upon approval, the identity provider issues an authorization code, which the application exchanges for access and refresh tokens.
Attackers using ConsentFix and ClickFix create malicious applications registered within Azure AD. These applications are crafted to request broad or sensitive permissions. The crucial step involves tricking the user into initiating this OAuth flow. This is often achieved through phishing emails or messages that contain a link. When the user clicks the link, they are redirected through a series of legitimate-looking Microsoft pages, culminating in a consent screen for the attacker's application.
The 'ConsentFix' aspect refers to the attacker's ability to fix or maintain the consent they have obtained. Once a user grants consent, the malicious application receives tokens. These tokens can be used immediately to access resources or can be used to re-authenticate the user later. The 'ClickFix' aspect highlights the immediacy of the compromise – a single click on a malicious link, followed by granting consent, can lead to account takeover.
A key differentiator in these attacks is how they handle the redirect and token exfiltration. Attackers often use techniques to make the process appear seamless. Some methods might involve intercepting the authorization code after the user grants consent, while others might leverage browser vulnerabilities or specific OAuth flow manipulations to directly steal the tokens. The goal is always the same: to obtain valid tokens that the attacker can use to impersonate the victim.
The Role of Phishing-as-a-Service (PhaaS)
Platforms like EvilTokens, and potentially its affiliate ARToken, are instrumental in lowering the barrier to entry for these sophisticated attacks. These services provide attackers with pre-configured phishing pages, email templates, and the backend infrastructure needed to manage the OAuth consent flows and exfiltrate tokens.
ARToken, in particular, has been observed by researchers as a PhaaS platform offering a comprehensive toolkit for compromising Microsoft 365. This suggests a more organized and widespread effort behind these attacks, moving beyond individual actors to a service model where malicious capabilities are rented or sold.
The EvilTokens toolkit, as exposed through ARToken, includes features for generating malicious OAuth applications, crafting convincing phishing lures, and managing the stolen tokens. This level of sophistication means that even technically less skilled individuals can launch highly effective account takeover campaigns. The service provides the 'how-to' for hijacking accounts, abstracting away the complex technical details.
The surprising detail here is not the existence of phishing kits, but their extreme specialization and efficiency in targeting the OAuth consent mechanism. These kits are not general-purpose phishing tools; they are finely tuned instruments designed to exploit a specific, legitimate authentication protocol within Microsoft 365, making them particularly insidious.
Mitigation and Defense Strategies
Defending against ConsentFix and ClickFix requires a multi-layered approach focusing on user education, technical controls, and vigilant monitoring.
User Education
- Awareness Training: Educate users about the risks of phishing and the specific threat of malicious OAuth consent requests. Teach them to scrutinize consent screens, question unexpected permission requests, and verify the legitimacy of applications before granting access.
- Phishing Simulations: Regularly conduct simulated phishing attacks to test user awareness and reinforce training.
Technical Controls
- Azure AD Application Consent Policies: Administrators should configure Azure AD to restrict which users can grant consent to applications. Implementing a 'publisher verification' requirement or requiring admin consent for all new applications can significantly reduce the attack surface.
- Monitor OAuth App Permissions: Regularly review and audit all granted application permissions within Azure AD. Remove any unnecessary or suspicious applications and their associated permissions.
- Conditional Access Policies: Utilize Microsoft 365's Conditional Access policies to enforce stricter authentication requirements, such as requiring MFA for all users or for access to sensitive applications. Implement session controls to limit the lifespan of accessed tokens.
- Security Monitoring and Alerting: Implement robust logging and monitoring for Azure AD sign-ins, consent grants, and application activity. Set up alerts for suspicious activities, such as large numbers of consent grants from a single user or access from unusual locations.
- Disable Legacy Authentication: Ensure that legacy authentication protocols are disabled, as they are often easier to compromise.
If you manage Microsoft 365 accounts, you need to act now. Review your Azure AD application consent policies and audit existing application permissions immediately. The speed and stealth of these attacks mean that waiting for a breach notification is too late.
Broader Implications
The proliferation of ConsentFix and ClickFix highlights a critical vulnerability in the widespread adoption of cloud identity and access management systems. While OAuth and OpenID Connect are essential for modern application integration, their inherent flexibility can be exploited by sophisticated attackers.
This trend indicates a shift in attacker methodologies, moving from traditional credential stuffing and brute-force attacks to more nuanced social engineering and protocol exploitation. The rise of PhaaS platforms further democratizes these advanced attack techniques, making them accessible to a wider range of threat actors.
For organizations, this means that robust identity security is no longer just about strong passwords and MFA. It requires a deep understanding of authorization flows, vigilant monitoring of application permissions, and continuous user education. The battle for cloud account security is increasingly fought at the consent screen.
