BleepingComputer, 3 min read

Microsoft 365 Accounts Hijacked in Seconds by ConsentFix

Microsoft 365 accounts can be hijacked within seconds by ConsentFix, a phishing technique that applies the ClickFix social-engineering pattern to the OAuth consent flow. Researchers report compromise in as little as three seconds once the victim completes the lure. The attack abuses OAuth authorization working as designed rather than a software flaw: the victim is tricked into granting an attacker-controlled application broad delegated permissions, and the tokens that application then holds give the attacker access to the account without the password. MFA is not defeated directly; the victim satisfies it during the legitimate Microsoft sign-in, and the tokens issued afterwards carry that completed authentication, so no further MFA prompt stands between the attacker and the data.

Researchers detailed how the attack rides on the OAuth consent flow, the standard mechanism by which a user grants a third-party application access to data in their Microsoft 365 tenant. In consent phishing generally, the consent prompt the victim sees is the genuine Microsoft dialog served by login.microsoftonline.com; what is deceptive is the application behind it, registered by the attacker with a display name, icon and pretext that imitate a legitimate Microsoft 365 service, and a scope list far broader than the pretext needs. When the user approves, Microsoft issues an authorization code to the attacker's redirect endpoint, and the attacker exchanges it for an access token and, if the offline_access scope was granted, a refresh token. Those tokens let the attacker read the user's mail, files and other Microsoft 365 data through Microsoft Graph as the user, with no password and no MFA challenge, for as long as the grant and refresh token remain valid.

ClickFix is not itself an OAuth technique. It is the broader social-engineering pattern, seen in fake CAPTCHA and fake error pages, in which the lure tells the victim to perform a short "fix" step by hand, typically copying something and pasting it where the attacker wants it. ConsentFix reuses that pattern: the lure presents the consent step as a routine verification the user has to click through, so a single click on the attacker's link starts the authorization flow and approving the consent dialog completes it. Because the victim performs every step on a real Microsoft page, the usual phishing cues (a lookalike domain, a forged login form) are absent, and the token exchange that follows approval is automated, so by the time a user or security team notices, the attacker has typically already pulled the data it wanted.

Defending against ConsentFix needs both user awareness and tenant configuration, and the configuration matters more, because the speed of the attack leaves little room for a user to reconsider. Train users to read consent dialogs as carefully as login pages: an unfamiliar application name, an unverified publisher, or a scope list that asks for mail and files when the pretext was a document preview are the signals. On the tenant side, Microsoft Entra ID lets administrators turn off user consent entirely or restrict it to verified publishers requesting low-impact permissions, with an admin consent workflow for everything else; that one setting takes the decision away from the user. Review existing grants regularly under Enterprise applications, alert on "Consent to application" audit events, and when a malicious grant is found, remove the service principal's permissions and revoke the user's refresh tokens, since an access token already issued stays valid until it expires. Conditional Access and Microsoft Defender can add detection, but Conditional Access governs the user's sign-in, not whether the application being consented to is trustworthy, so it is no substitute for the consent policy itself.
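The audit step above, "regularly reviewing granted permissions", is easy to automate. The script below is an added example, not code from BleepingComputer, the researchers, or Microsoft: it triages delegated OAuth grants in the shape Microsoft Graph returns from GET /oauth2PermissionGrants and GET /servicePrincipals and scores each one for consent-phishing signals (broad mail or file scopes, offline_access, user-level rather than admin consent, an unverified publisher, a freshly created service principal). The two grant records, the scope list and the scoring thresholds are this example's own constructions and assumptions; in a real tenant the records would come from Graph and the thresholds would be tuned to what the tenant's legitimate apps look like.

```python
"""Triage delegated OAuth grants in an Entra tenant for consent-phishing signals.

Added example. Record shapes follow Microsoft Graph's oauth2PermissionGrant and
servicePrincipal resources; the sample records, HIGH_RISK_SCOPES and the score
weights/threshold are assumptions made for this example.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Optional

# Delegated Microsoft Graph scopes that give an app standing access to mail, files
# and the directory. This list is an assumption for the example, not a Microsoft list.
HIGH_RISK_SCOPES = {
    "Mail.Read", "Mail.ReadWrite", "Mail.Send", "MailboxSettings.ReadWrite",
    "Files.Read.All", "Files.ReadWrite.All", "Sites.ReadWrite.All",
    "Directory.Read.All", "Directory.ReadWrite.All", "User.Read.All",
    "Contacts.Read", "Calendars.ReadWrite",
}
FLAG_THRESHOLD = 7  # assumption: tune against the tenant's known-good apps


@dataclass
class Finding:
    client_id: str
    app_display_name: str
    principal_id: Optional[str]   # the consenting user for consentType=Principal
    score: int
    reasons: list = field(default_factory=list)


def triage_grants(grants, service_principals, now=None):
    """Score each grant; return Findings at or above FLAG_THRESHOLD, highest first."""
    now = now or datetime.now(timezone.utc)
    sps = {sp["id"]: sp for sp in service_principals}
    findings = []
    for g in grants:
        sp = sps.get(g["clientId"], {})
        scopes = set(g.get("scope", "").split())   # Graph stores scopes space-separated
        reasons, score = [], 0

        risky = sorted(scopes & HIGH_RISK_SCOPES)
        if risky:
            score += 2 * len(risky)
            reasons.append("high-risk delegated scopes: " + ", ".join(risky))
        if "offline_access" in scopes:
            score += 3
            reasons.append("offline_access: refresh token keeps access alive after the session ends")
        if g.get("consentType") == "Principal":
            score += 2
            reasons.append("user-level consent (consentType=Principal), not admin-reviewed")
        if not sp.get("verifiedPublisher", {}).get("verifiedPublisherId"):
            score += 2
            reasons.append("publisher not verified")
        created = sp.get("createdDateTime")
        if created:
            age_days = (now - datetime.fromisoformat(created.replace("Z", "+00:00"))).days
            if age_days < 30:
                score += 2
                reasons.append(f"service principal is only {age_days} days old")

        if score >= FLAG_THRESHOLD:
            findings.append(Finding(g["clientId"], sp.get("appDisplayName", "<unknown>"),
                                    g.get("principalId"), score, reasons))
    findings.sort(key=lambda f: f.score, reverse=True)
    return findings


# Constructed sample data (not real tenant records). The first app is a verified,
# long-established publisher with a minimal scope; the second looks like a
# ConsentFix-style app: Microsoft-sounding name, broad mail/file scopes,
# offline_access, consented by one user, unverified, registered days ago.
SAMPLE_NOW = datetime(2026, 1, 8, tzinfo=timezone.utc)
SAMPLE_SERVICE_PRINCIPALS = [
    {"id": "sp-legit", "appDisplayName": "Contoso Expense Tracker",
     "createdDateTime": "2021-03-02T10:00:00Z",
     "verifiedPublisher": {"displayName": "Contoso Ltd", "verifiedPublisherId": "1234567"}},
    {"id": "sp-phish", "appDisplayName": "Microsoft 365 Document Viewer",
     "createdDateTime": "2026-01-05T00:00:00Z",
     "verifiedPublisher": {"displayName": None, "verifiedPublisherId": None}},
]
SAMPLE_GRANTS = [
    {"clientId": "sp-legit", "consentType": "AllPrincipals", "principalId": None,
     "resourceId": "graph", "scope": "User.Read offline_access"},
    {"clientId": "sp-phish", "consentType": "Principal", "principalId": "user-42",
     "resourceId": "graph", "scope": "User.Read Mail.ReadWrite Files.ReadWrite.All offline_access"},
]


def demo():
    return triage_grants(SAMPLE_GRANTS, SAMPLE_SERVICE_PRINCIPALS, now=SAMPLE_NOW)


if __name__ == "__main__":
    for f in demo():
        print(f"[{f.score}] {f.app_display_name} ({f.client_id}) consented by {f.principal_id}")
        for r in f.reasons:
            print("   -", r)
```

Run against a live tenant, the same function takes the `value` arrays from the two Graph calls; a grant with `consentType` of `AllPrincipals` was approved by an admin, so the user-consent weight does not apply to it, and a finding is acted on by removing the grant and calling the user's revokeSignInSessions so the refresh token dies with it.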

Original source: read the full reporting at BleepingComputer.
