ConsentFix browser-native OAuth consent phishing campaign
Campaign
Summary
Hide ▲
Show ▼
The ConsentFix campaign is a ClickFix-style OAuth consent phishing operation that hijacks Microsoft accounts by abusing the Azure CLI OAuth app. In the reported flow, victims land on a compromised legitimate website, pass a fake Cloudflare Turnstile check, and are guided to complete a Microsoft sign-in flow that yields an OAuth authorization code. Attackers then exchange that code for account access, bypassing the need for a password or MFA. The activity was described by Push Security and includes filtering for intended targets, with defenders advised to monitor unusual Azure CLI logins and legacy Graph scopes.
Related Happenings
O-UNC-066 / Pink Microsoft Entra passkey vishing campaign
Campaign
H score37
First: 08.07.2026 19:47
Last: 08.07.2026 19:47
Sources 1
About this happening:
The **O-UNC-066 / Pink** operation is using **voice-based phishing** to push **Microsoft 365** users into enrolling attacker-controlled **Entra passkeys**, creating a direct path...
O-UNC-066 / Pink Microsoft Entra passkey vishing campaign
CampaignAbout this happening: The **O-UNC-066 / Pink** operation is using **voice-based phishing** to push **Microsoft 365** users into enrolling attacker-controlled **Entra passkeys**, creating a direct path...
Microsoft Azure CLI password-spray campaign using ROPC
Campaign
H score24
First: 01.07.2026 08:46
Last: 01.07.2026 08:46
Sources 1
About this happening:
A **massive automated password-spray campaign** against **Microsoft Azure CLI** compromised **at least 78 accounts** across **64 organizations**, expanding access risk across clou...
Microsoft Azure CLI password-spray campaign using ROPC
CampaignAbout this happening: A **massive automated password-spray campaign** against **Microsoft Azure CLI** compromised **at least 78 accounts** across **64 organizations**, expanding access risk across clou...
Poisoned Tenant OpenAI organization invite campaign
Campaign
H score35
First: 26.06.2026 20:49
Last: 26.06.2026 20:49
Sources 1
About this happening:
The **Poisoned Tenant** campaign is using fraudulent **OpenAI organizations** to lure targeted employees into shared **ChatGPT workspaces**, creating a risk of sensitive company d...
Poisoned Tenant OpenAI organization invite campaign
CampaignAbout this happening: The **Poisoned Tenant** campaign is using fraudulent **OpenAI organizations** to lure targeted employees into shared **ChatGPT workspaces**, creating a risk of sensitive company d...
FortiBleed Fortinet credential-theft campaign
Campaign
H score89
First: 19.06.2026 13:48
Last: 19.06.2026 13:48
Sources 1
About this happening:
The **FortiBleed** Happening is a global **Fortinet credential-theft** campaign affecting **FortiGate firewall** and **SSL VPN** customers. The **UK’s NCSC** issued guidance after...
FortiBleed Fortinet credential-theft campaign
CampaignAbout this happening: The **FortiBleed** Happening is a global **Fortinet credential-theft** campaign affecting **FortiGate firewall** and **SSL VPN** customers. The **UK’s NCSC** issued guidance after...
Latest development: 22.06.2026 11:30
The UK’s National Cyber Security Centre issued guidance for Fortinet customers impacted by FortiBleed after the campaign exposed around 75,000 credentials from FortiGate firewall and SSL VPN customers. The NCSC urged affected organizations to use Hudson Rock’s or SOCRadar’s FortiBleed checker tools and then review indicators of compromise such as unauthorized account creation and unexpected activity in log files.
Instagram accounts for Obama White House hit by account takeover attack
Incident
H score40
First: 01.06.2026 20:32
Last: 01.06.2026 20:32
Sources 1
About this happening:
The **Instagram** accounts for the **Obama White House** and the **Chief Master Sergeant of the U.S. Space Force** were briefly **defaced** after attackers abused **Meta’s AI supp...
Instagram accounts for Obama White House hit by account takeover attack
IncidentAbout this happening: The **Instagram** accounts for the **Obama White House** and the **Chief Master Sergeant of the U.S. Space Force** were briefly **defaced** after attackers abused **Meta’s AI supp...
Timeline
-
14.01.2026 17:01 3 articles · 5mo ago
ConsentFix public debrief and campaign recap
Initial DisclosurePush Security described ConsentFix, a browser-native OAuth consent phishing campaign that used ClickFix-style social engineering to hijack Microsoft accounts, ran across a large network of compromised websites, and was detected across multiple customer estates; the disclosure also noted a Russian state-affiliated APT29 linkage and recommended enabling AADGraphActivityLogs, hunting for Azure CLI and other first-party Microsoft app IDs, and tightening Conditional Access around vulnerable Microsoft apps.
Show sources
- ConsentFix debrief: Insights from the new OAuth phishing attack — www.bleepingcomputer.com — 14.01.2026 17:01
- ConsentFix debrief: Insights from the new OAuth phishing attack — www.bleepingcomputer.com — 14.01.2026 17:01
- New ConsentFix attack hijacks Microsoft accounts via Azure CLI — www.bleepingcomputer.com — 11.12.2025 17:10