Find notable cyber news and cases, enriched with sources, timelines, and signals.

ConsentFix browser-native OAuth consent phishing campaign

Campaign
First reported
Last updated
Happening score
H score 23
1 unique sources, 2 articles

Summary

Hide ▲

The ConsentFix campaign is a ClickFix-style OAuth consent phishing operation that hijacks Microsoft accounts by abusing the Azure CLI OAuth app. In the reported flow, victims land on a compromised legitimate website, pass a fake Cloudflare Turnstile check, and are guided to complete a Microsoft sign-in flow that yields an OAuth authorization code. Attackers then exchange that code for account access, bypassing the need for a password or MFA. The activity was described by Push Security and includes filtering for intended targets, with defenders advised to monitor unusual Azure CLI logins and legacy Graph scopes.

Related Happenings

O-UNC-066 / Pink Microsoft Entra passkey vishing campaign

Campaign
H score37 First: 08.07.2026 19:47 Last: 08.07.2026 19:47 Sources 1

About this happening: The **O-UNC-066 / Pink** operation is using **voice-based phishing** to push **Microsoft 365** users into enrolling attacker-controlled **Entra passkeys**, creating a direct path...

Microsoft Azure CLI password-spray campaign using ROPC

Campaign
H score24 First: 01.07.2026 08:46 Last: 01.07.2026 08:46 Sources 1

About this happening: A **massive automated password-spray campaign** against **Microsoft Azure CLI** compromised **at least 78 accounts** across **64 organizations**, expanding access risk across clou...

Poisoned Tenant OpenAI organization invite campaign

Campaign
H score35 First: 26.06.2026 20:49 Last: 26.06.2026 20:49 Sources 1

About this happening: The **Poisoned Tenant** campaign is using fraudulent **OpenAI organizations** to lure targeted employees into shared **ChatGPT workspaces**, creating a risk of sensitive company d...

FortiBleed Fortinet credential-theft campaign

Campaign
H score89 First: 19.06.2026 13:48 Last: 19.06.2026 13:48 Sources 1

About this happening: The **FortiBleed** Happening is a global **Fortinet credential-theft** campaign affecting **FortiGate firewall** and **SSL VPN** customers. The **UK’s NCSC** issued guidance after...

Latest development: 22.06.2026 11:30

The UK’s National Cyber Security Centre issued guidance for Fortinet customers impacted by FortiBleed after the campaign exposed around 75,000 credentials from FortiGate firewall and SSL VPN customers. The NCSC urged affected organizations to use Hudson Rock’s or SOCRadar’s FortiBleed checker tools and then review indicators of compromise such as unauthorized account creation and unexpected activity in log files.

Instagram accounts for Obama White House hit by account takeover attack

Incident
H score40 First: 01.06.2026 20:32 Last: 01.06.2026 20:32 Sources 1

About this happening: The **Instagram** accounts for the **Obama White House** and the **Chief Master Sergeant of the U.S. Space Force** were briefly **defaced** after attackers abused **Meta’s AI supp...

Timeline

  1. 14.01.2026 17:01 3 articles · 5mo ago

    ConsentFix public debrief and campaign recap

    Initial Disclosure

    Push Security described ConsentFix, a browser-native OAuth consent phishing campaign that used ClickFix-style social engineering to hijack Microsoft accounts, ran across a large network of compromised websites, and was detected across multiple customer estates; the disclosure also noted a Russian state-affiliated APT29 linkage and recommended enabling AADGraphActivityLogs, hunting for Azure CLI and other first-party Microsoft app IDs, and tightening Conditional Access around vulnerable Microsoft apps.

    Show sources