ConsentFix browser-native OAuth consent phishing campaign

Campaign
H score 48
1 unique source, 2 articles

Summary

The ConsentFix campaign is a ClickFix-style OAuth consent phishing operation that hijacks Microsoft accounts by abusing the Azure CLI OAuth app. In the reported flow, victims land on a compromised legitimate website, pass a fake Cloudflare Turnstile check, and are guided to complete a Microsoft sign-in flow that yields an OAuth authorization code. Attackers then exchange that code for account access, bypassing the need for a password or MFA. The activity was described by Push Security and includes filtering for intended targets, with defenders advised to monitor unusual Azure CLI logins and legacy Graph scopes.

Related Happenings

Kali365 Microsoft 365 device-code phishing campaign

Campaign
First: 25.05.2026 15:45 Last: 25.05.2026 15:45 Sources 1

About this happening: A **Kali365** phishing campaign is targeting **Microsoft 365** environments worldwide with **device-code login lures**, putting accounts at risk of **token theft** and **MFA bypas...

Infostealer malware operation targeting online store users

Malware Activity
First: 21.05.2026 00:36 Last: 21.05.2026 00:36 Sources 1

About this happening: A **malware operation** using **infostealer** tools infected users’ devices between **2024 and 2025**, stealing browser sessions and account credentials that enabled account theft...

Storm-2949 Microsoft 365 and Azure data-theft campaign

Campaign
First: 19.05.2026 22:35 Last: 19.05.2026 22:35 Sources 1

About this happening: The **Storm-2949** campaign is targeting **Microsoft 365 and Azure production environments** to steal sensitive data, increasing the risk of privileged-account takeover and cloud...

EvilTokens Microsoft 365 consent phishing campaign

Campaign
First: 19.05.2026 14:30 Last: 19.05.2026 14:30 Sources 1

About this happening: The **EvilTokens** campaign rapidly compromised **more than 340 Microsoft 365 organizations** across **five countries**, showing how **OAuth grant abuse** can bypass **MFA** and c...

Tycoon2FA device-code phishing campaign targeting Microsoft 365

Campaign
First: 17.05.2026 17:43 Last: 17.05.2026 17:43 Sources 1

About this happening: The **Tycoon2FA** phishing operation added **device-code phishing** to hijack **Microsoft 365** accounts, expanding its ability to steal access tokens and reach email, calendar, a...

Timeline

  1. 14.01.2026 17:01 3 articles · 4mo ago

    ConsentFix public debrief and campaign recap

    Initial Disclosure

    Push Security described ConsentFix, a browser-native OAuth consent phishing campaign that used ClickFix-style social engineering to hijack Microsoft accounts. The campaign ran across a large network of compromised websites and was detected across multiple customer estates. The disclosure also noted a linkage to the Russian state-affiliated APT29 and recommended enabling AADGraphActivityLogs, hunting for Azure CLI and other first-party Microsoft app IDs, and tightening Conditional Access around vulnerable Microsoft apps.