Two newly documented social engineering tactics, ConsentFix and ClickFix, allow attackers to seize control of Microsoft 365 accounts in seconds by exploiting the platform's own authentication flows. As reported by BleepingComputer, these methods bypass multi-factor authentication (MFA) not through technical flaws, but by tricking users into granting access themselves.
The core danger is how the attacks weaponize trust in routine prompts. Victims are manipulated into completing the authentication step, effectively neutralizing MFA. Successful attacks yield valid OAuth tokens, providing attackers with persistent, privileged access to the account and its connected data.
The first method, ConsentFix, is a phishing campaign. Attackers send deceptive emails urging users to review a document. The link leads to a convincing fake Microsoft login page. The critical element is a fabricated "Consent" screen that appears post-login, requesting approval for a malicious app often masquerading as a benign tool. Approving this silently grants the attacker's application extensive permissions.
The second tactic, ClickFix, operates within trusted platforms like Microsoft Teams. From a compromised account, an attacker sends a message containing a fake error or urgent task, complete with a "Fix" button. Clicking this button triggers the same malicious OAuth consent flow. Embedding the attack in a normal workflow significantly lowers the victim's suspicion.
"This shifts the security challenge from defending network perimeters to governing identity and access," analysts note. The fundamental vulnerability is human; attackers are not breaching systems but persuading users to hand over the keys.
Defense requires a layered strategy of technical controls and user education. Administrators should implement restrictions within Microsoft Entra ID (formerly Azure AD). The key policy is to disable users' ability to grant consent to applications that access their data, forcing all such requests through an administrative approval process. This directly blocks the core mechanic of both ConsentFix and ClickFix.
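The tenant-wide setting that the paragraph above refers to lives in the Entra ID authorization policy, which Microsoft Graph exposes at `/policies/authorizationPolicy`. The following is an added example (not code from the article or from Microsoft) that classifies an exported policy document by its user-consent setting and builds the PATCH request that turns user consent off. The policy documents in the test are constructed; the Graph URL and the two `ManagePermissionGrantsForSelf.*` policy ids are the real ones, everything else is illustrative.

```python
"""Audit an Entra ID authorization policy export for the user-consent setting and
build the Microsoft Graph PATCH body that disables it.
Added example, not the article's code; sample policy documents are constructed."""

GRAPH_AUTHZ_POLICY_URL = "https://graph.microsoft.com/v1.0/policies/authorizationPolicy"

# Permission-grant policies Entra ID can assign to the default user role.
# Present in permissionGrantPoliciesAssigned => users may self-consent under that policy.
ALLOW_ALL_APPS = "ManagePermissionGrantsForSelf.microsoft-user-default-legacy"
ALLOW_LOW_RISK_VERIFIED = "ManagePermissionGrantsForSelf.microsoft-user-default-low"


def classify_user_consent(policy: dict) -> str:
    """Map an authorizationPolicy object to the consent posture it represents.

    Returns one of:
      'all-apps'                   - any user can consent to any app (the ConsentFix-friendly default)
      'low-risk-verified-publishers' - users may consent only to low-impact scopes from verified publishers
      'disabled'                   - no self-consent; every request goes to the admin consent workflow
      'custom'                     - a tenant-defined grant policy; review it by hand
    """
    role_perms = policy.get("defaultUserRolePermissions", {})
    assigned = role_perms.get("permissionGrantPoliciesAssigned") or []
    if ALLOW_ALL_APPS in assigned:
        return "all-apps"
    if ALLOW_LOW_RISK_VERIFIED in assigned:
        return "low-risk-verified-publishers"
    if not assigned:
        return "disabled"
    return "custom"


def hardening_request() -> dict:
    """Describe the Graph call that removes every self-consent policy from the user role.

    Sending it requires an admin session with the Policy.ReadWrite.Authorization
    permission; this function only builds the request so the example runs offline.
    """
    return {
        "method": "PATCH",
        "url": GRAPH_AUTHZ_POLICY_URL,
        "body": {"defaultUserRolePermissions": {"permissionGrantPoliciesAssigned": []}},
    }


def apply_hardening(policy: dict) -> dict:
    """Return a copy of the policy as it would look after the PATCH above is applied."""
    hardened = dict(policy)
    hardened["defaultUserRolePermissions"] = dict(policy.get("defaultUserRolePermissions", {}))
    hardened["defaultUserRolePermissions"]["permissionGrantPoliciesAssigned"] = []
    return hardened


if __name__ == "__main__":
    # Constructed export of a tenant that still has the permissive default.
    weak_policy = {
        "id": "authorizationPolicy",
        "defaultUserRolePermissions": {"permissionGrantPoliciesAssigned": [ALLOW_ALL_APPS]},
    }
    print("before:", classify_user_consent(weak_policy))
    print("after: ", classify_user_consent(apply_hardening(weak_policy)))
    print("request:", hardening_request())
```

Disabling self-consent on its own leaves users with no way to ask for a legitimate app, so pair it with the admin consent workflow (`/policies/adminConsentRequestPolicy`), which routes those requests to named reviewers instead of silently failing them.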
User awareness training must also adapt. Employees need clear guidance to spot the red flags of consent-based phishing: unexpected prompts, requests for broad permissions, and any authentication request triggered by a link in email or chat. The goal is to cultivate robust skepticism toward unsolicited access requests.
As these attacks show, adversaries are increasingly targeting the human layer of security. For IT teams managing cloud-heavy environments, this underscores the critical need for regular reviews and tightening of identity governance policies to safeguard corporate accounts and data.
