December 17, 2025 Security researchers are warning of a new phishing technique that lets attackers take over Microsoft accounts without ever capturing a password or defeating multi-factor authentication or passkeys. The method, called ConsentFix, tricks users into granting OAuth access through a browser prompt, giving attackers persistent control over the account even when those modern protections are enabled.
ConsentFix is an evolution of the ClickFix attack that security teams have been tracking for months. Instead of asking victims to paste commands into Windows system tools, the new technique operates entirely inside the browser. Push Security says the campaign combines OAuth consent phishing with a ClickFix-style prompt, removing many of the warning signs users might recognize.
The attack typically begins on a compromised website surfaced through Google Search. Researchers say most of the domains involved are legitimate, high-reputation sites that have been quietly hijacked, making them difficult to distinguish from normal browsing. Once on the page, users are presented with what appears to be a routine verification or CAPTCHA-style task.
Rather than requesting credentials, the page sends the user through a Microsoft OAuth consent prompt and then instructs them to copy the URL the browser lands on afterwards and paste it back into the page. If the victim is already signed in to their Microsoft account, that URL carries an OAuth authorization code bound to the existing session. According to Push Security, no login or MFA challenge is triggered, because the provider simply reuses the session the victim already has. The technique therefore sidesteps phishing-resistant authentication, including passkeys, rather than breaking it: the strong factor was already satisfied when the victim signed in earlier.
Check Point researchers say the pasted URL completes an OAuth connection between the victim's Microsoft account and an Azure CLI instance under the attacker's control, which redeems the code for access and refresh tokens. From that point on, the attacker operates the account as an authorized application rather than as a logged-in user, without raising the alerts tied to credential theft or suspicious logins.
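The "session-specific material" in the pasted URL is recognisable by shape: an OAuth 2.0 authorization response puts the code in a `code` query parameter (implicit-flow variants put tokens in the URL fragment), and native-client registrations typically redirect to a loopback address that nothing is listening on, which is exactly the page a victim is told to copy. The following function, written for this article and not taken from Push Security, Check Point or Microsoft, classifies a string the user is about to paste and can sit behind a clipboard guard, a browser extension or a DLP rule. All sample URLs, codes and GUIDs in it are constructed for illustration.

```javascript
// Classify text a user is being asked to copy and paste. The goal is to catch an
// OAuth 2.0 authorization response (the redirect a provider issues after consent),
// which carries an authorization code or tokens that an attacker can redeem.
// Runs in any modern browser or Node without dependencies.

const CREDENTIAL_KEYS = ["code", "id_token", "access_token"];      // RFC 6749 / OIDC
const HINT_KEYS = ["state", "session_state", "scope", "token_type"]; // supporting signals
const LOOPBACK_HOSTS = ["localhost", "127.0.0.1", "[::1]"];        // native-client redirects

/**
 * Returns { isUrl, isAuthResponse, host, reasons } for the given text.
 * isAuthResponse is true only when a credential-bearing parameter is present;
 * loopback targets and hint keys are reported as reasons but are not sufficient alone.
 */
function classifyPastedUrl(text) {
  const result = { isUrl: false, isAuthResponse: false, host: null, reasons: [] };
  let url;
  try {
    url = new URL(text.trim());
  } catch (e) {
    return result; // plain text, not a URL: out of scope for this check
  }
  result.isUrl = true;
  result.host = url.hostname;

  // Code flow returns parameters in the query; implicit flow returns them in the fragment.
  const query = new URLSearchParams(url.search);
  const fragment = new URLSearchParams(url.hash.replace(/^#/, ""));

  let credentialFound = false;
  for (const key of CREDENTIAL_KEYS) {
    if (query.has(key)) { credentialFound = true; result.reasons.push(`query parameter "${key}"`); }
    if (fragment.has(key)) { credentialFound = true; result.reasons.push(`fragment parameter "${key}"`); }
  }
  for (const key of HINT_KEYS) {
    if (query.has(key) || fragment.has(key)) result.reasons.push(`OAuth hint parameter "${key}"`);
  }
  if (LOOPBACK_HOSTS.includes(url.hostname)) {
    // Browser was redirected to a local port with no listener: the classic
    // "copy the address of this broken page" setup.
    result.reasons.push("redirect target is a loopback address");
  }

  result.isAuthResponse = credentialFound;
  return result;
}

// Constructed sample inputs (not real codes, tokens or tenant identifiers).
const SAMPLES = {
  codeFlowLoopback:
    "http://localhost/?code=0.CONSTRUCTED_SAMPLE_CODE_VALUE&session_state=00000000-0000-0000-0000-000000000000",
  implicitFragment:
    "https://callback.example/cb#access_token=eyJ.CONSTRUCTED.SAMPLE&token_type=Bearer&state=xyz",
  benignLink: "https://support.example/help/verify-your-account",
  notAUrl: "Paste this text to continue",
};

function demo() {
  const verdicts = {};
  for (const [name, text] of Object.entries(SAMPLES)) {
    const r = classifyPastedUrl(text);
    verdicts[name] = r.isAuthResponse ? "BLOCK" : "allow";
    console.log(`${name}: ${verdicts[name]}${r.reasons.length ? " (" + r.reasons.join("; ") + ")" : ""}`);
  }
  return verdicts;
}

demo();
```

The check is deliberately conservative: a loopback host or a `state` parameter alone does not trigger a block, because developers legitimately share such links, but any URL carrying `code`, `id_token` or `access_token` is something no verification flow should ever ask a user to paste, and can be blocked outright.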
The shift to OAuth abuse marks a significant escalation. ClickFix relied on users interacting with command-line tools, which raised suspicion for some. ConsentFix removes that friction, keeps the interaction familiar and avoids email entirely by using search results as the delivery mechanism.
“ConsentFix is a dangerous evolution of ClickFix,” Push Security said, noting that the attack eliminates one of the key detection opportunities defenders previously relied on. Because the compromise happens through consent rather than credentials, traditional security controls may not flag it immediately.
Defending against the attack relies heavily on user behaviour. Security researchers stress that no legitimate service will ever ask users to copy and paste text or links as part of a verification or security check, and any prompt that does so should be treated as malicious. A user who has only seen such a prompt can simply close the tab; nothing has been granted until the URL is pasted. If the URL was pasted, the attacker already holds tokens for the account, and closing the browser or restarting the system will not revoke them: the account's sign-in sessions and refresh tokens need to be revoked and its application grants reviewed, and because the attacker's tokens are redeemed through Azure CLI from their own infrastructure, sign-ins attributed to that application from unfamiliar networks are where tenant monitoring can catch it.
For organizations relying on Microsoft ecosystems, the growing reality is that MFA alone is no longer a sufficient safety net. OAuth permissions, browser workflows and user awareness are now central to account security, and attackers are adapting faster than most users expect.
