3 seconds
to surrender OAuth tokens via ConsentFix - no password or MFA code required
$350M
in AI-enabled deepfake fraud losses in Q2 2025 alone - Resemble.ai 2026 report
0
passwords captured - ConsentFix takes full M365 access via OAuth token theft alone
$30-$200/mo
dark LLM subscription cost enabling AI-generated ConsentFix campaigns at scale

SponsoredRetool

Retool's new app builder is where AI-generated code ships safely

Building apps with AI is easy. Getting them to production safely is another story.

Start building for free today

ConsentFix v3 is stealing full Microsoft 365 access from enterprise users without capturing a single password or triggering an MFA prompt, and AI-generated campaign automation now enables individual criminal operators to run the ConsentFix Microsoft 365 MFA bypass at nation-state scale for as little as $30 per month. APT29, the Russian SVR hacking unit responsible for the 2020 SolarWinds supply chain attack, weaponized the technique in late 2025 to target government and enterprise Microsoft tenants. By March 2026, a complete deployment guide with working code, Pipedream infrastructure screenshots, and video tutorials appeared on a Russian cybercrime forum, dropping the technical barrier from nation-state capability to any criminal operator willing to pay a dark LLM subscription fee.

ConsentFix exploits Microsoft's OAuth 2.0 authorization code flow. Victims receive phishing messages delivered through trusted platforms including Dropbox and DocSend to bypass enterprise email security filters. The messages display what appears to be a legitimate Microsoft 365 sign-in prompt. After authenticating normally and satisfying any MFA requirement, the victim is instructed to drag a localhost callback URL into the browser address bar to "complete" the sign-in step. That action surrenders the OAuth authorization code to an attacker-controlled Pipedream webhook, which immediately exchanges the code for access and refresh tokens. No password changes hands. No additional MFA dialog appears. Full Microsoft 365 session access transfers in approximately 3 seconds.

Malwarebytes documented on July 3, 2026 that threat actors are now pairing ConsentFix with AI-generated sponsored ads on X impersonating legitimate macOS software. Mac users receive the Atomic Stealer infostealer via ClickFix terminal injection. Windows enterprise users encounter the ConsentFix OAuth theft flow. ConsentFix v3 adds AI-driven automation for persona creation, spear-phishing email crafting tailored to LinkedIn profiles, and automated campaign delivery management that runs without manual operator involvement. This is AI weaponized against Microsoft 365 at industrial scale.

How Does ConsentFix Bypass Microsoft 365 MFA?

ConsentFix bypasses Microsoft 365 MFA by targeting the OAuth authorization code issued after a legitimate, fully-authenticated session rather than attacking the login process itself. MFA verifies identity at sign-in. ConsentFix operates post-authentication, after MFA has already completed successfully, hijacking the tokens that verified session produces.

The attack exploits the Family of Client IDs (FOCI) feature in Microsoft Entra ID. FOCI allows trusted first-party Microsoft applications to share refresh tokens across the application family without requiring fresh authentication for each service. The abused applications include Azure CLI, Azure PowerShell, Microsoft Authentication Broker, Teams, Outlook, SharePoint, OneDrive, and Microsoft Graph PowerShell. Every standard enterprise Microsoft 365 tenant has these applications in a pre-consented state, meaning no administrator approval is required to use them as token relay points once an authorization code is captured.

When the victim drags the localhost callback URL as instructed by the fake completion prompt, the attacker's infrastructure receives the OAuth authorization code. A Pipedream serverless webhook exchanges it for access and refresh tokens within seconds. Microsoft Entra ID refresh tokens are long-lived. An attacker holding a valid refresh token maintains persistent access to email, Teams, OneDrive, SharePoint, and Microsoft Graph API for weeks after initial compromise until an administrator explicitly revokes the session.

Standard Conditional Access policies requiring compliant devices are insufficient on their own. ConsentFix uses the victim's own corporate device during the authentication step, which satisfies device compliance checks before the token capture occurs. The attacker's subsequent use of the stolen token from a different IP address is the primary behavioral signal available for detection. Microsoft Entra ID Token Protection policies, currently in public preview, bind access tokens to the originating device session and represent the most effective technical control available against captured token reuse.

AI Weaponization: How Attackers Deploy ConsentFix at Scale

The AI component of ConsentFix v3 makes mass deployment operationally viable for criminal groups that previously lacked the technical capacity to run targeted identity phishing campaigns. ConsentFix v3 includes modules for AI-driven persona creation generating convincing sender identities from social media data, automated spear-phishing email drafting tailored to the victim's LinkedIn role and employer, and campaign management infrastructure that tracks delivery rates, click rates, and successful token captures without manual operator involvement.

Dark LLMs power the content generation layer. These are self-hosted AI models exceeding 80 billion parameters, available through criminal subscription services priced between $30 and $200 per month, with an estimated 1,000 or more active criminal subscribers in 2026 according to Group-IB research. Dark LLMs operate without content filters or abuse reporting mechanisms. A subscriber generates unlimited phishing lures, persona backstories, and pretextual email threads at a quality level that removes the grammar errors and awkward phrasing that security-aware employees previously used to identify phishing.

Cloudflare Workers and Pipedream serverless platforms route token capture and exchange operations through legitimate cloud infrastructure. ConsentFix operators do not run dedicated criminal servers that appear in threat intelligence feeds. The attack infrastructure blends with normal Microsoft cloud API traffic, making network-layer detection substantially harder than for campaigns that host malicious content on attacker-controlled domains.

AI-generated X ads funnel additional victims into the attack chain. The July 3, 2026 campaign used sponsored posts from a verified X account to impersonate a legitimate macOS application, redirecting clicks to a lookalike domain at dynamicmacisland[.]com. Mac users received Atomic Stealer via ClickFix terminal command injection. Windows enterprise users were redirected to a ConsentFix token theft flow. Both attack branches executed through a single AI-generated advertising campaign that cost the attacker no more than a standard social media ad buy.

Free daily briefing

Briefings like this, every morning before 9am.

Threat intel, active CVEs, and campaign alerts, distilled for practitioners. 50,000+ subscribers. No noise.

APT29 to Criminal Forums: The Threat Actor Behind ConsentFix

APT29 is a Russian Foreign Intelligence Service (SVR) hacking unit also designated Cozy Bear and Midnight Blizzard. APT29 is responsible for the 2020 SolarWinds supply chain attack, the 2023 Microsoft corporate email breach, and persistent credential-theft campaigns against NATO governments and diplomatic institutions. The group weaponized the ConsentFix technique for initial access in targeted campaigns against government and enterprise Microsoft tenants in late 2025, reflecting its ongoing shift from vulnerability exploitation toward identity-based attacks that produce durable access with a lower detection footprint.

ConsentFix became accessible to criminal operators through its March 2026 publication on a prominent Russian cybercrime forum. The guide included working code, Pipedream and Cloudflare Workers configuration instructions, LinkedIn-based target profiling methodology, and a video tutorial demonstrating the complete attack chain from phishing email delivery to successful token capture and session access. This publication reduced the technical barrier from APT29-level development resources to any criminal group willing to read a forum post and purchase a dark LLM subscription.

The July 3, 2026 campaign documented by Malwarebytes demonstrates the speed at which APT29 techniques become criminal tools. What APT29 weaponized for government espionage in late 2025 was available as a deployable attack kit by March 2026 and was running in paid social media advertising campaigns by July. The agentjacking attack against Sentry MCP followed the same pattern: sophisticated AI-driven attack techniques developed by advanced actors become commoditized criminal tools within one to two quarters of initial deployment.

By early March 2026, a detailed ConsentFix walkthrough had been posted to a public Russian cybercrime forum, including working code, infrastructure screenshots, and a video tutorial showing exactly how to build and deploy the attack.

BleepingComputer, July 2026

Confirmed AI Attack Damage: Real-World Impact in 2026

The AI-weaponized attack ecosystem delivering ConsentFix is producing documented financial damage at scale. The Arup CFO deepfake incident established the single-interaction damage ceiling: live AI-generated video convincing employees on a Zoom call they were speaking with legitimate company executives resulted in a $25 million wire transfer authorization. Resemble.ai's 2026 fraud intelligence report documents $350 million in deepfake-enabled fraud losses in Q2 2025 alone, concentrated in finance, insurance, and technology sectors.

Cloudflare's 2026 threat report documents attackers using AI to identify high-value data locations within target environments, enabling compromise of hundreds of corporate tenants through a single supply chain attack vector. AI reconnaissance reduced the analysis time required to identify exfiltration targets from days to hours, accelerating post-compromise data staging significantly. Cloudflare researchers also confirmed North Korea specifically exploits deepfake-based infiltration, placing AI-generated fake personas within organizations as remote employees to access administrative and financial systems.

The Sophos AI ransomware lab research documented AI generating EDR evasion payloads that bypassed endpoint protection on managed devices. ConsentFix applies AI-driven content generation to the social engineering layer rather than the malware layer, which means endpoint defenses trained to detect malicious executables provide zero protection against a successful ConsentFix token capture. An organization can have fully patched endpoints, deployed EDR, enforced MFA, and enabled DLP and still lose Microsoft 365 access to ConsentFix because the attack operates entirely within legitimate authentication flows.

Detecting ConsentFix in Microsoft Entra ID and M365 Audit Logs

ConsentFix produces specific behavioral signals in Microsoft Entra ID sign-in logs and Microsoft 365 unified audit logs. Security teams with Entra ID Premium P2 or Microsoft Sentinel can build detection rules targeting the OAuth patterns ConsentFix generates.

The primary detection signature targets OAuth2:Authorize requests with Redirect status against the deprecated Windows Azure Active Directory resource identifier 00000002-0000-0000-c000-000000000000, combined with subsequent FOCI application activity accessing Microsoft Graph from IP addresses outside the victim's established geolocation. This combination identifies authorization code capture followed by attacker-side token exchange in a different geographic location.

Secondary detection signals include OAuth authorization code exchanges from IP addresses not associated with the victim's active browser session; access and refresh token usage from geolocations inconsistent with the user's normal working pattern; Pipedream or Cloudflare Workers serverless domains appearing in OAuth redirect URI fields; and bulk mailbox access or OneDrive enumeration via Microsoft Graph API calls immediately following a new OAuth consent grant.

In Microsoft 365 Defender, enable the Identity Threat Protection risky sign-in policy and configure alerts for impossible-travel events combined with new OAuth app grant activity. Review Entra ID non-interactive sign-in logs, which capture token refresh activity not visible in the interactive sign-in report, specifically for token reuse from unexpected source IP addresses.

Conduct a one-time OAuth consent grant audit using the Microsoft 365 activity explorer filtered to the OAuthConsent event type. Revoke any consent grant your team did not explicitly authorize. Block the ClickFix delivery domain dynamicmacisland[.]com at DNS and web proxy layers. Repeat the consent audit monthly while ConsentFix campaigns remain active.

Subscribe to unlock Indicators of Compromise

Free subscribers unlock full IOC lists, Sigma detection rules, remediation steps, and every daily briefing.

How to Stop ConsentFix Microsoft 365 MFA Bypass: Defensive Controls

Closing the ConsentFix Microsoft 365 MFA bypass requires simultaneous changes to Entra ID OAuth settings, Conditional Access configuration, and user awareness training. No single control is complete on its own.

Disabling user OAuth consent removes the mechanism ConsentFix exploits to issue tokens without administrator knowledge. Navigate to Entra ID > Enterprise Applications > Consent and Permissions > User Consent Settings and set the policy to "Do not allow user consent." This requires administrator approval for any OAuth application token grant before tokens can be issued, including ConsentFix delivery infrastructure.

Service Principal restrictions on FOCI-eligible first-party apps reduce the token sharing surface. Configure Conditional Access policies for Azure CLI, Azure PowerShell, Microsoft Authentication Broker, and Microsoft Graph PowerShell requiring device compliance, sign-in risk score thresholds, and named location verification. These policies do not stop token capture but flag the attacker's subsequent token reuse from an unfamiliar location.

Microsoft Entra ID Token Protection in public preview binds access tokens to the originating device session. An attacker who captures a token from a different device or IP address finds the token operationally useless in an environment with Token Protection enforced.

User training must specifically address the localhost callback URL drag mechanic. Standard phishing awareness that focuses on suspicious email links does not address ConsentFix delivery. Employees who understand that no legitimate Microsoft service will ever ask them to drag a URL from a web page into the browser address bar will break the ConsentFix attack chain at the social engineering step before any token is captured.

Subscribe to unlock Remediation & Mitigation steps

Free subscribers unlock full IOC lists, Sigma detection rules, remediation steps, and every daily briefing.

Why ConsentFix Microsoft 365 MFA Bypass Matters for Your Organization

Microsoft 365 is the productivity platform for an estimated 400 million commercial users worldwide. ConsentFix targets every one of them. The technique requires no vulnerability in Microsoft's code, no specific misconfiguration, and no compromised endpoint. Any enterprise user who authenticates to Microsoft 365 in a browser and encounters a ConsentFix delivery page faces the same risk regardless of device management status, patch level, or MFA enrollment.

The security assumption that MFA stops credential phishing is invalid for OAuth-based attacks. ConsentFix exploits that assumption at scale. Security teams that deployed MFA as their primary defense against Microsoft 365 account takeover have an open gap. A ConsentFix compromise generates no failed authentication events, no MFA rejection logs, and no password change indicators that standard security monitoring would alert on. The signals are in OAuth audit logs that most organizations do not actively monitor.

The industrialization pathway from APT29 nation-state technique in late 2025 to criminal subscription toolkit available on cybercrime forums by March 2026, and deployed via AI-generated paid social media advertising by July 2026, reflects what AI does to the threat landscape. Technical sophistication requiring government-level resources becomes a dark LLM prompt and a $200 monthly subscription. Organizations that benchmark their defenses against the 2024 threat model have a structural gap against AI-weaponized identity attacks deployed in 2026.

The three controls that close the ConsentFix gap cost nothing beyond configuration and training time: disable user OAuth consent, enable token protection, and add the drag-mechanic to security awareness programs. Leaving them unaddressed means MFA provides false confidence against an attack that does not need to defeat MFA at all.

The bottom line

ConsentFix v3 gives attackers full Microsoft 365 access without a password, without triggering MFA, and without planting malware on any endpoint. APT29 weaponized the technique in late 2025; a complete toolkit with AI campaign automation appeared on Russian cybercrime forums by March 2026; AI-generated X ads drove victims into the attack chain as of July 3, 2026. Disable user OAuth consent in Entra ID, enable Token Protection policies in preview, and update security awareness programs to include the localhost callback drag mechanic. These three controls close the gap ConsentFix exploits. Leaving them unaddressed means MFA provides false confidence against identity attacks that operate entirely within legitimate authentication flows.

This analysis is generic — the platform version scores threats like this against your own stack.

Frequently asked questions

What is ConsentFix?

ConsentFix is an AI-assisted OAuth consent phishing toolkit that hijacks Microsoft 365 accounts by tricking authenticated users into surrendering OAuth authorization codes through fake sign-in prompts. The attacker's backend automatically exchanges the captured code for persistent access and refresh tokens using serverless infrastructure. The attack requires no password theft and bypasses multi-factor authentication because it occurs after a legitimate successful sign-in rather than during the authentication process itself.

How does ConsentFix bypass MFA?

ConsentFix targets the OAuth authorization code issued after MFA has already completed successfully. MFA verifies identity at sign-in time. ConsentFix operates post-authentication, capturing the token the verified session produces by tricking the user into dragging a localhost callback URL into their browser. The MFA step is never bypassed technically. Instead, ConsentFix waits until after MFA succeeds and then hijacks the resulting session token. Defenders have no failed MFA events to alert on.

Which Microsoft 365 applications does ConsentFix abuse?

ConsentFix abuses trusted first-party Microsoft applications in the Family of Client IDs (FOCI) group that are pre-consented in standard enterprise tenants, including Azure CLI, Azure PowerShell, Microsoft Authentication Broker, Teams, Outlook, SharePoint, OneDrive, and Microsoft Graph PowerShell. Because these apps are pre-approved, an attacker who captures an authorization code for any one of them can access all Microsoft 365 services the victim has permissions to use without triggering additional consent dialogs.

How do I detect ConsentFix activity in Entra ID?

Monitor Entra ID sign-in logs for OAuth2:Authorize requests with Redirect status against the Windows Azure AD resource identifier 00000002-0000-0000-c000-000000000000. Alert on FOCI application token usage from IP addresses outside the user's established geolocation. Flag Pipedream or Cloudflare Workers domains appearing in OAuth redirect URI fields. Enable Entra ID risky sign-in alerts combined with new OAuth consent grant activity. Review non-interactive sign-in logs monthly for token refresh from unexpected source IPs.

What should I do immediately if ConsentFix compromises a Microsoft 365 account?

Revoke all OAuth sessions using Revoke-AzureADUserAllRefreshToken in PowerShell or the Entra ID admin portal. Reset the account password immediately. Audit delegated email access, Microsoft Graph API permissions, and OAuth consent grants for any new entries added after the initial compromise timestamp. Review inbox rules, email forwarding configurations, and Teams application integrations created since that date. Determine whether email, SharePoint files, or OneDrive content was accessed via Graph API during the attacker's session window.

Is ConsentFix the same as ClickFix?

No. ClickFix tricks users into pasting malicious commands into a terminal or run dialog by presenting fake CAPTCHA or error pages. ConsentFix uses a similar social engineering delivery mechanic but targets Microsoft 365 OAuth flows rather than local command execution. ClickFix installs malware on the victim's device. ConsentFix produces account takeover with no malware on any endpoint. The July 3, 2026 campaign documented by Malwarebytes used both techniques simultaneously: Mac users received the Atomic Stealer infostealer via ClickFix, while Windows enterprise users faced ConsentFix OAuth token theft.

Can Conditional Access policies stop ConsentFix?

Standard device-compliance Conditional Access policies are insufficient alone. ConsentFix completes the authentication step on the victim's own compliant corporate device, satisfying device compliance checks before token capture occurs. Token Protection policies that bind access tokens to the originating device session are more effective. Enabling Entra ID Token Protection and configuring sign-in risk policies to flag impossible-travel events on token reuse are the most effective technical controls against ConsentFix.

What role does AI play in ConsentFix v3 attacks?

ConsentFix v3 uses AI for campaign automation including persona generation, spear-phishing email drafting tailored to victim LinkedIn profiles, and delivery tracking. Dark LLMs priced at $30 to $200 per month generate grammatically correct phishing lures at scale without content filters. The July 3, 2026 X advertising campaign used AI-generated creative assets impersonating legitimate macOS software through a verified account. AI reduces campaign setup from weeks of manual social engineering research to hours of automated target profiling.

Sources & references

  1. BleepingComputer: ConsentFix and ClickFix - How Microsoft 365 Accounts are Hijacked in 3 Seconds
  2. Malwarebytes: Verified X Ad Spreads Mac Malware While ConsentFix Steals Microsoft Accounts
  3. Rescana: ConsentFix v3 - Automated OAuth Abuse Targets Microsoft Azure and Entra ID
  4. Group-IB: From Deepfakes to Dark LLMs - How AI Is Powering Cybercrime
  5. Cloudflare / Infosecurity Magazine: AI and Deepfakes Supercharge Sophisticated Cyber-Attacks

Free resources

25
Free download

Critical CVE Reference Card 2025–2026

25 actively exploited vulnerabilities with CVSS scores, exploit status, and patch availability. Print it, pin it, share it with your SOC team.

No spam. Unsubscribe anytime.

Free download

Ransomware Incident Response Playbook

Step-by-step 24-hour IR checklist covering detection, containment, eradication, and recovery. Built for SOC teams, IR leads, and CISOs.

No spam. Unsubscribe anytime.

Free newsletter

Get threat intel before your inbox does.

50,000+ security professionals read Decryption Digest for early warnings on zero-days, ransomware, and nation-state campaigns. Free, daily, no spam.

Unsubscribe anytime. We never sell your data.

Eric Bang
Author

Founder & Cybersecurity Evangelist, Decryption Digest

Cybersecurity professional with expertise in threat intelligence, vulnerability research, and enterprise security. Covers zero-days, ransomware, and nation-state operations for 50,000+ security professionals every morning.

Black Hat Giveaway

Win a $2,495 Black Hat pass.

Full-access to Black Hat USA 2026 in Las Vegas. Subscribe free to enter.

Joins Decryption Digest daily briefing. Unsubscribe anytime.

Giveaway: Black Hat USA 2026 Full-Access Pass ($2,495 value)

Details →
Daily Briefing

Subscribe to enter the giveaway

Every subscriber is automatically entered. You also get daily threat intel every morning: zero-days, ransomware, and nation-state campaigns. Free. No spam.

Already subscribed? You're already entered.

Giveaway

Win a $2,495 Black Hat USA 2026 pass.