
ConsentFix: Fast Token Theft Targets Microsoft 365 Sign-Ins
A new attack variant called ConsentFix hijacks Microsoft 365 OAuth sign‑in flows by tricking users into dragging a localhost callback link, stealing OAuth tokens and granting attackers ongoing access to email and other services without passwords or MFA. Attackers use trusted phishing lures, map targets via LinkedIn, and publicly share the blueprint, lowering the bar for criminals. Defenses require more than awareness—look for abnormal PowerShell activity, unusual logins, and strengthen endpoint/identity monitoring to detect session/token theft before damage occurs.













