In December 2025, Push Security disclosed ConsentFix, a new "browser-native" social-engineering technique that blends ClickFix-style user prompts with OAuth authorization abuse, allowing attackers to take over accounts without stealing passwords or MFA codes.
The Core Problem
What is ConsentFix?
ConsentFix is a phishing technique that targets Microsoft Entra ID OAuth flows. Rather than collecting a password, it tricks a user into providing an OAuth authorization code (or equivalent "redeemable" authorization material), which the attacker can exchange for access and refresh tokens—then operate as the user programmatically across Microsoft 365 and Azure.
ConsentFix Attack Flow
1. User hits lure page: delivered via compromised sites or malvertising.
2. Legitimate Microsoft flow: a real Entra OAuth authorization journey is initiated.
3. Copy/paste coercion: the user is coerced into copying a URL containing authorization material.
4. Token redemption: the attacker redeems it for access and refresh tokens.
It's Microsoft-Targeted by Design
Why Microsoft Is the Prime Target
Why Traditional Controls Fail
- Strong MFA & passkeys: ConsentFix sidesteps credential theft by abusing authorization and token issuance.
- User training: focuses on "don't type passwords into suspicious pages", but ConsentFix uses real Microsoft pages.
- Email security: ConsentFix lures can arrive via compromised sites or ads, not just email.
How SecureAuth Prevents ConsentFix
SecureAuth Continuous Authority Model
- Continuous verification: access decisions are made continuously based on real-time context.
- Policy-gated scopes: a user can't grant what policy won't allow.
- Developer subscription controls: apps can't self-attach to powerful consents.
Continuous Authority
With Continuous Authority, access decisions are made continuously based on real-time context. Even if an attacker arrives holding a "legitimate-looking" token, they still must match the continuous policy and risk posture required at the moment of access.
Scope & Consent Governance
SecureAuth stops ConsentFix at the exact point where it needs to "cross the chasm" from authentication to portable authority:
Policy-Gated Scope Grants
- Only pre-approved clients may receive sensitive scopes (deny unknown/untrusted apps by default)
- Only specific user populations may grant certain scopes (e.g., admins vs. general workforce)
- Only under safe context (managed device, known network, normal geo/ASN, low risk) can a grant proceed
- Step-up controls at consent time (or hard deny) when the request doesn't match expected patterns
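As an added illustration of the four gating rules above (example code, not SecureAuth's own implementation): a consent-time policy check that applies each rule in order and returns allow, step up or deny. The scope names, client ids, group names and risk levels are constructed assumptions.

```python
from dataclasses import dataclass

# Scopes treated as sensitive, and the admin-only subset (assumed names).
SENSITIVE_SCOPES = {"Mail.ReadWrite", "Files.ReadWrite.All", "Directory.ReadWrite.All"}
ADMIN_ONLY_SCOPES = {"Directory.ReadWrite.All"}

# Pre-approved clients and the sensitive scopes each may receive; any client
# not listed is untrusted and denied by default (constructed ids).
TRUSTED_CLIENTS = {
    "client-mail-archiver": {"Mail.ReadWrite"},
    "client-it-automation": {"Mail.ReadWrite", "Files.ReadWrite.All", "Directory.ReadWrite.All"},
}

@dataclass(frozen=True)
class GrantRequest:
    client_id: str
    scopes: frozenset
    user_groups: frozenset
    managed_device: bool
    known_network: bool
    risk: str  # "low", "medium" or "high" from the risk engine (assumed values)

def evaluate_grant(req: GrantRequest) -> tuple:
    """Return ("allow" | "step_up" | "deny", reason) for one consent request."""
    sensitive = req.scopes & SENSITIVE_SCOPES
    if not sensitive:
        return "allow", "no sensitive scopes requested"
    permitted = TRUSTED_CLIENTS.get(req.client_id)
    if permitted is None:  # unknown or untrusted client: deny by default
        return "deny", f"client {req.client_id} is not pre-approved"
    excess = sensitive - permitted
    if excess:  # approved client, but not for this scope
        return "deny", f"client not approved for {sorted(excess)}"
    if sensitive & ADMIN_ONLY_SCOPES and "admins" not in req.user_groups:
        return "deny", "admin-only scope requested by a non-admin user"
    if req.risk == "high":  # hard deny when risk is clearly out of pattern
        return "deny", "high risk at consent time"
    safe_context = req.managed_device and req.known_network and req.risk == "low"
    if not safe_context:  # otherwise step up before the grant can proceed
        return "step_up", "context outside expected pattern"
    return "allow", "policy satisfied"

if __name__ == "__main__":
    # Constructed samples: unlisted client from an unmanaged device vs. an admin on a managed device.
    suspicious = GrantRequest("client-unknown-9f3a", frozenset({"Mail.ReadWrite"}),
                              frozenset({"workforce"}), False, False, "medium")
    normal = GrantRequest("client-it-automation", frozenset({"Directory.ReadWrite.All"}),
                          frozenset({"admins"}), True, True, "low")
    for r in (suspicious, normal):
        print(r.client_id, *evaluate_grant(r))
```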
About SecureAuth
SecureAuth provides identity and access management solutions that enable enterprises to implement customized, resilient authentication infrastructure. Through Continuous Authority, flexible deployment options, and deep composable capabilities, SecureAuth helps organizations defend against modern identity threats while maintaining usability and operational efficiency.