ConsentFix and ClickFix: How Microsoft 365 Accounts are Hijacked in 3 Seconds
BleepingComputer reports a new attack against Microsoft 365 accounts, dubbed ConsentFix, a ClickFix-style lure built on OAuth consent phishing. The report describes the technique as hijacking an account in as little as three seconds: instead of stealing a password, the attacker tricks the user into authorizing an OAuth application, and the resulting token grants the attacker access to the victim's account and data with no further interaction. Because the consent goes through Microsoft's own login and authorization flow, the user never sees a spoofed password prompt, which is why the report stresses the speed and simplicity of the attack and the resulting risk to Microsoft 365 users.
// why it matters
Microsoft 365 administrators, and developers of applications that request OAuth consent, must be aware of consent-phishing risks to prevent rapid account takeovers. Two practical controls: restrict user consent in Entra ID so that applications requesting more than basic sign-in scopes require admin consent, and periodically review the delegated permission grants that already exist in the tenant, since a grant made through a phishing lure persists until it is revoked.
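As an added example (not code from BleepingComputer, Push Security, or Microsoft), the following script triages the delegated permission grants in a tenant for consent-phishing indicators. It assumes the record shapes returned by Microsoft Graph `GET /v1.0/oauth2PermissionGrants` (`id`, `clientId`, `consentType`, `principalId`, `resourceId`, `scope`) and `GET /v1.0/servicePrincipals` (`id`, `appId`, `displayName`, `verifiedPublisher`), which you could export with Graph Explorer or `az rest` and feed in as JSON; the records embedded below, including their GUIDs and app names, are constructed for the example and are not real tenant data. The scoring heuristic is the author's own: high-risk data scopes, `offline_access` (a refresh token, so the grant outlives the session), user rather than admin consent, and an unverified publisher.

```python
"""Triage Entra ID delegated OAuth grants for consent-phishing indicators.

Added example for this page; assumes Microsoft Graph oauth2PermissionGrants
and servicePrincipals record shapes. Sample records below are constructed.
"""
from collections import defaultdict

# Delegated scopes that hand an attacker mail, files, contacts or directory data.
HIGH_RISK_SCOPES = {
    "Mail.Read", "Mail.ReadWrite", "Mail.Send", "MailboxSettings.ReadWrite",
    "Files.Read.All", "Files.ReadWrite.All", "Sites.Read.All",
    "Contacts.Read", "Directory.Read.All",
}
PERSISTENCE_SCOPE = "offline_access"  # issues a refresh token: access survives logout


def parse_scope(scope):
    """Graph returns `scope` as one space-separated string, often with trailing space."""
    return {s for s in (scope or "").split() if s}


def assess_grant(grant, sp_by_id):
    """Score one oauth2PermissionGrant; higher means more worth an analyst's time."""
    scopes = parse_scope(grant.get("scope"))
    risky = scopes & HIGH_RISK_SCOPES
    client = sp_by_id.get(grant["clientId"], {})
    verified = bool((client.get("verifiedPublisher") or {}).get("verifiedPublisherId"))
    score = len(risky)
    if PERSISTENCE_SCOPE in scopes and risky:
        score += 2  # durable access to sensitive data, the consent-phishing payoff
    if grant.get("consentType") == "Principal":
        score += 1  # a single user clicked through; no admin reviewed the request
    if not verified:
        score += 1
    return {
        "grant_id": grant["id"],
        "app": client.get("displayName", grant["clientId"]),
        "app_id": client.get("appId"),
        "user": grant.get("principalId"),
        "risky_scopes": sorted(risky),
        "persistent": PERSISTENCE_SCOPE in scopes,
        "verified_publisher": verified,
        "score": score,
    }


def triage(grants, service_principals, threshold=4):
    """Return (flagged grants sorted by score desc, app IDs consented by 2+ users)."""
    sp_by_id = {sp["id"]: sp for sp in service_principals}
    flagged = [f for f in (assess_grant(g, sp_by_id) for g in grants)
               if f["score"] >= threshold]
    users_by_app = defaultdict(set)
    for f in flagged:
        users_by_app[f["app_id"]].add(f["user"])
    # The same risky app consented by several users is the signature of a campaign.
    campaign_apps = {app for app, users in users_by_app.items() if len(users) >= 2}
    return sorted(flagged, key=lambda f: -f["score"]), campaign_apps


# Constructed sample data (hypothetical apps, users and GUIDs).
SAMPLE_SERVICE_PRINCIPALS = [
    {"id": "sp-1", "appId": "11111111-aaaa-4bbb-8ccc-000000000001",
     "displayName": "Mailbox Backup Assistant",
     "verifiedPublisher": {"verifiedPublisherId": None}},
    {"id": "sp-2", "appId": "22222222-aaaa-4bbb-8ccc-000000000002",
     "displayName": "Document Viewer Pro",
     "verifiedPublisher": {"verifiedPublisherId": "MPN-0001"}},
    {"id": "sp-3", "appId": "33333333-aaaa-4bbb-8ccc-000000000003",
     "displayName": "Weather Widget", "verifiedPublisher": None},
]
SAMPLE_GRANTS = [
    {"id": "grant-1", "clientId": "sp-1", "consentType": "Principal",
     "principalId": "user-a", "resourceId": "graph",
     "scope": "openid profile offline_access Mail.Read Files.ReadWrite.All "},
    {"id": "grant-2", "clientId": "sp-1", "consentType": "Principal",
     "principalId": "user-b", "resourceId": "graph",
     "scope": "openid profile offline_access Mail.Read Files.ReadWrite.All"},
    {"id": "grant-3", "clientId": "sp-2", "consentType": "AllPrincipals",
     "principalId": None, "resourceId": "graph",
     "scope": "openid offline_access Files.Read.All"},
    {"id": "grant-4", "clientId": "sp-3", "consentType": "Principal",
     "principalId": "user-a", "resourceId": "graph",
     "scope": "openid profile User.Read"},
]

if __name__ == "__main__":
    flagged, campaigns = triage(SAMPLE_GRANTS, SAMPLE_SERVICE_PRINCIPALS)
    for f in flagged:
        print(f"[score {f['score']}] {f['app']} <- {f['user']}: {f['risky_scopes']}"
              f"{' (persistent)' if f['persistent'] else ''}")
        # Revoking the grant is one Graph call: DELETE /v1.0/oauth2PermissionGrants/{id}
        print(f"   revoke: DELETE /v1.0/oauth2PermissionGrants/{f['grant_id']}")
    if campaigns:
        print("possible campaign apps:", sorted(campaigns))
```

Admin-consented grants to a verified publisher (grant-3 above) stay below the default threshold; a user-consented grant to an unverified app that combines mail or file scopes with `offline_access` rises to the top, and the same app appearing across several users is reported as a probable campaign. Revoking a grant removes the delegated permission but does not invalidate tokens already issued, so treat the revocation as one step alongside session revocation for the affected users.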