ConsentFix is a browser-based phishing attack that takes over a user's cloud account without the attacker ever handling the user's password or MFA code. The victim signs in to the real identity provider as normal; what the attacker harvests is the OAuth authorisation code the provider hands back afterwards, which the attacker's client then redeems for tokens. The attack abuses a legitimate part of the OAuth consent and authorisation code flow rather than any bug in it.
How the ConsentFix Attack Works
- The user lands on the attacker's site, typically via a Google search ad or a poisoned SEO result.
- The page asks the user to authenticate with their Microsoft or Google account and opens a genuine OAuth flow with that provider, so the address bar shows the real identity provider throughout the sign-in.
- The user authenticates normally, completing MFA if it is required, and is redirected to a URL whose query parameters carry an authorisation code tied to their identity. That redirect target is one the attacker's site does not receive traffic for, which is why the next step exists.
- The page then instructs the user to copy that URL from the address bar and paste it back into the attacker's site.
- The attacker extracts the authorisation code from the pasted URL and redeems it at the provider's token endpoint for an access token (and, in the usual authorisation code flow, a refresh token as well). Because the victim already satisfied MFA at the identity provider, the tokens carry that assurance, and the account is compromised.
Why Traditional Security Misses It
Email gateways never see it: the attack arrives through the browser, not the inbox. EDR sees only a legitimate OAuth flow with the real identity provider. Because the lure arrives through SEO poisoning and malvertising, there is no malicious payload, attachment or credential-harvesting form to detect.
The Behavioural Signal That Gives It Away
ConsentFix has a precise behavioural fingerprint. No legitimate web application ever instructs you to copy an OAuth authorisation URL from your address bar and paste it back into a page. That instruction alone, regardless of how convincing the page looks, is the attack. (Some command-line tools do ask you to paste a verification code back into a terminal; what is never legitimate is a web page asking for the redirected URL with the authorisation code in it.)
How to Prevent It in Practice
Teach employees that a page which opens a sign-in window and then asks them to paste the resulting URL back is the attack itself, not a verification step. Monitor browser telemetry, not just network logs and email, because the browser is the only layer where the paste is visible. On the identity provider side, restrict which OAuth client applications users may consent to, review sign-in logs for token exchanges by unfamiliar clients or from unexpected locations, and revoke refresh tokens for any account where a code is known to have been handed over.
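As an added example that is not part of the original article or of Fortulio's product, the following JavaScript implements the fingerprint described above: it recognises the URL produced at the redirect step of the flow (a query string or fragment carrying `code`, `id_token` or `access_token`) when that URL is pasted into a page, and it wires that check to the browser's paste event. The identity-provider host list, the severity rules and the sample pastes are assumptions and constructed inputs, not data from the article.

```javascript
// Added example, not code from the original article or from Fortulio: a
// browser-side guard for the ConsentFix fingerprint, a pasted OAuth
// authorisation response URL. Host lists and severity rules are assumptions.

// Hosts that issue authorisation codes in the flows the article describes.
// Assumption: extend this for the identity providers your users actually use.
const KNOWN_IDP_HOSTS = new Set([
  "login.microsoftonline.com",
  "login.live.com",
  "accounts.google.com",
]);

// Loopback hosts used as redirect targets by native and CLI OAuth clients. A
// code landing here and then being pasted into a web page is the strongest signal.
const LOOPBACK_HOSTS = new Set(["localhost", "127.0.0.1", "[::1]"]);

// Parameters that only occur in an OAuth/OIDC authorisation response.
const RESPONSE_PARAMS = ["code", "id_token", "access_token"];

// Pull the first http(s) URL out of free text; the victim may paste the URL
// together with surrounding text.
function extractUrl(text) {
  const m = /https?:\/\/\S+/.exec(text);
  if (!m) return null;
  try {
    return new URL(m[0]);
  } catch {
    return null;
  }
}

// Collect parameters from both the query string and the fragment, because
// response_mode=fragment delivers the code after the '#'.
function responseParams(url) {
  const params = new URLSearchParams(url.search);
  for (const [k, v] of new URLSearchParams(url.hash.replace(/^#/, ""))) {
    if (!params.has(k)) params.append(k, v);
  }
  return params;
}

// Classify a paste. The verdict never includes the code value itself, so a
// logger that records verdicts cannot leak it.
function detectOAuthCodePaste(pastedText) {
  const url = extractUrl(pastedText);
  if (!url) return { suspicious: false, severity: "none", reason: "no URL in paste" };

  const params = responseParams(url);
  const found = RESPONSE_PARAMS.filter((p) => params.has(p));
  if (found.length === 0) {
    return { suspicious: false, severity: "none", reason: "no authorisation response parameters" };
  }

  const host = url.hostname;
  const severity = LOOPBACK_HOSTS.has(host) || KNOWN_IDP_HOSTS.has(host) ? "high" : "medium";
  return {
    suspicious: true,
    severity,
    reason: `pasted URL carries ${found.join(",")}; redirect host ${host}`,
    redirectHost: host,
    hasState: params.has("state"),
  };
}

// Browser wiring: cancel the paste and hand the verdict to a callback.
// Only call this in a page; runSamples() below works without a DOM.
function installPasteGuard(element, onSuspicious) {
  element.addEventListener("paste", (event) => {
    const text = event.clipboardData ? event.clipboardData.getData("text") : "";
    const verdict = detectOAuthCodePaste(text);
    if (verdict.suspicious) {
      event.preventDefault();
      onSuspicious(verdict);
    }
  });
}

// Constructed sample pastes (not real codes or real redirects).
const SAMPLE_PASTES = {
  nativeClientRedirect: "http://localhost:8400/?code=AUTHCODE-constructed-1&state=s1",
  idpHostedRedirect: "https://login.microsoftonline.com/common/oauth2/nativeclient?code=AUTHCODE-constructed-2",
  fragmentIdToken: "https://app.example/callback#id_token=eyJ-constructed&state=s3",
  benignLink: "https://docs.example/oauth?topic=code_flow",
  plainText: "my postcode is 12345",
};

// Run the classifier over every constructed sample and return the verdicts.
function runSamples() {
  const out = {};
  for (const [name, text] of Object.entries(SAMPLE_PASTES)) out[name] = detectOAuthCodePaste(text);
  return out;
}
```

In a page, call installPasteGuard on the inputs of any form that appears after a sign-in window; under Node, runSamples() returns the verdicts for the constructed samples. The guard only sees pastes, so a page that asks the user to type the code in by hand would need the same check on input events.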
Fortulio monitors behavioural signals at the browser layer in real time. When a page opens an OAuth flow and the user then pastes an authorisation URL back into that page, Fortulio detects the pattern and intervenes before the code can be exchanged for a token.