ConsentFix is a browser-based phishing attack that steals a user's cloud account without requiring their password or MFA. The attack works by abusing a legitimate part of the OAuth consent flow.

How the ConsentFix Attack Works

ConsentFix attack flow diagram

Why Traditional Security Misses It

Email gateways never see it: the attack arrives through a browser, not an inbox. EDR sees only a legitimate OAuth consent flow. The attack is delivered through SEO poisoning and malvertising, so there is no malicious payload to detect.

The Behavioural Signal That Gives It Away

ConsentFix has a precise behavioural fingerprint. No legitimate application ever instructs you to copy an OAuth authorisation URL from your address bar and paste it back into a page. That instruction alone, regardless of how convincing the page looks, is the attack.

How to Prevent It in Practice

Teach employees that no legitimate application ever asks them to copy an authentication URL from their address bar and paste it back into a page. That instruction alone is the attack. Monitor browser telemetry, not just network logs and email. Treat any page that opens a sign-in window and then asks for input back as suspicious by default.

Fortulio specifically monitors behavioural signals at the browser layer in real time. When a page opens an OAuth flow and a user pastes an authorisation URL back into the page, Fortulio detects the pattern and intervenes before the token is exchanged, because no legitimate application ever asks you to do that.
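A minimal browser-side version of that signal, as an added example that is not Fortulio's code: it classifies text pasted into a page by whether it parses as an OAuth 2.0 authorization response URL (RFC 6749 `code`/`state` in the query, or `access_token`/`id_token` in the fragment), which a user can only obtain by copying their address bar after a consent prompt. The host names and parameter values are constructed, and the paste hook is a plain `addEventListener` on whatever root element is passed in.

```javascript
// Added example, not Fortulio's code. Heuristic classifier for pasted text:
// flags strings that look like an OAuth 2.0 authorization response URL.
// Parameter names follow RFC 6749 (code, state) and the implicit/hybrid
// flows (access_token, id_token in the fragment).
function classifyPastedText(text) {
  const trimmed = String(text).trim();
  let url;
  try {
    url = new URL(trimmed);
  } catch {
    return { suspicious: false, reason: 'not a URL' };
  }
  if (url.protocol !== 'https:' && url.protocol !== 'http:') {
    return { suspicious: false, reason: 'not a web URL', host: url.host };
  }
  const query = url.searchParams;
  const fragment = new URLSearchParams(url.hash.replace(/^#/, ''));
  const found = [];
  // Authorization code grant: the IdP redirects to ?code=...&state=...
  if (query.has('code')) found.push('code');
  if (query.has('state') || fragment.has('state')) found.push('state');
  // Implicit / hybrid flows: tokens are returned in the URL fragment.
  for (const p of ['access_token', 'id_token']) {
    if (fragment.has(p)) found.push(p);
  }
  const hasCredential = ['code', 'access_token', 'id_token'].some((p) => found.includes(p));
  if (!hasCredential) {
    return { suspicious: false, reason: 'no authorization response parameters', host: url.host };
  }
  // A user pasting this back into a page is the ConsentFix fingerprint.
  return {
    suspicious: true,
    reason: `pasted OAuth authorization response (${found.join(', ')})`,
    host: url.host,
    params: found,
  };
}

// Wire the classifier to paste events on a DOM root (document, a form, ...).
// Returns false when no event target is available, e.g. outside a browser.
function attachPasteMonitor(root, onDetect) {
  if (!root || typeof root.addEventListener !== 'function') return false;
  root.addEventListener('paste', (ev) => {
    const text = ev.clipboardData ? ev.clipboardData.getData('text') : '';
    const verdict = classifyPastedText(text);
    if (verdict.suspicious) onDetect(verdict, ev);
  });
  return true;
}
```

In a real deployment the `onDetect` callback would block the form submission and raise an alert; the classifier alone only tells you that an authorization response URL was pasted, not whether the page receiving it is malicious.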

Consentfix Block