Two separate techniques show how attackers are leaning on user trust - one through a promoted macOS lure, the other through browser-based Microsoft 365 token abuse.
ConsentFix and ClickFix show how a fake prompt and an OAuth flow can turn Microsoft 365 identity controls into a fast-moving token theft problem.
A fast-evolving phishing technique exposes the cracks in OAuth security - and the urgent need for new detection strategies.
A new attack dubbed "ConsentFix" lets cybercriminals bypass trusted Microsoft authentication - and snatch the keys to the cloud.
A new social engineering scheme lets attackers seize Microsoft accounts without ever asking for your password - or triggering security warnings.