OAuth Consent Hijacking (ConsentFix & ClickFix) Enables 3‑Second Microsoft 365 Account Takeover
What Happened — Attackers manipulate Microsoft 365 OAuth consent flows (ConsentFix) or inject fake keyboard‑shortcut prompts (ClickFix) to steal OAuth tokens in as little as three seconds. No password or MFA is entered; the victim merely follows a seemingly legitimate workflow, handing the attacker a valid session token.
Why It Matters for Compliance & Audit Readiness
- Demonstrates a gap in SOC 2 Access Control criteria where token‑based sessions are not treated as credential assets that must be monitored and revoked.
- Highlights the need for continuous evidence of MFA enforcement, conditional‑access policies, and user‑awareness controls that can be audited as part of a SOC 2 readiness program.
Who Is Affected — SaaS providers, enterprise IT departments, and any organization that relies on Microsoft 365 for email, collaboration, and data storage (primarily TECH_SAAS and FIN_SERV sectors).
Recommended Actions
- Enforce MFA and Conditional Access for all OAuth consent flows.
- Deploy real‑time monitoring of token issuance and anomalous token usage.
- Update security awareness training to cover OAuth consent‑flow phishing and “drag‑and‑drop” token‑theft techniques.
- Implement automated token revocation and audit‑ready logging of consent events.
Technical Notes — The attacks exploit user habituation to OAuth consent prompts and keyboard‑shortcut tricks; no software vulnerability (CVE) is required. Tokens granted via the consent flow provide full access to Exchange, SharePoint, Teams, and other M365 services. Source: BleepingComputer