The Three-Second Handoff You Didn't Know You Made

You clicked a link. A Microsoft login screen appeared. You typed your username and password — or maybe you didn't, because you were already logged in. Then a prompt showed up asking if you'd like to grant access to "Microsoft Document Collaboration Tool" or "Office Productivity Suite." The logo looked right. The domain said microsoft.com. You clicked Yes because you click Yes to these prompts every single week. Three seconds later, someone on the other side of the world had full access to your email, files, calendar, and contacts. They didn't guess your password. They didn't bypass your multi-factor authentication. You handed them the keys because the door looked exactly like every other door Microsoft has trained you to walk through.

The Permission Scam That Feels Like Normal Business

Here's what actually happened. That prompt wasn't asking if you wanted to use a tool — it was asking if you'd give a stranger's app permission to act on your behalf inside your Microsoft 365 account. This is called an OAuth consent flow, and it's the same system that lets you click "Sign in with Google" on random websites without giving them your password. It's designed to make life easier. It works by creating a token — a temporary key that grants access without requiring credentials again. The problem is that once you say yes, the app gets that key. And if the app is controlled by an attacker, so do they.

ConsentFix and ClickFix are the names researchers gave to the two attack methods spreading right now. ConsentFix tricks you into granting consent to a malicious app that looks legitimate. ClickFix makes you think you're fixing a technical problem — maybe a video won't load, or a document says it's corrupted — and the "fix" is actually a script that registers the attacker's app and grants it access behind the scenes. Both attacks abuse the same truth: Microsoft built a system that assumes you can tell the difference between a real request and a fake one. You can't. Nobody can. The prompts look identical.

What makes this worse is that these tokens often come with admin-level permissions. The attacker doesn't just read your email — they can send email as you, access SharePoint sites you're part of, join Teams meetings, edit files, even create new users if your role allows it. And because they're using a token that you authorized, it doesn't look like a breach. It looks like you're working late.

Why Fixing This Became Microsoft's Job (And Why They Haven't)

OAuth consent flows used to be an enterprise IT problem. In 2019, attackers started using them at scale, and Microsoft responded by adding admin controls that let companies restrict which apps could request consent. But those controls are off by default, and most organizations either don't know they exist or don't turn them on because it breaks too many workflows. Employees need to connect third-party tools. Sales uses Zoom. Marketing uses Canva. Finance uses DocuSign. Every app wants OAuth consent. Blocking them all isn't realistic, so companies leave the door open — and attackers walk through it wearing a badge that says "Productivity Tool."

The other thing that changed: phishing kits. You used to need technical skill to build a fake consent page and handle the OAuth tokens. Now you can buy a prebuilt ClickFix or ConsentFix kit on Telegram for $200. The kit includes templates, hosting, and instructions written for people who've never written code. Attackers are running these at scale, targeting thousands of users a day. The success rate is high because the attack doesn't look like an attack. It looks like Microsoft asking you to do something Microsoft asks you to do constantly.

And here's the part nobody's saying out loud: Microsoft benefits from OAuth being frictionless. The easier it is to connect apps, the stickier the Microsoft 365 platform becomes. Tightening consent flows would make the product harder to use, slow down adoption of the app marketplace, and generate support tickets. So the default remains permissive. The risk stays with you.

What You Can Actually Do About It Right Now

1. Audit what already has access. Go to myapps.microsoft.com, click on your profile, and look at the list of apps with permissions to your account. Revoke anything you don't recognize or haven't used in six months. Do this today. Then do it again in a month.

2. Stop clicking Yes on consent prompts unless you initiated the action. If you didn't go looking for an app, don't grant it access. If a link or email led you to a consent screen, close it. Go directly to the real app or service and start the process yourself.

3. Watch for "fix" prompts that aren't really fixes. If a website says you need to run a script, copy a command, or approve access to view a document, stop. That's ClickFix. Real document errors don't ask for OAuth permissions.

4. If you're in a company with IT support, ask if "user consent" is disabled for third-party apps. This is a setting that forces all OAuth requests to go through an admin approval process. It's not perfect, but it stops attacks that rely on tricking individual users.

5. Check your Microsoft 365 sign-in logs. Go to your account security settings and look at recent activity. If you see logins from places you've never been or apps you don't use, revoke access immediately and reset your password — even though password reset won't stop an OAuth token that's already been issued.

Have you ever clicked "allow" on a prompt you didn't fully understand just to get work done?

Identity Decoded publishes every week at identity-decoded.com

Reply

Avatar

or to participate

Keep Reading