The Hacker’s 2026 Playbook from the Dark Web
The article details two evolving social engineering techniques: ClickFix, which tricks users into pasting and executing attacker-supplied PowerShell commands via fake prompts, and ConsentFix, which abuses Microsoft 365 OAuth consent flows by manipulating users into dragging a localhost callback link into the browser to capture session tokens. A complete ConsentFix playbook with working code was publicly shared on a Russian cybercrime forum, enabling widespread adoption. Both techniques bypass traditional security controls by exploiting user muscle memory and legitimate platform infrastructure.
- domainsecurity-updater[.]comPhishing domain shown in the article image used as part of the ConsentFix OAuth token theft flow, spoofing Microsoft Entra branding to trick users into dragging a localauth callback link into a drop zone.
Detection / Hunteropenrouter
What Happened
Cybercriminals have developed new tricks that fool people into accidentally giving away access to their accounts. One method, called ConsentFix, targets Microsoft 365 users by making them drag a link into their browser during what looks like a normal sign-in process, which secretly hands over access tokens to the attacker. Another method, called ClickFix, tricks people into pressing keyboard shortcuts that silently run malicious commands on their computer. A step-by-step guide for ConsentFix was publicly posted on a criminal forum, making it easy for more attackers to copy. Anyone using Microsoft 365 or Windows computers should be cautious of unusual sign-in prompts or requests to press keyboard shortcuts, and organizations should monitor for suspicious activity on employee accounts and devices.
Key Takeaways
- ConsentFix abuses Microsoft 365 OAuth consent flows by tricking users into dragging a localhost callback link into the browser, capturing session tokens that bypass MFA and passwords entirely.
- A full ConsentFix playbook with working code, infrastructure screenshots, and video walkthrough was publicly posted on a Russian cybercrime forum by early March 2026, lowering the barrier to entry for attackers.
- Attackers leverage legitimate platforms (Cloudflare Pages, workers.dev, Pipedream webhooks, Dropbox, DocSend) for infrastructure and use LinkedIn, ZoomInfo, and Hunter.io for target reconnaissance.
- ClickFix remains active and tricks users into pressing Win+R, Ctrl+V, Enter to paste and execute attacker-supplied PowerShell commands via fake CAPTCHA-style prompts.
- Detection requires visibility into suspicious PowerShell activity originating from browser processes and unusual Microsoft 365 session activity from atypical locations.
Affected Systems
- Microsoft 365 (Exchange Online, OneDrive, Teams)
- Microsoft Entra ID (formerly Azure AD)
- Windows endpoints (ClickFix PowerShell execution)
Attack Chain
Attackers first conduct target reconnaissance using LinkedIn employer profiles, ZoomInfo, and Hunter.io to map victims and tailor lures. A phishing lure is sent, often leveraging trusted platforms like Dropbox or DocSend, sometimes password-protected to evade security inspection. For ConsentFix, the victim is directed to a fake Microsoft sign-in page (e.g., security-updater.com) and instructed to drag a localhost callback link containing a 'localauth' redirect URL from the browser address bar into a drop zone, which captures OAuth session tokens. For ClickFix, the victim is shown a fake prompt instructing them to press Win+R, Ctrl+V, Enter, which pastes and executes attacker-supplied PowerShell commands. In both cases, the attacker gains access without needing passwords or bypassing MFA through traditional credential theft.
Detection Availability
- YARA Rules: No
- Sigma Rules: No
- Snort/Suricata Rules: No
- KQL Queries: No
- Splunk SPL Queries: No
- EQL Queries: No
- Other Detection Logic: No
The article does not provide any detection rules, queries, or signatures. It describes behavioral indicators such as suspicious PowerShell activity from user processes and unusual Microsoft 365 session activity from atypical locations, but does not include formal detection logic.
Detection Engineering Assessment
EDR Visibility: Medium — EDR can detect ClickFix-related PowerShell execution spawned from browser processes, but ConsentFix operates largely within the browser and OAuth token layer, which may not generate traditional process-based telemetry. Browser-based drag-and-drop actions are unlikely to be captured by most EDR solutions. Network Visibility: Low — Attackers abuse legitimate platforms (Cloudflare Pages, workers.dev, Dropbox, DocSend, Pipedream) for infrastructure, making network-level detection difficult since traffic blends in with normal user activity to trusted services. Detection Difficulty: Hard — Both techniques are designed to blend into normal user workflows and leverage legitimate platforms. ConsentFix token theft occurs within the browser and OAuth layer, producing minimal endpoint artifacts. ClickFix PowerShell execution is more detectable but still relies on user-initiated actions that may appear semi-legitimate.
Required Log Sources
- Microsoft 365 audit logs (OAuth consent grants, sign-in activity)
- Microsoft Entra ID sign-in logs and conditional access logs
- EDR process telemetry (browser-spawned PowerShell)
- Web proxy or DNS logs for phishing domain resolution
- Cloud app security / CASB logs for anomalous OAuth app activity
Hunting Hypotheses
| Hypothesis | Telemetry | ATT&CK Stage | FP Risk |
|---|---|---|---|
| Consider hunting for PowerShell or command-line execution spawned directly by browser processes, which may indicate ClickFix-style social engineering leading to code execution. | EDR process telemetry showing browser process as parent of powershell.exe or cmd.exe | Execution | Medium — some legitimate browser extensions or enterprise tools may spawn child processes from browser contexts. |
| Consider hunting for new OAuth consent grants in Microsoft 365/Entra ID that were initiated from unusual IP addresses or geographies, which may indicate ConsentFix token capture. | Microsoft Entra ID audit logs for OAuth app consent grants and sign-in logs with geo-IP correlation | Credential Access | Medium — legitimate OAuth consent flows are common; correlation with unusual locations or new app registrations reduces false positives. |
| Consider hunting for Microsoft 365 session activity where the initial authentication originated from a different geography or IP range than the user's typical pattern, indicating possible session token replay. | Microsoft 365 sign-in logs and Unified Audit Log for mailbox, OneDrive, or Teams access from anomalous locations | Defense Evasion / Persistence | Low to Medium — travel and VPN use can generate anomalies, but sudden access from never-before-seen regions warrants investigation. |
| Consider hunting for DNS resolution of domains mimicking Microsoft or security update branding, which may indicate ConsentFix or ClickFix phishing infrastructure. | DNS logs, web proxy logs, or ZTNA logs showing resolution of suspicious domains containing terms like 'security-updater' or 'localauth' | Initial Access | Low — domains combining security-related terms with non-Microsoft TLDs are rare in legitimate use. |
Control Gaps
- Traditional email security and AV may not inspect password-protected phishing lures delivered via Dropbox or DocSend.
- MFA does not prevent ConsentFix attacks because the attacker captures the session token after authentication, not the credentials.
- Network security controls may not flag traffic to legitimate platforms (Cloudflare Pages, workers.dev, Pipedream) even when used for malicious infrastructure.
- Browser-based drag-and-drop actions are not typically logged or monitored by EDR or SIEM solutions.
Key Behavioral Indicators
- Browser process (e.g., chrome.exe, msedge.exe) spawning powershell.exe or cmd.exe as a child process
- New OAuth consent grants in Entra ID for unfamiliar applications or from unusual locations
- Microsoft 365 session activity originating from IP addresses or geographies inconsistent with the user's historical baseline
- Phishing pages instructing users to drag an address bar icon or press Win+R keyboard shortcuts
- DNS queries for domains combining security-related terms with non-Microsoft infrastructure
False Positive Assessment
- Medium — ClickFix detections based on browser-to-PowerShell process ancestry may generate false positives from legitimate browser extensions or enterprise tools. ConsentFix detections based on OAuth consent grants will require correlation with geography and application reputation to reduce noise from legitimate consent flows.
Recommendations
Immediate Mitigation
- Verify against your organization's incident response runbook and team escalation paths before acting. Consider reviewing recent Microsoft 365 OAuth consent grants in Entra ID for any suspicious or unfamiliar applications.
- Consider blocking the phishing domain security-updater.com at web proxy, DNS, or firewall layers if your infrastructure supports domain-based filtering.
- If your EDR supports it, consider creating detection rules for PowerShell or cmd.exe processes spawned by browser processes, which may indicate ClickFix activity.
- Consider reviewing Microsoft 365 audit logs for sign-in events from unusual geographies or IP ranges in the past 30 days.
Infrastructure Hardening
- Evaluate whether your Entra ID configuration can restrict OAuth consent grants to pre-approved applications only, reducing the risk of ConsentFix-style token theft.
- Consider implementing conditional access policies that restrict Microsoft 365 access from untrusted or anomalous locations.
- If supported by your email security platform, consider enabling enhanced scanning for password-protected attachments or links delivered via Dropbox and DocSend.
- Consider implementing session timeout policies for Microsoft 365 to limit the window of opportunity for stolen session tokens.
User Protection
- Consider deploying browser security extensions that warn users about suspicious drag-and-drop interactions or clipboard manipulation.
- If your EDR supports script blocking or constrained PowerShell, consider enabling policies that prevent PowerShell execution originating from browser processes.
- Evaluate whether your organization can implement FIDO2 hardware security keys, which provide stronger phishing resistance than software-based MFA for Microsoft 365.
Security Awareness
- Consider adding ClickFix and ConsentFix scenarios to existing security awareness training, emphasizing that legitimate Microsoft sign-in flows will never ask users to drag a link or press Win+R.
- Consider training users to be suspicious of any website instructing them to press keyboard shortcuts or drag elements from the address bar.
- Consider reinforcing the message that password-protected documents shared via Dropbox or DocSend from unknown senders warrant extra scrutiny.
- Consider encouraging users to report any unusual sign-in prompts or authentication flows through your organization's existing reporting channels.
MITRE ATT&CK Mapping
- T1566.002 - Spearphishing Link
- T1528 - Steal Application Access Token
- T1185 - Browser Session Hijacking
- T1059.001 - PowerShell
- T1204.002 - User Execution: Malicious File
- T1592.002 - Gather Victim Host Information: Software
- T1589.002 - Gather Victim Identity Information: Email Addresses
Additional IOCs
- Command Lines:
- Purpose: ClickFix technique instructs users to open Run dialog and paste attacker-supplied commands via keyboard shortcuts | Tools:
powershell.exe,cmd.exe| Stage: Initial execution via social engineering
- Purpose: ClickFix technique instructs users to open Run dialog and paste attacker-supplied commands via keyboard shortcuts | Tools: