TempMail Ninja
//

Social Engineering Attacks Surge: ClickFix and ConsentFix Threats

6 min read
TempMail Ninja
Social Engineering Attacks Surge: ClickFix and ConsentFix Threats

The enterprise threat landscape is witnessing a profound shift in cybercriminal tradecraft. Traditional malware campaigns, which historically relied on exploiting unpatched software vulnerabilities, are increasingly taking a backseat to highly structured, browser-native social engineering attacks. Rather than fighting against robust operating system defenses, modern threat actors now target the ultimate execution engine: the user. By manipulating human trust and exploiting standard administrative workflows, cybercriminals are successfully bypassing multi-factor authentication (MFA) and built-in system protections across both macOS and Microsoft 365 environments.

This paradigm shift is perfectly illustrated by two concurrent campaigns peaking across the digital threat landscape. The first, a macOS-centric operation known as “ClickFix,” weaponizes paid social media advertising to bypass Apple’s rigorous Gatekeeper security. The second, a cloud-native campaign dubbed “ConsentFix,” targets Microsoft Entra ID tenants by abusing legitimate OAuth 2.0 authorization flows. Both threats highlight how modern attackers exploit the implicit trust embedded in verified platforms and enterprise integrations to establish persistent access and execute high-impact data exfiltration.

The macOS ClickFix Surge: Weaponizing Sponsored X Ads and Evading Gatekeeper

For years, macOS users operated under a false sense of security, believing that Apple’s native defensive suite was nearly impenetrable to automated web threats. However, the ClickFix campaign demonstrates how easily these defenses can be bypassed when attackers exploit user-driven execution. The campaign begins on X (formerly Twitter), where threat actors hijack verified corporate accounts with substantial follower bases to run highly targeted, sponsored advertisements. This approach exploits X’s paid advertising infrastructure to bypass automated ad screening while instantly establishing a high degree of credibility with potential victims.

The Anatomy of the “DynamicLake” Lure

The sponsored ads promote a fake version of “DynamicLake,” a popular and legitimate utility designed to bring a functional “Dynamic Island” to MacBook screen notches. When an unsuspecting user clicks the sponsored ad, they are redirected to a lookalike domain—dynamicmacisland[.]com—which meticulously mimics the design of the legitimate software publisher. Rather than offering a standard application download, the site presents a classic “ClickFix” prompt. It informs the user that a local error has occurred and instructs them to copy a pre-packaged command to their clipboard, open the macOS Terminal utility, and paste the code to initiate a “manual installation”.

The Technical Security Bypass: Evading Apple’s Gatekeeper

This workflow-based interaction is a deliberate evasion technique designed to sidestep Apple’s Gatekeeper security framework. When a user downloads a standard application bundle (such as a .dmg or .pkg file) through a web browser, macOS automatically appends a com.apple.quarantine extended attribute to the file. This attribute triggers Gatekeeper to verify the application’s code-signing and cryptographic notarization before allowing it to execute.

However, when a user manually opens the Terminal app and executes a pasted shell command (frequently leveraging native utilities like curl, zsh, or osascript), the operating system treats the execution as an intentional, native command-line action initiated by an authorized administrator. Because there is no application bundle to evaluate, Gatekeeper does not trigger. The malicious script executes silently with the active user’s permissions, running a script-based loader that fetches and installs high-impact info-stealing malware, including:

  • Atomic Stealer (AMOS / MacSync): A highly active macOS info-stealer designed to sweep local directories for sensitive assets.
  • DigitStealer: A specialized payload targeting browser credentials and localized databases.

Once deployed, these malware variants immediately exfiltrate Apple Keychain credentials, browser cookies, active session tokens, iCloud files, and local cryptocurrency wallet private keys directly to attacker-controlled command-and-control (C2) servers.

ConsentFix: The Next-Gen Threat in Social Engineering Attacks Against Microsoft 365

While the macOS campaign targets local endpoints, the parallel “ConsentFix” (or AuthCodeFix) campaign focuses on securing persistent access to enterprise cloud environments. Unlike traditional credential-harvesting phishing operations that attempt to steal usernames and passwords, ConsentFix relies on browser-native interactions to hijack OAuth 2.0 authorization codes. Because the entire authentication process occurs on legitimate Microsoft infrastructure, this technique completely bypasses multi-factor authentication (MFA) prompts and conditional access policies without triggering traditional security alerts.

Abusing Pre-Consented First-Party Applications

The brilliance of the ConsentFix attack lies in its exploitation of Microsoft’s pre-consented first-party applications. By default, every Microsoft Entra ID tenant has pre-approved authorization for core development and administration tools. These applications include:

  1. Microsoft Azure CLI (Application ID: 04b07795-8ddb-461a-bbee-02f9e1bf7b46)
  2. Azure PowerShell (Application ID: 1950a258-227b-4e31-a9cf-717495945fc2)
  3. Visual Studio (Application ID: 04f0c124-f2bc-4f59-8241-bf6df9866bbd)

Because these applications are globally pre-consented, any user in an organization can authenticate to them without requiring administrative approval. Attackers exploit this behavior by crafting a malicious sign-in URL that points directly to the official Microsoft Entra ID login portal, but configures the request to authorize one of these trusted first-party apps.

The Localhost Error and the Social Engineering Trap

When the victim clicks a malicious search result or compromised link, they are redirected to the authentic Microsoft login page. Because the page is legitimate, the user completes the login flow, including any required MFA challenges. Under a normal OAuth 2.0 authorization code flow for native applications, Microsoft’s authorization server redirects the browser to a local loopback address (such as http://localhost:[port]) to pass the temporary authorization code to the locally running CLI tool.

In the context of the ConsentFix attack, however, there is no legitimate CLI tool running on the victim’s device to receive the redirect. Consequently, the browser displays a standard network error page (e.g., “This site can’t be reached”). Crucially, the sensitive authorization code remains visible in the browser’s address bar as part of the redirect URL parameter (e.g., ?code=M.R3_...).

The campaign then deploys a specialized “ClickFix” social engineering prompt. A browser-native pop-up appears, claiming that a “synchronization error” has occurred. The user is instructed to copy the entire URL from the address bar and paste or drag-and-drop it into the troubleshooting field on the attacker’s landing page to “fix” the connection. Once the victim complies, the attacker’s backend infrastructure immediately intercepts the authorization code and exchanges it for a valid OAuth access token and refresh token.

Silent Persistence via the Family of Client IDs (FOCI)

By capturing the OAuth tokens, the attacker achieves complete, silent compromise. Because the user successfully completed the MFA challenge during the initial sign-in, the newly generated tokens are fully authorized and bypass all subsequent MFA prompts and password changes. Furthermore, the attacker exploits a design pattern within the Microsoft ecosystem known as the Family of Client IDs (FOCI).

Under the FOCI architecture, first-party Microsoft applications belong to a single “family”. A refresh token issued for one FOCI application (such as the Azure CLI) can be used silently to request access tokens for other members of the family—such as SharePoint Online, Microsoft Teams, and Exchange Online—without forcing the user to re-authenticate. This allows cybercriminals to navigate laterally across the victim’s cloud environment and maintain persistent, undetected access for up to 90 days.

Mitigating the Dual Threat: Hardening macOS and Cloud Identity

Defending against these advanced, user-driven campaigns requires a multi-layered security strategy that goes beyond basic employee awareness training. Security teams must implement aggressive technical controls to disrupt the attack chain at both the endpoint and cloud identity levels.

Hardening the macOS Endpoint

To defend against terminal-based ClickFix campaigns, organizations should adopt

TN

Written by

TempMail Ninja

Digital privacy and online security expert. Passionate about creating tools that protect users' identity on the internet.