Podcast Summary: Risky Bulletin – Push Security on ConsentFix Attacks
Host: Kathleen Campano (A), Risky Business
Guest: Luke Jennings (B), VP of Research and Development at Push Security
Release Date: January 26, 2026
Episode Overview
In this episode, Kathleen Campano interviews Luke Jennings from Push Security to discuss "ConsentFix"—a newly identified, sophisticated browser-based identity attack. The conversation explores what makes ConsentFix different from traditional phishing techniques, the mechanics and scale of the attack, how attackers evade detection, why users are susceptible, and the broader implications for browser security and identity-based threats.
Key Discussion Points & Insights
1. Introduction to ConsentFix Attacks
- Push Security's Focus: Push develops a browser extension for threat detection and response, focusing on browser-based attacks as more enterprise work moves to web apps.
- Early Detection: Push observed and researched the ConsentFix attack before it was widely reported, leading to their public warning and analysis.
2. What is ConsentFix? (01:06)
- Attack Mechanism:
- Compromised legitimate sites display a fake Cloudflare Turnstile (CAPTCHA-style) challenge that asks the visitor to enter an email address.
- The entered email decides whether the visitor is attacked at all: only users of interest are taken further.
- Targeted users are walked, by video instructions, through a genuine Microsoft login page in a way that, without their realizing it, authorizes an OAuth application (the Azure CLI client) so that the resulting tokens end up with the attacker rather than the user.
- Following the instructions, the user copies a URL/code from the legitimate Microsoft domain and pastes it back where the attacker collects it, ultimately handing OAuth tokens to the attacker.
- Critical Impact: The attacker can act in the victim’s Microsoft account as that user. No password or MFA response is ever captured: the victim completes a genuine sign-in, which is why even passkey-protected accounts are exposed.
- Quote:
“It was a pure, like, browser-native identity attack that could even bypass passkeys in this case.”
— Luke Jennings (02:38)
3. Scale and Targeting (03:17)
- Attack Spread: Widespread watering hole approach via compromised legitimate websites.
- Selective Targeting: Attackers filter by entered email—attacking only users of interest (by domain or individual).
- Quote:
“It was a really interesting sort of combination, I think, of very widespread, but with some targeting at the filtering stage.”
— Luke Jennings (04:17)
4. Difference from ClickFix Attacks (04:30)
- Traditional ClickFix: Social-engineers users into running a command or code on their endpoint.
- ConsentFix: Purely browser-based; the end user never runs code and never enters a password.
- Quote:
“ConsentFix doesn’t touch the endpoint. That’s where it differs from traditional ClickFix. It’s fully, sort of fully in the browser, fully in the identity world.”
— Luke Jennings (05:32)
5. Detection and Defense (05:44)
- Push Security Approach: Their browser extension flagged the attack due to abnormal Microsoft service use.
- Detection Challenge: Such attacks evade traditional endpoint and network security monitoring.
- Quote:
“Ultimately, there’s very little you can see with traditional solutions there. So us being in the browser then meant we could see all these things occurring.”
— Luke Jennings (06:23)
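The episode only says that Push's extension noticed "abnormal Microsoft service use"; it gives no detection logic. The following is an added example, not Push Security's code and not from the podcast, of what that signal can look like in sign-in telemetry: a user signing in to a developer-tool OAuth client (Azure CLI is the client named in the episode) for the first time, followed minutes later by the same client appearing from a different IP address as the harvested code/tokens are redeemed elsewhere. The sample events are constructed, the field names are an assumption that only loosely follows Microsoft Entra sign-in log properties, and the second app in the watch-list is an assumption added to show the set is meant to be extended.

```python
from datetime import datetime, timedelta

# Constructed sample sign-in events (not real logs). The field names are an
# assumption for this example; map your own sign-in export onto them.
SAMPLE_SIGNINS = [
    {"ts": "2026-01-20T09:01:00", "user": "alice@example.com", "app": "Microsoft Office",    "ip": "203.0.113.10"},
    {"ts": "2026-01-21T09:05:00", "user": "alice@example.com", "app": "Microsoft Teams",     "ip": "203.0.113.10"},
    {"ts": "2026-01-22T14:30:00", "user": "bob@example.com",   "app": "Microsoft Azure CLI", "ip": "198.51.100.7"},
    {"ts": "2026-01-26T11:47:00", "user": "alice@example.com", "app": "Microsoft Azure CLI", "ip": "203.0.113.10"},
    {"ts": "2026-01-26T11:49:00", "user": "alice@example.com", "app": "Microsoft Azure CLI", "ip": "192.0.2.200"},
]

# Legitimate OAuth clients that an ordinary end user has no reason to sign in to
# directly. Azure CLI is the client named in the episode; the second entry is an
# assumption added to show the watch-list is meant to be extended.
DEV_TOOL_APPS = {"Microsoft Azure CLI", "Microsoft Azure PowerShell"}


def detect_dev_tool_signin_anomalies(signins, ip_switch_window=timedelta(minutes=30)):
    """Return alerts for two patterns over a list of sign-in events.

    1. first_use_of_dev_tool_app: a user signs in to a dev-tool client for the
       first time. A ConsentFix-style authorization on the real Microsoft login
       page looks exactly like this, because the victim never used the client.
    2. ip_switch_after_authorization: the same user and dev-tool client appear
       again within ip_switch_window from a different IP address. The victim
       authorizes from their own network while whoever holds the copied
       code/tokens uses them from elsewhere, so the two events sit close
       together but disagree on origin (heuristic: VPN hops also trigger it).
    """
    seen = set()   # (user, app) pairs already observed
    last = {}      # (user, app) -> most recent event for that pair
    alerts = []
    # ISO-8601 timestamps with a fixed format sort correctly as strings.
    for ev in sorted(signins, key=lambda e: e["ts"]):
        if ev["app"] not in DEV_TOOL_APPS:
            continue
        key = (ev["user"], ev["app"])
        ts = datetime.fromisoformat(ev["ts"])
        if key not in seen:
            seen.add(key)
            alerts.append({"rule": "first_use_of_dev_tool_app", "user": ev["user"],
                           "app": ev["app"], "ts": ev["ts"], "ip": ev["ip"]})
        prev = last.get(key)
        if prev is not None and prev["ip"] != ev["ip"]:
            gap = ts - datetime.fromisoformat(prev["ts"])
            if gap <= ip_switch_window:
                alerts.append({"rule": "ip_switch_after_authorization", "user": ev["user"],
                               "app": ev["app"], "ts": ev["ts"], "ip": ev["ip"],
                               "previous_ip": prev["ip"],
                               "minutes_since_previous": gap.total_seconds() / 60})
        last[key] = ev
    return alerts


if __name__ == "__main__":
    for alert in detect_dev_tool_signin_anomalies(SAMPLE_SIGNINS):
        print(alert)
```

On the sample data the function raises three alerts: bob's first Azure CLI sign-in, alice's first Azure CLI sign-in, and the second Azure CLI sign-in for alice two minutes later from a different address. The first rule alone is noisy for engineers who really do use the CLI; the pairing with the IP switch is what narrows it to the copy-and-paste pattern the episode describes.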
6. Proliferation and Threat Landscape (06:52)
- Current Status: The attack is not yet broadly copied, but similar OAuth attacks have been seen in targeted phishing.
- Potential for Widespread Exploitation: Attack could be reused with other apps or if incorporated into phishing/criminal kits.
- Quote:
“If it ends up in a criminal kit or in an open source tool, then people will use it more or variate... there are other apps that it could be used with in Microsoft Tool."
— Luke Jennings (07:56)
7. Why ConsentFix Succeeds (08:09)
- Social Engineering Power: ConsentFix manipulates users into doing things that aren’t considered risky (e.g., copying URLs, following instructions).
- User Training Gap: No warnings or training for these types of actions—users see legitimate domains and standard flows.
- Authentication Complexity: Modern identity systems’ complexity creates opportunities for attackers.
- Quote:
“They're not performing actions that ordinary users have even been trained to think are malicious... We've not trained users to think of that as suspicious.”
— Luke Jennings (08:34)
8. Broader Trends in Browser-Based Attacks (09:59)
- Shift Away from Traditional Exploits: Email and endpoint phishing controls are now stronger, causing attackers to pivot to identity and browser-based vectors.
- Browser & Identity as New Weak Points: Attackers exploit identity relationships and SSO—once an identity is compromised, lateral movement is possible without touching infrastructure or endpoints.
- Quote:
“Once you've compromised their identity within their browser, you can then use that to laterally move to loads of other systems as well through SSO mechanisms. And all of this sits outside of what usual monitoring we tend to have in place."
— Luke Jennings (11:17)
Notable Quotes & Memorable Moments
- On the Attack’s Novelty:
“We realized it was actually a brand new attack technique... that completely circumvents everything as well. Like that even circumvents passkeys if you're using it and the user didn't need to enter a password.”
— Luke Jennings (01:39)
- On Selective Targeting:
“Depending on what email address was entered by the user... it would depend whether it bothered to execute an attack.”
— Luke Jennings (03:39)
- On User Perceptions:
“We haven't trained users to think of that as suspicious. And with ConsentFix in particular, it was actually on the legitimate Microsoft domain where the code was being copied from.”
— Luke Jennings (08:43)
- On the Broader Threat Environment:
“Ultimately, they hit people through the browser, and they compromise their identities, and they just circumvent most of the controls we take for granted now.”
— Luke Jennings (12:27)
Important Segment Timestamps
- ConsentFix Explainer: 01:06–03:04
- Attack Spread & Targeting: 03:17–04:30
- ConsentFix vs ClickFix: 04:30–05:44
- Push Security's Detection: 05:44–06:52
- Developments & Potential Proliferation: 06:52–07:56
- Why Users Fall for These Attacks: 08:09–09:59
- Broader Browser/Identity Threat Trends: 09:59–12:52
Summary & Takeaways
ConsentFix represents a significant evolution in identity-centric attacks, exploiting user trust and browser-based workflows without requiring endpoint compromise or password capture. The attack’s sophistication lies in its use of legitimate flows, selective targeting, and its ability to evade standard security controls. The growing complexity of identity and authentication systems, combined with a lack of user awareness and training for these new attack methods, amplifies the risk. As attackers bypass traditional controls, detection requires visibility at the browser level—highlighting a critical area for enterprise defense moving forward.
