Tendvane

← All articles

SecurityJuly 10, 2026

The scam that steals your Microsoft account without a password or malware: ConsentFix

Security researchers spent early July 2026 warning about a clever new attack called ConsentFix. What makes it alarming is what it doesn't need: it takes over a Microsoft 365 account without you typing a password, without installing any malware, and without tripping your two-factor authentication. Reports describe the account being handed over in as little as three seconds.

Here's the move it relies on. You get an email - often with a link hosted on a trusted service like Dropbox - that leads to what looks like a normal Microsoft sign-in page. To "finish signing in," it asks you to drag a link into your browser's address bar (or copy and paste it there). That link quietly hands the attacker your active session token - the digital pass that proves you're already logged in - so they walk straight into your email, OneDrive and files without ever needing your password or your 2FA code.

The rule that keeps you safe: a real sign-in never asks you to drag, copy, or paste a link into your address bar to "complete" it - just as a real update never asks you to paste a command into Run (the related ClickFix scam). If a page asks you to, close the tab. It's also worth signing in at account.microsoft.com and, under Security, reviewing which apps have access to your account - remove anything you don't recognise, and change your password if you think you were caught.

ConsentFix works by tricking you, so no app can fully block it - knowing the one giveaway is the real defence. But Tendvane's Privacy & accounts check shows how your sign-in accounts are set up so you can spot anything out of place, and if a scam link led to something being installed, its Safety check surfaces unexpected startup programs and browser extensions.

Sources

Download Tendvane