Microsoft fixed an Outlook bug as researchers reveal sophisticated attacks bypassing multi-factor authentication through fake prompts.
Microsoft recently addressed a technical issue affecting Outlook users where the Copilot AI assistant buttons were unexpectedly disappearing from the email interface. The company has now deployed a fix to restore these features for users who rely on the AI writing and summarization tools built into their email client.
While this bug fix addresses a user experience problem, security researchers have simultaneously uncovered a more troubling issue: attackers are using sophisticated social engineering schemes to steal sensitive access credentials from Microsoft 365 subscribers.
Security experts have identified two related attack methods called ConsentFix and ClickFix. Think of these like digital con artists posing as trusted assistants. Here's how they work in simple terms:
Attackers create fake dialog boxes and prompts that look almost identical to legitimate Microsoft authorization screens. When unsuspecting users see these convincing fakes, they click "approve" just as they would for a real service. However, instead of enabling a helpful feature, they're actually handing over authentication tokens—digital keys that give hackers full access to email, files, and other sensitive data stored in Microsoft 365 accounts.
The concerning part? These attacks are reportedly bypassing multi-factor authentication (MFA), the extra security layer that asks you to verify your identity through a second method, like a phone confirmation. This means even users who thought they had strong protection may still be vulnerable.
If an attacker gains access to your Microsoft 365 tokens, they essentially become you in the digital world. They can:
For businesses, this represents a serious breach risk. A single compromised account could expose customer data, financial records, or strategic plans. Organizations using Microsoft 365 for daily operations need to treat this threat seriously.
You don't need to panic, but you should take action. Here's what security experts recommend:
Microsoft is likely developing additional protections against these OAuth-based attacks. In the meantime, the responsibility falls on individual users to stay vigilant and organizations to educate their teams about these threats.
The lesson here is simple: authorization requests should never be clicked reflexively, even if they look official.
Want to understand the technology behind this story? ITVedas has beginner-friendly guides on every IT topic.
Explore IT Chapters →