MalwareBytes

Verified X ad spreads Mac malware, while ConsentFix steals Microsoft accounts


Cybercriminals are finding new ways to trick people into compromising their own devices and accounts. One campaign used a sponsored ad on X to target Mac users, while another technique, dubbed ConsentFix, steals Microsoft 365 accounts without installing malware.

Verified X account used in Mac ClickFix attack

Researchers have discovered a ClickFix-style attack running as a sponsored advertisement on X. The ad was posted from a verified account, adding an extra layer of credibility to the scam.

ClickFix campaigns use convincing lures—historically fake “human verification” screens, and now a fake download for DynamicLake, a legitimate macOS utility that turns your MacBook’s notch into an unofficial but functional version of Apple’s Dynamic Island. This type of attack requires the user to paste a command from the clipboard, making it depend heavily on user interaction.

Image courtesy of Jamf

In reality, people who clicked the link were redirected to the lookalike domain dynamicmacisland[.]com, where they were instructed to open Terminal and paste installation commands that silently installed malware.

The campaign combines three worrying trends: ClickFix-style social engineering using Terminal commands, lookalike domains that mimic trusted Mac apps, and paid advertising infrastructure used to scale attacks to a large audience.

The malware reportedly delivers several variants of the Atomic Stealer infostealer.  

This pattern mirrors previous cases where Google Ads promoted fake software installers, including malicious sponsored listings that delivered malware when users searched for trusted developer tools. The lesson is clear: paid placement and verification badges are no guarantee of safety, especially when attackers deliberately design campaigns to evade automated screening.

The campaign abused X’s advertising platform, with the malicious ad appearing under a verified account. The researchers reported the advertisement to X and contacted the account owner. The ad appears to have since been removed.

ConsentFix steals accounts instead of installing malware

Windows users are also being warned about the next generation of ClickFix attacks, called ConsentFix.

ConsentFix is different: where ClickFix turns you into the installer, ConsentFix turns you into the identity provider. Instead of tricking you into running malware, it uses social engineering to get you to hand over your cloud login tokens through the browser, without ever asking you to type your password.

“It can start with something as mundane as dragging a link into your browser. Three seconds later, a threat actor has the tokens needed to take over your Microsoft 365 account, and you never did anything that traditional security awareness training would flag.”

For example, a phishing email may arrive containing a link, often hosted on trusted platforms such as Dropbox. Sometimes it’s protected with a password, which also makes it harder for security tools to inspect.

If the target clicks on the link, they’ll see what looks like a standard Microsoft sign-in page and be asked to complete the process by dragging a localhost callback link into the browser.

How the ConsentFix trap looks

That’s when the trap closes. Without realizing it, the victim hands over session tokens to the attacker, giving them access to email and other Microsoft 365 services without needing a password or completing multi-factor authentication (MFA).

The method has reportedly been shared on a Russian cybercrime forum, making it easy enough for less experienced cybercriminals to steal Microsoft 365 accounts.
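The localhost callback link described above only becomes a problem once it is handed to a page that is not running on the victim's own machine. The following added example (not code from Malwarebytes or the researchers) shows a check that a browser extension or a paste/drop handler could apply. It assumes the link is a standard OAuth 2.0 redirect response with RFC 6749 parameter names; the function names and sample URLs are constructed for illustration.

```javascript
// Added example: flag a loopback OAuth callback URL being handed to a remote page.
// Assumption: parameter names follow the standard OAuth 2.0 redirect response (RFC 6749).
const SECRET_PARAMS = ["code", "access_token", "id_token", "refresh_token"];

// True for localhost, *.localhost, 127.0.0.0/8 and ::1 (URL.hostname keeps IPv6 brackets).
function isLoopback(hostname) {
  const h = hostname.toLowerCase().replace(/^\[|\]$/g, "");
  return h === "localhost" || h.endsWith(".localhost") ||
         h === "::1" || /^127(\.\d{1,3}){3}$/.test(h);
}

// Collect response parameters from both the query string and the fragment.
function oauthParams(url) {
  const found = new Map();
  for (const part of [url.search.slice(1), url.hash.slice(1)]) {
    for (const [k, v] of new URLSearchParams(part)) found.set(k.toLowerCase(), v);
  }
  return found;
}

// text: what the user dropped or pasted; pageOrigin: origin of the page receiving it.
// The result carries parameter names only, never their values, so it is safe to log.
function classifyDroppedUrl(text, pageOrigin) {
  let url, page;
  try { url = new URL(text.trim()); page = new URL(pageOrigin); }
  catch { return { verdict: "ignore", reason: "not a URL", secrets: [] }; }
  if (!/^https?:$/.test(url.protocol) || !isLoopback(url.hostname)) {
    return { verdict: "ignore", reason: "not a loopback http(s) URL", secrets: [] };
  }
  const params = oauthParams(url);
  const secrets = SECRET_PARAMS.filter((p) => params.get(p));
  if (secrets.length === 0) {
    return { verdict: "ignore", reason: "no OAuth response parameters", secrets };
  }
  // A loopback callback is meant for a client on this machine, never for a remote site.
  if (isLoopback(page.hostname)) {
    return { verdict: "allow", reason: "receiver is local", secrets };
  }
  const reason = `loopback callback carrying ${secrets.join(", ")} sent to ${page.host}`;
  return { verdict: "block", reason, secrets };
}
```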

How to stay safe

The best protection is knowing these attacks exist and recognizing what they look like. So keep reading our blog. But there’s more you can do:

  • Don’t trust links that arrive unexpectedly—whether by email, text message, social media, or even through verified accounts or sponsored search results.
  • Think things through before following instructions that seem unusual or that you don’t fully understand.
  • When filling out credentials, always check the address in the browser bar. Is that the one you expected? If not, stop.
  • Use an up-to-date, real-time anti-malware solution with web protection.

Pro tip: Did you know the free Malwarebytes Browser Guard browser extension protects you against malicious websites and ClickFix attacks? It also blocks ads and trackers, so that’s a bonus.

