On July 3, 2026, Malwarebytes documented two active campaigns that turn digital trust into an attack surface. Verified accounts on X serve ads leading to Mac malware installed via Terminal commands; simultaneously, a technique dubbed ConsentFix steals Microsoft 365 OAuth tokens in roughly three seconds, bypassing passwords and multi-factor authentication. Both techniques exploit user intentionality as the primary vulnerability.
- A verified X account hosted ads redirecting to the lookalike domain dynamicmacisland[.]com to distribute Atomic Stealer variants on macOS.
- Victims were instructed to open Terminal and paste commands that silently installed the malware, turning the user into an unwitting installer.
- ConsentFix steals Microsoft 365 OAuth tokens through a seemingly legitimate consent flow that requires only dragging a localhost link into the browser.
- By March 2026, a detailed ConsentFix tutorial with working code, screenshots, and LinkedIn profiling techniques was already available on a public Russian cybercrime forum.
How ClickFix Exploits X Verification to Target Macs
The ClickFix campaign identified by Malwarebytes impersonates an application called "DynamicLake," presented as a macOS utility that mimics Apple's Dynamic Island functionality. The domain dynamicmacisland[.]com replicates the look of a legitimate site and hosts instructions guiding the user toward self-infection.
The mechanism is deliberately counter to traditional malware. Instead of automatic exploits or disguised malicious files, the attack requires seemingly innocuous actions: open Terminal, copy a command, paste it, and press Enter. These steps, executed by the user, bypass macOS's automatic protections and silently install Atomic Stealer variants, an infostealer already known in the threat landscape.
The use of a verified X account as an advertising vehicle is the detail that flips the security paradigm. The blue badge, designed to guarantee authenticity, becomes a credibility guarantee for a compromise chain. The source does not specify whether the account was suspended or identified.
ConsentFix: When the User Becomes the Identity Provider
ConsentFix represents a qualitative evolution over ClickFix. According to Malwarebytes, "where ClickFix turns you into the installer, ConsentFix turns you into the identity provider." The technique requires no malware execution; the entire compromise occurs within the normal OAuth authentication flow.
The documented mechanism involves a victim following a phishing link often hosted on trusted platforms like Dropbox or DocSend with password protection, then being instructed to complete an apparently legitimate process by dragging a localhost callback link into the browser. That drag-and-drop gesture unwittingly hands session tokens to the attacker.
The result is full access to email and Microsoft 365 services without a password and without completing multi-factor authentication. As quoted by Malwarebytes: "It can start with something as mundane as dragging a link into your browser. Three seconds later, a threat actor has the tokens needed to take over your Microsoft 365 account, and you never did anything that traditional security awareness training would flag."
"Three seconds later, a threat actor has the tokens needed to take over your Microsoft 365 account, and you never did anything that traditional security awareness training would flag."
From Russian Forum to Commoditization: Proliferation Is Underway
The spread of ConsentFix is not limited to sophisticated operators. By March 2026, according to BleepingComputer, a detailed tutorial had already been published on a public Russian cybercrime forum. The material included working code, infrastructure screenshots, demo videos, and LinkedIn profiling techniques to map organizations and personalize lures against real people.
This level of documentation signals ongoing commoditization. When a technique that bypasses MFA is explained step-by-step with multimedia on accessible forums, the barrier to entry for less-skilled threat actors drops drastically. The source does not specify whether the tutorial is the original source or a repost.
Why This Matters
The dossier does not document specific mitigations released by Microsoft or other vendors to counter ConsentFix. The brief does not specify whether variants of the technique exist for OAuth providers beyond Microsoft 365. The exact number of victims or the scale of the X ad campaign also does not emerge.
What the source makes clear is the structural limit of traditional defenses. When the attack feeds on legitimate actions — a verified ad, a browser drag-and-drop, a seemingly standard OAuth consent — technical perimeters and conventional awareness lose effectiveness. Trust in the process itself becomes the compromise vector.
The brief also does not report whether Malwarebytes directly analyzed Atomic Stealer samples or relied on third-party reports, nor does it provide the specific identity of the verified X account used in the ClickFix campaign.
The Takeaway: Intentionality as a Zero-Day Vulnerability
What makes these campaigns relevant beyond the individual compromise is the architectural principle they share. Both exploit "user intentionality" — the human capacity to intend an action and carry it out knowingly — as if it were a software vulnerability. There is no exploit to patch, no bug to fix: there is a trust flow that the attacker mimics and diverts.
The paradox is that platforms have built entire verification ecosystems precisely to solve this problem, and now that same infrastructure is recycled as an authenticity guarantee for the threat. The X blue badge, the Microsoft OAuth flow, the browser drag-and-drop: they are legitimate primitives that, combined in sequence, produce illegitimate effects. Separating the two — legitimate use from malicious use — becomes increasingly difficult for automated systems and users alike.
Sources
- https://www.malwarebytes.com/blog/news/2026/07/verified-x-ad-spreads-mac-malware-while-consentfix-steals-microsoft-accounts
- https://support.apple.com/guide/iphone/view-live-activities-in-the-dynamic-island-iph28f50d10d/ios
- https://www.bleepingcomputer.com/news/security/consentfix-and-clickfix-how-microsoft-365-accounts-are-hijacked-in-3-seconds/
Information is based on the cited source and current as of publication.