In the digital commons where millions scroll and click without suspicion, a new class of malware has learned to move faster than human doubt. ConsentFix and ClickFix exploit not a flaw in code, but a flaw in trust — the quiet assumption that an ad on a familiar platform is safe to follow. By disguising themselves as legitimate tools and slipping through the consent dialogs people have been trained to accept, these threats remind us that the most dangerous vulnerabilities are often the ones we've built into our habits, not our software.
- Microsoft 365 accounts are being fully compromised in approximately three seconds — less time than it takes to question whether a permission prompt seems unusual.
- Attackers are purchasing sponsored ad placements on X and Google, impersonating trusted tools like Claude Code to funnel unsuspecting users toward malware downloads.
- The threat is not contained to one ecosystem: MacSync Stealer is simultaneously targeting macOS users and draining cryptocurrency wallets, specifically those held in Ledger hardware wallets.
- The attack's power comes from exploiting the trust users extend to major ad platforms — sponsored content feels native, legitimate, and safe in a way that a phishing email no longer does.
- Security researchers are urging users and organizations to scrutinize consent prompts, verify ad destinations before clicking, and treat any unexpected permission request as a potential intrusion — because once the malware lands, there is almost no time to recover.
A new generation of malware is outpacing human reaction. ConsentFix and ClickFix, two related threats currently circulating in the wild, can seize control of a Microsoft 365 account in roughly three seconds. But the speed is almost secondary to the method: these attacks arrive not through suspicious emails or obscure websites, but through sponsored advertisements on X and Google — the same channels people encounter every day without a second thought.
ConsentFix targets Microsoft 365 users by corrupting the familiar consent prompt, the permission dialog that appears when an app requests access to an account. The malware engineers a deceptive version of that flow, one that feels routine enough that users grant access before recognizing the danger. Email, files, and the full contents of a Microsoft account can be in an attacker's hands before the click has finished registering.
The campaign reaches beyond Microsoft's ecosystem. A related strain called MacSync Stealer spreads through the same fake Claude Code advertisements on Google, this time aimed at macOS users and cryptocurrency holders. Ledger wallet users are a specific target, reflecting a layered strategy: different payloads for different audiences, all delivered through the same trusted-looking surface.
What gives this campaign its unusual reach is the trust people extend to advertising platforms themselves. A sponsored ad for a real and popular tool doesn't trigger the same skepticism as an unsolicited email. Attackers are exploiting that gap deliberately, operating in plain sight through legitimate infrastructure. Security researchers describe this as part of a broader 2026 shift toward paid advertising as a malware distribution channel — cheaper, more effective, and harder to defend against than traditional methods. With attacks resolving in seconds, prevention is the only meaningful line of defense.
A new class of malware is moving faster than most people can react. ConsentFix and ClickFix—two related threats circulating in the wild—can compromise a Microsoft 365 account in roughly three seconds, according to security researchers tracking the campaign. The speed is almost beside the point. What matters is how they're getting in: through ads that look legitimate, placed on platforms where millions of people scroll every day.
The distribution method is the real innovation here. Threat actors are buying sponsored ad placements on X, the platform formerly known as Twitter, and running fake advertisements for popular tools like Claude Code on Google. When someone clicks, they don't land on the real product. Instead, they download malware. The ConsentFix variant specifically targets Microsoft 365 users by exploiting the way consent prompts work—those permission dialogs that appear when an application requests access to your account. Rather than asking for permission in the normal way, the malware tricks users into granting access through a deceptive flow that feels almost routine. By the time someone realizes what happened, the attacker already has the keys to their email, files, and everything else stored in their Microsoft account.
The threat extends beyond Microsoft's ecosystem. A related malware family called MacSync Stealer is targeting macOS users through the same fake Claude Code advertisements on Google. Once installed, it doesn't just steal credentials—it actively compromises cryptocurrency wallets, specifically targeting Ledger wallet holders. The sophistication lies in the layered approach: attackers aren't just going after one type of user or one type of asset. They're casting a wide net, using trusted brand names and legitimate-looking ad placements to reach different audiences with different payloads.
What makes this campaign particularly effective is its reliance on the trust people place in advertising platforms themselves. Google and X have built massive businesses on the premise that their ad networks are reasonably safe. Most users don't scrutinize sponsored content the way they might scrutinize a random email from an unknown sender. An ad for Claude Code, a real and popular tool, feels like it belongs there. The malware operators are exploiting that assumption. They're not trying to be clever or hide in the shadows—they're operating in plain sight, using the same distribution channels that legitimate businesses use every day.
Security researchers are flagging the campaign as part of a broader shift in attacker tactics for 2026. Rather than relying on phishing emails or compromised websites, threat actors are increasingly turning to paid advertising on mainstream platforms. It's cheaper than it sounds, more effective than traditional methods, and harder to defend against because the infrastructure—the ad network itself—is trusted. Organizations and individual users are being advised to watch for suspicious consent prompts, verify that ads are actually linking to the real product or service they claim to represent, and treat any unexpected permission request with skepticism, even if it appears to come from a known brand. The speed at which these attacks work means there's little margin for error once the malware is installed. Prevention, in this case, is genuinely the only reliable defense.
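The consent-prompt abuse described above ends with a user approving an OAuth consent grant for an application the attacker controls, which is why the advice to scrutinize consent prompts matters. One defensive counterpart is to review consent grants after the fact from audit logs. The following Python triage script is an added example and is not code from the article or from any vendor: it parses a handful of constructed consent records in a simplified tab-separated schema (the field names and layout are assumptions, not the Microsoft Entra audit-log format), and flags grants to unreviewed apps, user rather than admin consent, and scopes that hand over mail, files or a long-lived refresh token.

```python
"""Triage OAuth consent grants for signs of an illicit-consent attack.

Added example (not from the article). The records below are constructed
test data in a simplified tab-separated schema; the field names and the
approved-app list are assumptions for this example only.
"""
from dataclasses import dataclass

# Microsoft Graph delegated permission names that give an attacker standing
# access to a mailbox or files. The names are real Graph scopes; treating
# exactly this set as "high risk" is this example's own choice.
HIGH_RISK_SCOPES = {
    "Mail.Read", "Mail.ReadWrite", "Mail.Send",
    "Files.Read.All", "Files.ReadWrite.All",
    "Contacts.Read", "offline_access",
}

# App (client) IDs the organization has reviewed. Constructed placeholder.
APPROVED_APP_IDS = {"00000000-0000-0000-0000-0000000000aa"}


@dataclass(frozen=True)
class ConsentEvent:
    timestamp: str
    user: str
    app_display_name: str
    app_id: str
    consent_type: str        # "user" or "admin" (assumed values)
    scopes: frozenset


def parse_event(line: str) -> ConsentEvent:
    """Parse one record: ts, user, app name, app id, consent type, scopes.

    Fields are tab-separated; scopes are space-separated inside the last field.
    """
    ts, user, name, app_id, ctype, scopes = line.rstrip("\n").split("\t")
    return ConsentEvent(ts, user, name, app_id, ctype,
                        frozenset(s for s in scopes.split(" ") if s))


def assess(event: ConsentEvent) -> list:
    """Return the list of reasons this grant deserves review (empty = benign)."""
    reasons = []
    if event.app_id not in APPROVED_APP_IDS:
        reasons.append("app not on the reviewed/approved list")
    risky = event.scopes & HIGH_RISK_SCOPES
    if risky:
        reasons.append("high-risk scopes: " + ", ".join(sorted(risky)))
        if event.consent_type == "user":
            reasons.append("user (not admin) consent to high-risk scopes")
    if "offline_access" in event.scopes:
        # offline_access yields a refresh token, so revoking the session alone
        # does not cut the attacker off; the grant itself must be removed.
        reasons.append("offline_access grants a refresh token (persistence)")
    return reasons


def triage(lines) -> list:
    """Run assess() over raw records; return (user, app name, reasons) per alert."""
    alerts = []
    for line in lines:
        event = parse_event(line)
        reasons = assess(event)
        if reasons:
            alerts.append((event.user, event.app_display_name, reasons))
    return alerts


# Constructed sample records. The "Claude Code" app below is an impersonation
# by name only: its app id is not the approved one and it asks for far more
# than a coding tool would need.
SAMPLE_LOG = [
    "2026-01-10T09:00:01Z\talice@example.com\tCorp Helpdesk Bot\t"
    "00000000-0000-0000-0000-0000000000aa\tadmin\tUser.Read",
    "2026-01-10T09:03:12Z\tbob@example.com\tClaude Code\t"
    "11111111-2222-3333-4444-555555555555\tuser\t"
    "Mail.ReadWrite Files.ReadWrite.All offline_access User.Read",
    "2026-01-10T09:05:40Z\tcarol@example.com\tTeam Poll\t"
    "66666666-7777-8888-9999-000000000000\tuser\tUser.Read",
]

if __name__ == "__main__":
    for user, app, reasons in triage(SAMPLE_LOG):
        print(f"{user} consented to '{app}':")
        for r in reasons:
            print("   -", r)
```

Only the second and third records are flagged; the impersonating "Claude Code" grant collects every reason at once, which is the shape an illicit consent grant usually takes. Microsoft Entra ID also lets administrators restrict which permissions users may consent to on their own and route anything beyond that through an admin consent workflow, which closes the flow this campaign relies on before a deceptive prompt ever reaches the user.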
Notable Quotes
Security researchers flagged the campaign as part of a broader shift in attacker tactics for 2026, with threat actors increasingly turning to paid advertising on mainstream platforms rather than traditional phishing methods.
— Security researchers tracking the campaign
The Hearth Conversation
Another perspective on the story
How does ConsentFix actually work? What makes three seconds fast enough to compromise an entire account?
It exploits the consent flow that Microsoft 365 uses. Instead of a normal permission dialog, the malware presents a fake one that looks legitimate. The user clicks yes, thinking they're granting access to something routine, and the attacker gets OAuth tokens or credentials that let them into the account. Three seconds is just how long the whole interaction takes.
But wouldn't people notice something was wrong?
Not necessarily. The dialog looks real. It's designed to feel like a normal part of using the application. By the time someone realizes they clicked something they shouldn't have, the attacker is already in.
Why are they using ads on X and Google instead of traditional phishing?
Because ads are trusted. People don't scrutinize sponsored content the way they scrutinize random emails. An ad for Claude Code looks like it belongs on Google. It's also scalable—they can reach thousands of people at once without having to craft individual emails.
What's the connection between the Microsoft 365 attacks and the MacSync Stealer targeting Ledger wallets?
They're part of the same campaign, using the same distribution method. The attackers aren't specializing in one target. They're using different malware payloads for different victims depending on what they find valuable. Microsoft 365 credentials, cryptocurrency wallets—it's all money to them.
How do you defend against something that moves this fast?
You can't really defend after the fact. The attack is over before you know it happened. The only real defense is prevention—being skeptical of ads, verifying they link to the real product, and treating any unexpected permission request as suspicious, even if it looks legitimate.