
Cybercriminals are finding new ways to trick people into compromising their own devices and accounts. One campaign used a sponsored ad on X to target Mac users, while another technique, dubbed ConsentFix, steals Microsoft 365 accounts without installing malware.
Verified X account used in Mac ClickFix attack
Researchers have discovered a ClickFix-style attack running as a sponsored advertisement on X. The ad was posted from a verified account, adding an extra layer of credibility to the scam.
ClickFix campaigns use convincing lures—historically fake “human verification” screens, and now a fake download for DynamicLake, a legitimate macOS utility that turns your MacBook’s notch into an unofficial but functional version of Apple’s Dynamic Island. This type of attack requires the user to paste a command from the clipboard, making it depend heavily on user interaction.
Image courtesy of Jamf
In reality, people who clicked the link were redirected to the lookalike domain dynamicmacisland[.]com, where they were instructed to open Terminal and paste installation commands that silently installed malware.
The campaign combines three worrying trends: ClickFix-style social engineering using Terminal commands, lookalike domains that mimic trusted Mac apps, and paid advertising infrastructure used to scale attacks to a large audience.
The malware reportedly delivers several variants of the Atomic Stealer infostealer.
This pattern mirrors previous cases where Google Ads promoted fake software installers, including malicious sponsored listings that delivered malware when users searched for trusted developer tools. The lesson is clear: paid placement and verification badges are no guarantee of safety, especially when attackers deliberately design campaigns to evade automated screening.
The campaign abused X’s advertising platform, with the malicious ad appearing under a verified account. The researchers reported the advertisement to X and contacted the account owner. The ad appears to have since been removed.
ConsentFix steals accounts instead of installing malware
Windows users are also being warned about the next generation of ClickFix attacks, called ConsentFix.
ConsentFix is different: where ClickFix turns you into the installer, ConsentFix turns you into the identity provider. It uses social engineering to get you to hand over your cloud login tokens through the browser, without ever asking you to run malware or type your password.
“It can start with something as mundane as dragging a link into your browser. Three seconds later, a threat actor has the tokens needed to take over your Microsoft 365 account, and you never did anything that traditional security awareness training would flag.”
For example, a phishing email may arrive containing a link, often hosted on trusted platforms such as Dropbox. Sometimes it’s protected with a password, which also makes it harder for security tools to inspect.
If the target clicks on the link, they’ll see what looks like a standard Microsoft sign-in page and be asked to complete the process by dragging a localhost callback link into the browser.
That’s when the trap closes. Without realizing it, the victim hands over session tokens to the attacker, giving them access to email and other Microsoft 365 services without needing a password or completing multi-factor authentication (MFA).
The method has reportedly been shared on a Russian cybercrime forum, making it easy enough for less experienced cybercriminals to steal Microsoft 365 accounts.
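For defenders, the localhost callback link described above is something a browser extension or mail gateway can check for before it is handed to another page. The following is an added example, not code from the researchers or from this article; it assumes the callback uses the standard OAuth 2.0 / OpenID Connect response parameter names, which the article does not spell out, and the function names are hypothetical.

```javascript
// Added example: flag text that is a loopback (localhost) URL carrying
// sign-in material. Parameter names are the standard OAuth 2.0 / OpenID
// Connect ones (an assumption; the article does not list them).
const SENSITIVE_PARAMS = ["code", "access_token", "id_token", "refresh_token"];

function isLoopbackHost(hostname) {
  const h = hostname.toLowerCase();
  if (h === "localhost" || h.endsWith(".localhost")) return true;
  if (h === "[::1]") return true; // URL.hostname keeps IPv6 brackets
  // Every address in 127.0.0.0/8 is loopback, not only 127.0.0.1.
  const m = /^127\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(h);
  return m !== null && m.slice(1).every((octet) => Number(octet) <= 255);
}

function inspectDroppedUrl(text) {
  let url;
  try {
    url = new URL(text.trim());
  } catch {
    return { risky: false, reason: "not a URL" };
  }
  if (!/^https?:$/.test(url.protocol) || !isLoopbackHost(url.hostname)) {
    return { risky: false, reason: "not a loopback http(s) URL" };
  }
  // Sign-in responses arrive in the query string or in the fragment.
  const names = [
    ...url.searchParams.keys(),
    ...new URLSearchParams(url.hash.replace(/^#/, "")).keys(),
  ];
  const found = SENSITIVE_PARAMS.filter((p) => names.includes(p));
  return found.length > 0
    ? { risky: true, reason: "loopback callback carries: " + found.join(", ") }
    : { risky: false, reason: "loopback URL without sign-in parameters" };
}

// Constructed sample inputs (not taken from the campaign).
const samples = [
  "http://localhost:8400/?code=CONSTRUCTED-SAMPLE&state=abc",
  "http://127.0.0.1:8400/#id_token=CONSTRUCTED-SAMPLE",
  "http://localhost:3000/dashboard",
  "https://login.example.com/?code=CONSTRUCTED-SAMPLE",
];
for (const s of samples) console.log(inspectDroppedUrl(s).risky, s);
```

A link that trips this check should never need to be dragged, pasted or forwarded anywhere by the person signing in, so a warning at that moment is a reasonable control.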
How to stay safe
The best protection is knowing these attacks exist and recognizing what they look like. So keep reading our blog. But there’s more you can do:
- Don’t trust links that arrive unexpectedly—whether by email, text message, social media, or even through verified accounts or sponsored search results.
- Think things through before following instructions that seem unusual or that you don’t fully understand.
- When filling out credentials, always check the address in the browser bar. Is that the one you expected? If not, stop.
- Use an up-to-date, real-time anti-malware solution with web protection.
Pro tip: Did you know the free Malwarebytes Browser Guard browser extension protects you against malicious websites and ClickFix attacks? It also blocks ads and trackers, so that’s a bonus.