Security

ClickFix Attacks Are on the Rise — Here's What Your Organization Needs to Know

Imagine this scenario: An employee visits a familiar-looking website and sees a security warning. The message looks professional — maybe it's styled like a Microsoft alert, a Google verification, or a CAPTCHA. It tells them to click a button and paste a short command to “fix the problem.”

They follow the instructions. Within seconds, attackers have access to their machine, their credentials, and potentially your entire network.

This is ClickFix — and it's one of the most dangerous social engineering techniques in use today.

ClickFix attacks surged up to 517% in 2025, and cybersecurity researchers expect them to remain one of the primary methods attackers use to break into organizations throughout 2026. What makes them so effective isn't technical sophistication — it's psychological manipulation.

What Exactly Is a ClickFix Attack?

ClickFix is a social engineering technique where a user is tricked into copying and pasting a malicious command into their own computer — whether that's the Windows Run dialog, PowerShell, a terminal window, or even a browser address bar.

The attacker doesn't need to exploit software vulnerabilities. They don't need to bypass your firewall. They simply need your employee to believe that what they're doing is normal and helpful.

Common lures include:

  • Fake CAPTCHA pages that instruct users to press Win+R and paste a “verification code”
  • Fake browser error messages saying the page can't load until a “fix” is applied
  • Impersonation of trusted platforms like Microsoft 365, Google, or DocuSign
  • Fake security alerts from what appears to be your IT department

Once the command runs, attackers typically deploy info-stealers (like Lumma Stealer), Remote Access Trojans (RATs), ransomware droppers, or credential harvesters — often using legitimate system tools like PowerShell, finger.exe, or nslookup to stay under the radar.

Why Traditional Defenses Fall Short

Most endpoint security tools are built to detect malicious files or known exploits. ClickFix sidesteps both. Because the user is the one executing the command — and because attackers frequently leverage legitimate Windows utilities — traditional antivirus and even many EDR solutions don't flag the activity until it's too late.

Microsoft's threat intelligence data found ClickFix accounted for nearly 47% of all initial access intrusions in recent reporting periods. And in phishing simulations run in early 2026, even Microsoft-branded ClickFix lures produced interaction rates above 23% — meaning nearly 1 in 4 people engaged with the attack page. Prevention-only defenses simply aren't enough.

What You Can Do: A Layered Defense Strategy

Defending against ClickFix requires controls at multiple levels simultaneously. Here's what we recommend:

1. Harden the Endpoint

  • Disable the Windows Run dialog via Group Policy — this removes one of the most common execution entry points
  • Implement PowerShell Constrained Language Mode (CLM) — this limits what PowerShell scripts can do, even if one is pasted and executed
  • Block high-risk native binaries from executing in ways consistent with ClickFix payloads (mshta.exe, wscript.exe, cscript.exe)
  • Enable command-line logging via Sysmon (Event ID 1) or Windows Event ID 4688 so you can detect suspicious execution chains

2. Lock Down the Browser

  • Enforce a browser extension allowlist via managed Chrome or Edge policies — block all extensions by default, and require approval for any new ones
  • Enable DNS filtering to block access to known malicious domains and newly registered sites commonly used in campaigns
  • Configure session timeout policies to limit the damage from any stolen authentication tokens

3. Strengthen Detection

  • Tune your EDR for ClickFix-specific behavioral patterns: browser or explorer.exe spawning PowerShell or cmd with encoded/obfuscated arguments, LOLBin chains, or clipboard-sourced commands
  • Look for attackers performing environment checks (querying domain membership, installed security tools) — this behavior is a detectable signal in your logs even when the lure changes
  • Monitor for unusual parent-child process relationships, especially browsers launching scripting engines

4. Train Your People — The Right Way

Generic phishing awareness doesn't protect against ClickFix. The attack is specifically designed to look like a legitimate technical interaction, not a suspicious email link.

What works:

  • Scenario-specific simulations that replicate fake CAPTCHA and fake error page lures
  • Teaching one clear, memorable rule: Never paste a command from a web page into any dialog box, terminal, or address bar — no matter how official it looks
  • Encouraging employees to verify with IT before following any online “fix” instructions

The data tells an uncomfortable story here. Even after ClickFix has received widespread coverage in the security community, simulations show users continue to fall for contextually convincing lures. Training needs to be specific, repeated, and scenario-based — not a once-a-year checkbox exercise.

Emerging Variants to Watch

Attackers are constantly evolving ClickFix to stay ahead of defenses. In early 2026, researchers documented new variants including:

  • DNS-based staging using nslookup to retrieve payloads through DNS responses — bypassing PowerShell-focused blocks
  • Windows Terminal (wt.exe) campaigns delivering Lumma Stealer via hex-encoded commands
  • Malicious Chrome extension installs that display fake security warnings rather than relying on the Run dialog
  • macOS AppleScript URI variants — even after Apple added mitigations in March 2026, attackers found workarounds within weeks
  • Compromised legitimate websites (especially WordPress) used as delivery infrastructure, making URL-based blocking less reliable

The takeaway: no single control is permanent. Layered defenses and ongoing monitoring are essential.

The One Rule Every Employee Should Know

If we could put a single sign above every workstation in every office we support, it would say this:

Never paste a command from a web page into any dialog box, terminal, or address bar — no matter how official the page looks.

Not from a CAPTCHA. Not from a browser error. Not from a Microsoft or Google security alert. Not from an email link. Not from a helpful-looking IT popup. If a website is asking you to press Win+R and paste something, it is always an attack. There is no legitimate reason a web page ever needs you to do that.

Say it to your team. Put it on a sticky note by their monitor. Repeat it in every security refresher.


Sources: Recorded Future Insikt Group, Trend Micro, Cloud Range, Revel8 Threat Research, Microsoft Threat Intelligence.

Worried your organization is exposed to ClickFix?

Etoc IT offers a free security posture review focused on ClickFix-specific defenses — Group Policy, EDR detection coverage, browser policies, and employee resilience. No pressure, no obligation.

Request a Free Security Review
Or schedule a call directly →
E

Etoc IT
Locally owned IT support for small businesses in Bardstown, Nelson County, and surrounding Central Kentucky.