Cybercriminals have a new favorite way to spread malice: hijacking your system to infect other computers. They predict that criminals will increasingly deploy a fast-emerging phishing technique known as ClickFix, which tricks victims into essentially becoming their own attackers by copying and running malicious commands. The twist is that the traditional anti-phishing guardrails on which targets might think they can depend rarely catch it, because the user triggers the code execution.
What ClickFix Is and Why This Persuasion Hack Works
ClickFix is a persuasion hack. Rather than ask you to download a file or type in a password, it encourages you to “fix” a faux problem by pasting in a command into Windows Run or the terminal. The prompt could be disguised as an error dialog, a support chat, a CAPTCHA page, or even a job application portal. It takes advantage of a human reflex: whenever something appears to be broken, we rush to repair it, particularly if the fix looks easy and official.
How the ClickFix attack unfolds from lure to payload
The setup frequently begins as a result of a realistic-looking phishing email or message from an organization or partner you trust. Victims are directed to a site that shows an authentic-looking warning or verification process. Some pages quietly hijack clipboard content, so you think you’re copying a support command but are actually copying an attacker’s payload.
Instructions generally involve prompting the user to press Win + R and paste, or open PowerShell and run a snippet. Under the hood, depending on context, this command may actually instantiate PowerShell or mshta.exe to download and run code in memory. This “fileless” approach, by virtue of not dropping obvious binaries, can slither right past defenses primarily tuned to scan attachments and downloads.
Why traditional defenses often overlook ClickFix
Security tools can be good at keeping out known bad files and dodgy links, but are less effective when a legitimate user runs a command deliberately. The company’s most recent Digital Defense Report underscores the scope of its challenge: it processes more than 100 trillion signals a day, screens 5 billion emails, and blocks about 4.5 million new attempts at malware—but little in the new campaign forms around those tripwires by design.
Microsoft says ClickFix represented 47% of the initial access notifications observed by its Defender for Endpoint Experts over a year. There’s a larger risk that becomes apparent when you consider industry trends: Microsoft blames about 28% of breaches on phishing and social engineering, a reminder that fooling people usually wins out over technical hacks.
Real-world ClickFix campaigns and the payloads used
One of the campaigns tracked by Microsoft impersonated one of the largest travel websites during the busiest holiday booking season and directed users to a fraudulent CAPTCHA that preloaded a malicious command onto their clipboard. When it was pasted, the command downloaded malware and did not leave a standard file trail. Other campaigns have dropped credential stealers and RATs, such as Lumma Stealer, XWorm, AsyncRAT, VenomRAT, DanaBot, or NetSupport RAT.
The impact can escalate quickly. Researchers have linked successful ClickFix intrusions to the deployment of ransomware, theft of data, and ongoing remote access control. All too often, only a handful of keystrokes are sufficient to cede a foothold that hackers can later leverage into monetizable or more invasive access inside the network.
How to spot ClickFix attempts and stop them safely
The red flags often come in the verbiage and process. Beware if a site or pop-up tells you to open Windows Run or a terminal to fix a display, audio, or login problem. Handle commands that call out to PowerShell, mshta.exe, Invoke-Expression, or -EncodedCommand with extreme caution. If you see that, it’s likely a suspicious script; an attacker would likely prefer outbound traffic over an inbound reflective command prompt. If a page says it has “copied the command to your clipboard,” assume unwarranted manipulation is possible.
On the defensive side, turn on PowerShell script block/transcription logging as your audit trail for post-incident review. Consider disabling or restricting mshta.exe as much as possible and use application control or allowlisting for scripting engines. Browser hardening and isolation can minimize tampering with the clipboard by untrusted sites. Endpoint detection and response tools that include memory scanning capabilities, integrate with the Antimalware Scan Interface (AMSI), and have behavioral rules for living-off-the-land binaries can be effective at catching fileless activity.
Look for clipboard-to-terminal sequences and abnormal command-line network calls in your organization. Limit account privileges to prevent command elevation from a pasted single command. Features such as attack surface reduction rules and controlled folder access can mitigate post-exploitation moves even if the initial execution gets through.
What to teach your team to avoid ClickFix scams
Establish a basic rule that is never negotiable: don’t paste commands from emails, web chats, or pop-ups into Run, PowerShell, or a terminal window—no matter how legitimate they seem.
Route all “fixes” through a known support channel, and confirm by phone or chat within your company’s tools. Ask users to take screenshots and report any strange demands rather than comply.
The best training is always that which mimics reality. Add simulations that involve fake support messages or CAPTCHA gates, as well as clipboard prefill tricks—not just link-click tests. If a patch seems suspiciously easy or emergent, remind employees that it might be designed to sidestep critical thought. The safest thing to do is actually to “stop, check, and climb.”
ClickFix works because it looks like help. However, by reconceptualizing all copy-paste commands as a high-risk action, and backing that culture up with logging, controls, and prompt detection, you can change this nifty social hack back into what it really is: a simple, avoidable error.
