1 day ago
12
Follow ZDNET: Add us as a preferred source on Google.
ZDNET's key takeaways
- The ClickFix social engineering tactic is rising in popularity.
- Microsoft said this initial access method was recorded in 47% of attacks.
- Traditional phishing protections won't work. Changing your behavior will.
Microsoft is warning that ClickFix social engineering attacks have become a favorite tactic of cybercriminals for gaining access to victims' networks.
The tech giant published its latest Microsoft Digital Defense Report on Thursday. On average, Microsoft processes over 100 trillion signals every day, blocks approximately 4.5 million new malware attempts, screens 5 billion emails for malware and phishing, and scrutinizes approximately 38 million identity risk detections, which grants the company the data needed to provide a thorough overview of current cybercriminal trends, tactics, and techniques.
Also: Microsoft debuts its next big high-stakes AI feature in Windows - can you trust it?
The 2025 version of the annual report notes that AI abuse by threat actors, from entry-level to state-sponsored, is on the rise, as are extortion attempts and ransomware infections. Of particular note is a social engineering technique known as ClickFix.
What is ClickFix?
Since early 2024, Microsoft has tracked ClickFix attempts and observed its increase in popularity. Over the past year, ClickFix has become a widely adopted initial attack technique, attempting to lure users into scamming or putting themselves at risk by tricking them into launching malicious code.
This social engineering technique can be adapted for various access scenarios, but in general, ClickFix tries to take advantage of human problem-solving. Fake error messages, for example, could request users to fix a minor technical problem by copying and pasting code or launching commands on their system.
However, the true aim of the request is for the users themselves to download malicious code.
For example, a months-long ClickFix campaign detected by Microsoft in 2024 impersonated Booking.com at the height of the holiday season. Victims were sent phishing emails that appeared to come from Booking.com, and if the recipient clicked on the link, they would be whisked away to a website displaying a fake CAPTCHA and instructions on copying and pasting a command into a Windows Run window that had been covertly added to a clipboard by the phishing page.
Also: Still on Windows 10? Here's what Microsoft Defender can and can't do for you
"ClickFix tricks users into copying a command -- often embedded in a fake pop-up, job application, or support message -- and pasting it into the Windows Run dialog (Win + R) or a terminal, which then executes PowerShell or mshta.exe," Microsoft explained. "These commands pull malicious payloads directly into memory -- a clean, fileless process that is often invisible to traditional security tools."
Rising ClickFix rates
According to Microsoft, ClickFix was the most common initial access method recorded via Microsoft Defender Experts notifications in the past year, "accounting for 47% of attacks."
ClickFix techniques are being used by cybercriminal and nation-state-level threat actors as an initial access component of attack chains. Some of the successful campaigns tracked by Microsoft have led to the deployment of ransomware, infostealers, Remote Access Trojans (RATs), and worms.
Payloads have included Lumma stealer, XWorm, AsyncRAT, VenomRAT, Danabot, and NetSupport RAT.
"Successful campaigns have led to credential theft, malware staging, and persistent access using just a few keystrokes from the user," according to the report.
Why is ClickFix concerning?
As Microsoft notes, users are lured into running malicious commands themselves, and so traditional anti-phishing measures won't offer any protection -- and when 28% of breaches logged in the past year have been due to phishing and social engineering, this trend is a worrying one.
Also: Scam texts net over $1 billion for cyber gangs - how to avoid their traps
What makes ClickFix different from many other phishing techniques is not that it requires user interaction -- you find this in commonplace scams requiring a victim to click on a suspicious link or to enable macros -- but that the requested action seems benign. It appears like nothing more than asking for someone to employ a few keyboard shortcuts to fix a technical problem.
How do I protect myself against ClickFix attacks?
Microsoft recommends that organizations (and users) focus on changing behavior to reduce the risk of being exploited by a ClickFix initial access attempt.
Awareness training is a key factor, ensuring that individuals understand copying and pasting commands from any source -- no matter how legitimate it appears -- can be just as dangerous as clicking on a suspicious link.
Also: Still on Windows 10? Here's what Microsoft Defender can and can't do for you
The Redmond giant also says that organizations should consider implementing PowerShell logging to trace potential ClickFix scams, clipboard-to-terminal activities should be monitored, and using both browser hardening and contextual detection systems may also help catch suspicious activity before a ClickFix attack succeeds.
Stay ahead of security news with Tech Today, delivered to your inbox every morning.
English (US) ·