
ClickFix Lures Coach Users to Self-Infect and Bypass Filters

[Figure: ClickFix phishing page coaching a user to paste a command that steals M365 access. Caption: ClickFix lures turn users into installers, enabling Microsoft 365 takeover and mailbox rule abuse.]

Attackers are running large ClickFix waves that lead users to “support” pages and then walk them through self-executing steps. Because the victim performs the key action, automated defenses sometimes stand down. Consequently, threat actors steal Microsoft 365 credentials at scale, then pivot into mailbox rules, OAuth abuse, and session hijack. In parallel, several clusters drop stealers or remote access tools after the click.

What ClickFix is and why it evades

The lure looks like a fix page for email, payments, or booking portals. It tells the user to copy a command, paste it into a console or browser dialog, and press Enter. Because the user triggers execution, filters that wait for drive-by exploits or unsanctioned downloads may not flag it. Therefore, defenders must watch behavioral context, not only file signatures.

Chain: email/ad → landing → self-infect step → cred theft or RAT

Campaigns begin with phishing emails, malvertising, or compromised sites. The landing page coaches the target through “verification” or “restore access” steps. After the user completes the action, kits harvest Microsoft 365 tokens or credentials; some runs also install payloads, including credential stealers and remote access tools. As signals age out, the same actors recycle the lure with minor text changes and fresh domains.

Industry impact: hospitality and booking flows break

Recent waves impersonate Booking-style workflows to pressure hotel staff. Messages claim urgent guest changes or payment holds and direct managers to a ClickFix page. From there, credential theft leads to mailbox takeover and fraud against guests. In several cases, post-click malware like PureRAT appears in follow-on traffic, giving attackers a persistent foothold on staff endpoints.

Latest trends: kits, videos, and automation

Threat groups now use ClickFix generators that mass-produce lure pages. Some pages embed short tutorial videos that show users how to “fix” the issue by pasting commands. Others test OS and browser to deliver tailored payloads. Because kits handle the steps, low-skill crews can run convincing campaigns at enterprise scale while rotating infrastructure.

Detection and hunting

Track referrer chains from email or ads into pages that instruct copy-and-paste actions. Alert when browser processes such as msedge.exe spawn shells (cmd, powershell) after visiting unknown domains. On Microsoft 365, monitor for suspicious OAuth consent, inbox rule creation, and token anomalies. Investigate new MFA-less logins, atypical device joins, or sudden mailbox forwarding to external addresses. To validate, follow the session: message → landing → user action → token replay or payload drop.
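The three hunting checks above (browser-to-shell process chains, inbox rules forwarding outside the tenant, and OAuth consent granted by non-admins) as added example code; this is not code from the original post. The event shapes are simplified assumptions modelled on process-creation telemetry and Microsoft 365 unified audit log records, the domain example-hotel.com and the admin list are constructed values, and the sample events at the bottom are constructed, not real telemetry.

```python
"""Added example (not from the original post): hunting logic for three ClickFix
signals, run over constructed sample telemetry.

Assumptions: event shapes are simplified versions of process-creation telemetry
and Microsoft 365 unified audit log records; example-hotel.com is the tenant's
own mail domain; ADMINS is the set of accounts allowed to grant app consent.
"""
from dataclasses import dataclass

BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
INTERNAL_DOMAINS = {"example-hotel.com"}  # constructed value
ADMINS = {"it-admin@example-hotel.com"}   # constructed value


@dataclass(frozen=True)
class ProcessEvent:
    host: str
    parent_image: str
    image: str
    command_line: str


def _basename(path: str) -> str:
    # Normalise a Windows or POSIX path to a lower-case file name.
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def browser_spawned_shell(ev: ProcessEvent) -> bool:
    """True when a browser is the direct parent of a shell: the endpoint-side
    footprint of a user pasting a ClickFix command."""
    return _basename(ev.parent_image) in BROWSERS and _basename(ev.image) in SHELLS


def inbox_rule_forwards_externally(record: dict) -> bool:
    """True for a New-InboxRule audit record whose forwarding or redirect
    target lies outside the tenant's own domains."""
    if record.get("Operation") != "New-InboxRule":
        return False
    params = {p["Name"]: p["Value"] for p in record.get("Parameters", [])}
    for key in ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo"):
        target = params.get(key, "")
        if target and target.rsplit("@", 1)[-1].lower() not in INTERNAL_DOMAINS:
            return True
    return False


def consent_by_non_admin(record: dict) -> bool:
    """True when an OAuth consent was granted by an account outside ADMINS."""
    return (record.get("Operation") == "Consent to application."
            and record.get("UserId") not in ADMINS)


def triage(process_events, audit_records) -> dict:
    """Run all three checks and return matching events grouped by signal."""
    return {
        "browser_to_shell": [e for e in process_events if browser_spawned_shell(e)],
        "external_forwarding_rule": [r for r in audit_records if inbox_rule_forwards_externally(r)],
        "user_consent": [r for r in audit_records if consent_by_non_admin(r)],
    }


# Constructed sample telemetry (not real events).
SAMPLE_PROCESS_EVENTS = [
    ProcessEvent("FRONTDESK-01", r"C:\Program Files\Microsoft\Edge\Application\msedge.exe",
                 r"C:\Windows\System32\cmd.exe", "cmd.exe /c <pasted command>"),
    ProcessEvent("FRONTDESK-01", r"C:\Windows\explorer.exe",
                 r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "powershell.exe"),
    ProcessEvent("RESERVATIONS-02", r"C:\Program Files\Google\Chrome\Application\chrome.exe",
                 r"C:\Program Files\Google\Chrome\Application\chrome.exe", "chrome.exe --type=renderer"),
]

SAMPLE_AUDIT_RECORDS = [
    {"Operation": "New-InboxRule", "UserId": "manager@example-hotel.com",
     "Parameters": [{"Name": "Name", "Value": "."},
                    {"Name": "ForwardTo", "Value": "archive@attacker-placeholder.invalid"},
                    {"Name": "DeleteMessage", "Value": "True"}]},
    {"Operation": "New-InboxRule", "UserId": "manager@example-hotel.com",
     "Parameters": [{"Name": "Name", "Value": "Invoices"},
                    {"Name": "MoveToFolder", "Value": "Invoices"}]},
    {"Operation": "Consent to application.", "UserId": "manager@example-hotel.com"},
    {"Operation": "Consent to application.", "UserId": "it-admin@example-hotel.com"},
]

if __name__ == "__main__":
    for signal, hits in triage(SAMPLE_PROCESS_EVENTS, SAMPLE_AUDIT_RECORDS).items():
        print(f"{signal}: {len(hits)} hit(s)")
```

Running the block reports one hit per signal: the Edge-to-cmd chain, the rule forwarding to an external address, and the consent granted by a non-admin. The benign events (Explorer launching PowerShell, Chrome spawning its own renderer, a move-to-folder rule, an admin consent) produce no hits, which is the point of keying on the parent process and the forwarding target rather than on any single process or cmdlet name.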

Mitigation and hardening

Reduce human error paths. Enforce admin-approved app consent and restrict self-service OAuth. Require phishing-resistant MFA for staff with financial or booking privileges. Block scripted installs from browsers and deny command execution spawned by user-mode browsers. In email, quarantine messages that instruct users to paste commands or run scripts. Where possible, tune web proxies to flag pages that display step-by-step fix instructions. Finally, teach staff: support will never ask you to run a command.

Operational impact and next steps

Review ad and referral telemetry for ClickFix-style funnels. Block known kit domains and their short-lived look-alikes. On takeover cases, revoke refresh tokens, reset passwords, and audit inbox rules. Close the loop by scanning for PureRAT artifacts or other post-click payloads on any endpoint used by the compromised user. Afterwards, run a focused awareness sprint for front-desk and reservations teams.

ClickFix succeeds because it turns the user into the installer. As a result, it bypasses assumptions about what “malware delivery” looks like. Tighten OAuth governance, force phishing-resistant MFA, and block browser-to-shell chains. If you treat instruction-driven lures as hostile by default, you shrink this technique’s success window.

FAQs

Q: Why does ClickFix bypass some defenses?
A: The victim triggers the action, so systems tuned to block unsolicited downloads or exploitable bugs may not see a violation. Behavior-based policies close that gap.

Q: What blocks most ClickFix chains early?
A: Remove self-service OAuth consent for non-admin users, require phishing-resistant MFA, and prevent browsers from spawning shells or installers.

Q: How should hospitality teams validate suspected cases?
A: Check mailbox rules, recent OAuth consents, and sign-ins without MFA. Trace browser-spawned processes and scan for PureRAT or other stealers dropped post-click.

Q: Are malvertising paths common?
A: Yes. Actors rotate domains and ad content to reach targets beyond corporate email. Monitor referrals, not just inboxes.

Q: What user message stops the action?
A: “Support will never ask you to paste a command or run a script to fix access.”
