Cyber Security
- Threat Management
  
  Managed Cyber Security
  
  Award-winning SOC
  
  Incident Response
  
  Digital Footprint
  
  Offensive
  
  Penetration Testing Services
  
  Crest Certified Pen testing
  
  Vulnerability Assessments
  
  Breach & Attack Simulation Services
  
  Red Teaming Assessment
  
  Advisory
  
  Security Gap Analysis
  
  Fully Comprehensive audit
  
  Attack Surface Review
  
  Cyber Essentials Plus
  
  User Education & Awareness Training
IT Support
- Managed
  
  Managed IT Support
  
  Award winning Helpdesk
  
  Managed IT Security
  
  Consultancy
  
  Network & Connectivity Services
  
  Disaster Recovery
  
  CTO Consultancy
  
  Device as a Service
  
  Cloud
  
  Digital Transformation Services
  
  Cloud Services
Microsoft Services
- Microsoft Security
  
  Microsoft 365 Security Gap Analysis
  
  Microsoft MXDR Plans
  
  Modern Endpoint Management
  
  Microsoft Cloud
  
  Microsoft 365 Consultancy Services
  
  Solutions Partner Certified
  
  Microsoft Sharepoint Services
  
  Microsoft 365 Licensing
  
  Microsoft 365 Enterprise Licensing
  
  Modern Workplace Implementation
  
  Microsoft Technologies
  
  Microsoft Azure
  
  Cutting Edge cloud technology
  
  Microsoft Sentinel
  
  Leading Cloud Native SIEM
  
  Microsoft Defender XDR
  
  Extended Detection & Response

Expert Intel

The Rise of Clickfixing: Understanding the Latest Social Engineering Threat

Published: March 20, 2025

Expert: Charlie Kelly

Role: Principal Security Analyst

Specialises in: Incident Response

What you will learn:

In this edition of Expert Intel, you’ll discover what Clickfixing is, why it’s increasingly effective, common techniques threat actors use, and practical steps your organisation can take to defend itself against this emerging social engineering threat. By the end, you’ll have actionable insights to protect your users and infrastructure.

“Attackers are exploiting user trust and familiarity more than ever. If your organisation relies solely on user caution to avoid social engineering threats like Clickfixing, you’re already behind. Combining user education with robust technical measures is now more essential than ever to stay ahead of evolving attacks.”

Clickfixing is rapidly becoming one of the most concerning social engineering techniques observed by our analysts at the Stripe OLT SOC. Rather than exploiting technical problems, Clickfixing targets user trust and familiarity with simple verification prompts, tricking victims into executing malicious scripts under the guise of routine human verification tasks.

What is Clickfixing?

Clickfixing is a social engineering tactic where attackers use fake dialogue boxes designed to mimic legitimate verification prompts rather than technical errors. Victims, believing they’re simply verifying their identity or proving they’re human, follow provided instructions and unknowingly execute malicious scripts.

Typically, these prompts resemble verification requests such as “Follow these steps to prove you’re human” rather than error messages. Victims encounter instructions that involve copying and pasting commands into PowerShell or the Windows Run dialogue (WinKey+R). Our analysts have also observed attackers silently copying malicious scripts into the victim’s clipboard automatically, further simplifying execution.

Why Clickfixing Works

Clickfixing exploits trust and habitual responses:

Users trust prompts that resemble standard verification or CAPTCHA requests.

Minimal interaction and straightforward instructions reduce suspicion.

Users instinctively comply with basic verification procedures without scrutiny.

Common Clickfix Techniques

Our analysts have noted several specific methods:

Clipboard manipulation combined with WinKey+R to quickly execute scripts.

Step-by-step instructions directing users to manually run commands in PowerShell.

Automatic copying of malicious scripts into the clipboard without the user’s knowledge.

How Threat Actors Deploy Clickfixing

The Stripe OLT SOC has observed multiple distribution methods:

Compromised websites: Particularly compromised WordPress sites hosting fake CAPTCHAs or redirects.

Actor-owned infrastructure: Threat actors create dedicated servers and domains specifically to distribute Clickfix prompts.

Malicious URLs and attachments: Embedding malicious links within emails or attachments, directing users to verification prompts.

Impact of Clickfix Attacks

Clickfix campaigns can lead to command execution, data exfiltration, or deliver second-stage payloads such as:

Information stealers

Ransomware loaders

Remote Access Tools (RATs)

Organisations impacted by Clickfix attacks risk significant consequences, including data breaches, operational disruptions and financial losses.

malicious command forma click fixing attack — *An excerpt from a malicious command pasted as a result of a Clickfixing attack*

Mitigating Clickfixing Attacks

Organisations should proactively adopt measures to combat Clickfixing:

Employee Awareness: Educate users specifically about social engineering threats disguised as verification requests.

Technical Controls: Implement PowerShell restrictions and endpoint monitoring.

Group Policy Measures: Apply Group Policies to restrict the Windows Run dialogue (WinKey+R) and unauthorised script execution.

Policy Enforcement: Limit administrative privileges to reduce unauthorised script execution effectiveness.

The Main Takeaway

Understanding Clickfixing and proactively addressing this threat through vigilant awareness and technical safeguards is essential. Organisations equipped with these defences will significantly mitigate the impact of this rising social engineering tactic. As social engineering continues to evolve, it’s essential for organisations to stay informed about emerging threats like Clickfixing. By fostering a security-conscious culture, continuously updating defensive strategies, and maintaining robust technological controls, organisations can significantly reduce their vulnerability to these sophisticated attacks and better protect their critical assets.

If you’re concerned about emerging threats like Clickfixing and want to stay one step ahead of social engineering attacks, our security experts at Stripe OLT are here to help.

Book a free discovery session with us — we’ll assess your current security posture and recommend tailored strategies to protect your organisation from evolving threats.