Subscribe to the Non-Human & AI Identity Journal

Notifications
Clear all

ClickFix attacks: what identity and endpoint teams need to know


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 11936
Topic starter  

TL;DR: ClickFix attacks blend social engineering with fake browser prompts to trick users into running malicious commands, and Proofpoint, Sekoia, and SentinelOne all describe rapid spread across 2024 and 2025 campaigns. The real governance gap is not detection alone but the user-execution trust model that still lets a prompt become code.

NHIMG editorial — based on content published by Cybertrust Japan: 急増する「ClickFix」攻撃

Questions worth separating out

Q: How should security teams stop ClickFix attacks before the user reaches the endpoint?

A: Teams should focus on browser-layer controls that detect suspicious paste events, fake verification pages, and malicious command prompts before execution begins.

Q: Why do email attacks remain effective even when organisations use MFA?

A: MFA protects the login step, but many email attacks exploit the trust placed in a compromised or impersonated mailbox after authentication.

Q: What breaks when a fake CAPTCHA or browser prompt can trigger code execution?

A: When a fake prompt can trigger code execution, the organisation loses the boundary between verification and action.

Practitioner guidance

  • Restrict user-initiated command execution Disable or tightly control shell launch paths from browsers, documents, and chat tools on managed endpoints.
  • Harden browser and session telemetry Collect browser, endpoint, and identity-provider logs into the same incident workflow so you can trace suspicious prompts through to token use or console access.
  • Add controls for fake verification flows Train users to treat CAPTCHA, browser errors, and support prompts as untrusted until independently verified, and add URL filtering or browser isolation for pages that ask users to run commands.

What's in the full article

Cybertrust Japan's full blog covers the operational detail this post intentionally leaves for the source:

  • Campaign examples from 2024 and 2025 showing how ClickFix tactics evolved across different threat actors
  • Specific lure formats used in the wild, including fake interview flows, CAPTCHA pages, and browser error pages
  • Source-linked examples from Proofpoint, Sekoia, SentinelOne, and Kaspersky that map each campaign variant
  • Representative screenshots and attack flow details that help analysts recognise the tactic during investigation

👉 Read Cybertrust Japan's analysis of the rising ClickFix attack pattern →

ClickFix attacks: what identity and endpoint teams need to know?

Explore further

View Full Forum →  |  NHI Foundation Course →



   
Quote
(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 11491
 

ClickFix is a trust-boundary attack on the user execution model. Organisations often assume the user can safely distinguish legitimate prompts from malicious ones, but this attack pattern proves that assumption is too weak. Once a prompt can cause code execution, the security model has already shifted from authentication to social engineering. Practitioners should treat this as a control design failure, not a user awareness nuisance.

A question worth separating out:

Q: How should teams respond when suspicious pasted commands are executed on a managed device?

A: Teams should treat the device as potentially compromised, revoke active browser and console sessions, and inspect identity logs for unusual access immediately after the execution event. They should also check whether privileged accounts, service accounts, or SaaS tokens were used from the same endpoint. Containment must include identity session reset, not only malware removal.

👉 Read our full editorial: ClickFix attacks are rising through social engineering and fake prompts



   
ReplyQuote
Share: