TL;DR: ClickFix attacks are surging, with reports cited by Push Security showing a 400% year-over-year rise in email-based attacks and a 517% jump over six months, while public breaches at Kettering Health, DaVita, City of St. Paul, and Texas Tech have been linked to the tactic. The real issue is that browser-driven social engineering is outpacing endpoint-first detection assumptions.
NHIMG editorial — based on content published by Push Security: ClickFix, FileFix, fake CAPTCHA, and browser-based malware delivery
By the numbers:
- email-based ClickFix attacks have increased by 400% year-over-year.
- another study highlighted a 517% increase in the past 6 months.
Questions worth separating out
Q: How should security teams detect ClickFix-style browser attacks before endpoint execution?
A: They should monitor the browser interaction that precedes execution, especially copy-and-paste into command prompts, fake CAPTCHA pages, and verification lures.
Q: Why do ClickFix attacks evade traditional phishing and EDR controls?
A: They evade many controls because the malicious payload is often a command string, not a downloaded executable, and the user runs it through trusted system tools.
Q: What do security teams get wrong about browser-based social engineering?
A: They often treat the browser as a delivery layer rather than a control surface.
Practitioner guidance
- Monitor browser copy-and-paste to command execution paths: correlate suspicious copy events with subsequent execution in Run, PowerShell, Terminal, or File Explorer so the alert fires before the payload has a chance to stage or persist.
- Treat browser-delivered lures as identity attack indicators: add detections for fake CAPTCHA pages, verification prompts, and error-page lures that precede credential theft or session hijack, especially when they arrive outside email.
- Review BYOD and personal-device exposure paths: look for cases where corporate email accounts or browser profiles are used on unmanaged devices, because saved credentials and synced sessions can widen the blast radius of a browser compromise.
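The first guidance item, the copy-to-execute correlation, as an added illustration (this is not Push Security's detection or code). It runs over constructed sample telemetry: browser clipboard-write events as a browser agent might report them, and process-creation events reduced to parent, image and command line. The field names, the 120-second window and the defanged lure URL are assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample telemetry (not real logs). Timestamps are ISO 8601.
CLIPBOARD_EVENTS = [  # browser clipboard writes, as a browser agent might report them
    {"ts": "2025-09-01T10:00:03", "host": "WS01", "source": "chrome.exe",
     "url": "hxxp://captcha-verify[.]example/", "text": 'powershell -w hidden -ep bypass -c "PAYLOAD_PLACEHOLDER"'},
    {"ts": "2025-09-01T10:05:00", "host": "WS01", "source": "chrome.exe",
     "url": "https://intranet.example/", "text": "quarterly numbers look fine"},
]
PROCESS_EVENTS = [  # process creation, e.g. Sysmon event ID 1 reduced to the fields we need
    {"ts": "2025-09-01T10:00:15", "host": "WS01", "parent": "explorer.exe",
     "image": "powershell.exe", "cmdline": 'powershell  -w hidden -ep bypass -c "PAYLOAD_PLACEHOLDER"'},
    {"ts": "2025-09-01T10:05:20", "host": "WS01", "parent": "explorer.exe",
     "image": "notepad.exe", "cmdline": "notepad.exe"},
    {"ts": "2025-09-01T11:00:00", "host": "WS01", "parent": "explorer.exe",
     "image": "powershell.exe", "cmdline": "powershell -File C:\\scripts\\backup.ps1"},
]

INTERPRETERS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe", "wscript.exe"}
LAUNCHERS = {"explorer.exe"}      # the Run dialog and the File Explorer address bar both spawn from explorer.exe
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe"}
WINDOW = timedelta(seconds=120)   # assumed copy-to-execute window; tune to your environment

def normalise(s: str) -> str:
    """Collapse whitespace and case so a pasted string matches the logged command line."""
    return " ".join(s.split()).lower()

def correlate(clipboard_events, process_events, window=WINDOW):
    """Return one alert per interpreter launched from a launcher process whose command line
    contains text copied from a browser on the same host within `window` before the launch."""
    alerts = []
    for proc in process_events:
        if proc["image"].lower() not in INTERPRETERS or proc["parent"].lower() not in LAUNCHERS:
            continue  # plain user activity, or a launch path this rule does not cover
        started = datetime.fromisoformat(proc["ts"])
        for clip in clipboard_events:
            if clip["host"] != proc["host"] or clip["source"].lower() not in BROWSERS:
                continue
            copied = datetime.fromisoformat(clip["ts"])
            if not (timedelta(0) <= started - copied <= window):
                continue  # copy happened after the launch, or too long before it
            if normalise(clip["text"]) in normalise(proc["cmdline"]):
                alerts.append({"host": proc["host"], "lure_url": clip["url"], "image": proc["image"],
                               "delay_s": (started - copied).total_seconds()})
    return alerts

if __name__ == "__main__":
    for alert in correlate(CLIPBOARD_EVENTS, PROCESS_EVENTS):
        print(alert)
```

Only the PowerShell launch whose command line matches the text copied from the lure page twelve seconds earlier is flagged; the scheduled backup script launched from explorer.exe an hour later is not, which is the noise reduction the correlation buys over a bare "PowerShell from explorer" rule.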
What's in the full article
Push Security's full article covers the operational detail this post intentionally leaves for the source:
- Examples of ClickFix and FileFix lure pages, including how the social engineering flows are presented to users.
- A closer look at browser-based malicious copy-and-paste detection and how the control is enabled.
- The vendor's discussion of delivery channels, anti-analysis behaviour, and browser attack surface hardening.
- Implementation details for practitioners who want to see how the browser-layer detection works in practice.
👉 Read Push Security's analysis of ClickFix and browser-based malware delivery →
ClickFix and browser-based malware delivery: what teams are missing?
Explore further
ClickFix exposes a browser-era identity gap, not just a malware gap. The article shows that attackers do not need to defeat every layer of the stack when the user can be manipulated into executing the payload for them. That makes the browser part of the identity attack surface because session theft, credential exposure, and SaaS compromise are downstream of the same interaction. Practitioners should treat browser-mediated execution as a governance boundary, not a nuisance alert.
A few things that frame the scale:
- 85% of organisations lack full visibility into third-party vendors connected via OAuth apps, according to The State of Non-Human Identity Security.
- Lack of credential rotation is cited as the top cause of NHI-related attacks by 45% of organisations, followed by inadequate monitoring and logging at 37%, according to the same research.
A question worth separating out:
Q: Who should own response when a browser lure leads to credential or session theft?
A: Ownership should sit across IAM, security operations, and endpoint teams because the incident crosses identity and device boundaries. The right response is to invalidate sessions, review saved browser credentials, and investigate whether the same corporate account is active on unmanaged devices. That is how teams limit reuse of stolen access.
👉 Read our full editorial: ClickFix is exposing the limits of browser-era endpoint defense