Microsoft Warns: ClickFix Phishing Attacks Are Bypassing EDR
Microsoft has issued a warning over the growing surge of large-scale ClickFix phishing attacks and has recommended that system administrators restrict the use of command-line tools and disable the Run dialog in Windows. This guidance is tied to the rapid spread of schemes in which attackers trick users into executing malicious commands themselves, disguising the process as CAPTCHA verification, identity confirmation, or the resolution of minor “technical issues.”
The ClickFix technique has been actively employed since last year. Victims are shown a page with simple instructions, urging them to copy and execute code in Windows Run, PowerShell, or Windows Terminal. Once launched, the command downloads trojans, information stealers, or loaders, granting attackers full access to the system. Microsoft reports that these campaigns target thousands of devices globally every day, with tens of thousands of users compromised each month. Alarmingly, the attacks succeed even when security defenses, including EDR solutions, are enabled—making the method particularly dangerous.
According to Microsoft Threat Intelligence, adversaries use a variety of delivery vectors. Most often, malicious links are distributed through ads on questionable websites, mass spam campaigns, phishing emails, or compromised domains. A user might, for instance, encounter the attack when attempting to stream a free movie on a pirated site—clicking “Play” redirects them to a counterfeit page with instructions. In other cases, the attackers mimic system errors or impersonate notifications from services like Discord, falsely claiming that identity verification is required.
The attackers’ primary goal is to persuade the victim to execute the malicious code themselves. To conceal their activity, the commands are obfuscated and encrypted, while components are fetched from multiple servers. Through ClickFix, some of the most dangerous tools are distributed, including LummaStealer, Xworm, AsyncRAT, NetSupport, SectopRAT, as well as loaders like Latrodectus and MintsLoader, and rootkits such as r77. Many of these threats operate directly in memory without leaving files behind, injecting malicious code into legitimate Windows processes such as msbuild.exe, regasm.exe, and powershell.exe.
Microsoft has also observed the active sale of turnkey ClickFix builders on underground forums. Prices for these kits range from $200 to $1,500 per month, with sellers promising antivirus evasion and persistence within compromised systems. Experts caution that because this method relies on user interaction, such attacks can bypass many traditional security mechanisms.
In its published recommendations, Microsoft advises administrators to restrict command-line tools for untrained users as much as possible. Suggested measures include disabling the Run dialog, blocking the execution of PowerShell and other executables via it, limiting access to Windows Terminal, and enabling alerts when multi-line code is pasted.
Additional guidance includes the use of Group Policies to harden Windows configurations, strict script execution rules, and application control policies to prevent the launch of built-in system utilities from untrusted sources.
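As an added example that is not part of the Microsoft report or this article, the following PowerShell script audits the current user's Run-dialog history (the RunMRU registry key) for ClickFix-style pasted commands and provides the registry equivalent of the "disable the Run dialog" recommendation. The registry paths are standard Windows locations; the keyword list and the function names are constructed for illustration and would need tuning for a real environment.

```powershell
# Added example (not from the Microsoft report): audit the current user's Run-dialog
# history for ClickFix-style commands and apply the Explorer "NoRun" policy that the
# report recommends. The token list below is a constructed, illustrative set.

# Tokens commonly seen in pasted ClickFix commands: script hosts plus download/execute verbs.
$SuspiciousTokens = @(
    'powershell', 'pwsh', 'mshta', 'cmd(\.exe)?\s+/c', 'curl', 'bitsadmin',
    '\s-(enc|e|ec|encodedcommand)\s', '-w(indowstyle)?\s+hidden', '\biex\b',
    'invoke-expression', 'downloadstring', '\birm\b', '\biwr\b', 'https?://'
)
$SuspiciousRegex = '(?i)' + ($SuspiciousTokens -join '|')

function Get-RunMruEntries {
    # Explorer stores each Run-dialog command under RunMRU as a string value named
    # a..z with a trailing "\1"; the MRUList value orders them, most recent first.
    $key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU'
    if (-not (Test-Path $key)) { return @() }
    $props = Get-ItemProperty -Path $key
    foreach ($ch in ([string]$props.MRUList).ToCharArray()) {
        $name = [string]$ch
        $raw  = [string]$props.$name
        if ($raw) { $raw -replace '\\1$', '' }
    }
}

function Test-SuspiciousRunCommand {
    param([Parameter(Mandatory)][string]$Command)
    [bool]($Command -match $SuspiciousRegex)
}

function Disable-RunDialog {
    # Registry equivalent of the GPO "Remove Run menu from Start Menu": hides the
    # Run dialog (Win+R) for the current user. Use Group Policy to deploy at scale.
    $policy = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
    New-Item -Path $policy -Force | Out-Null
    New-ItemProperty -Path $policy -Name 'NoRun' -Value 1 -PropertyType DWord -Force | Out-Null
}

$hits = @(Get-RunMruEntries | Where-Object { Test-SuspiciousRunCommand -Command $_ })
if ($hits.Count -gt 0) {
    Write-Warning "Run-dialog history contains $($hits.Count) suspicious command(s):"
    $hits | ForEach-Object { Write-Output "  $_" }
} else {
    Write-Output 'No ClickFix-style commands found in RunMRU.'
}
# After triage, apply the hardening step from the report:
# Disable-RunDialog
```

A hit in RunMRU is a strong indicator that a user pasted a ClickFix command, so the audit is also useful as a triage step on hosts where EDR raised no alert.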
The company further emphasizes the importance of strengthening digital literacy and training employees to recognize social engineering tactics, thereby reducing the likelihood of inadvertently executing malicious commands. The report also publishes IP addresses, domains, and other indicators of compromise to help administrators detect suspicious activity across their networks in a timely manner.