ClickFix Attack Hits Enterprise Systems: What You Need to Know
Attackers are finding increasingly creative ways to infect computers with malware. Recently, cybercriminals have been taking an already dangerous tactic – known as ClickFix – and upping the ante by making the attack even harder to detect.
Their target? Critical systems and organizational data.
Here’s what you need to know.
What Is a ClickFix Attack?
ClickFix is a social engineering technique that tricks users into infecting their own devices with malware. Attackers do this by presenting fake CAPTCHAs, “Fix This Now” pop-ups, or other fake error messages, along with instructions designed to convince users to run malicious scripts themselves.
According to Microsoft’s Digital Defense Report 2025, ClickFix has accounted for 47% of recent cyber attacks.
Typically, a ClickFix attack instructs the user to copy and paste a command into:
- Windows Run
- Windows Terminal
- Windows PowerShell
Because the user is the one executing the command, ClickFix attacks often bypass traditional security tools that are designed to block automated malware.
What Makes This Version Different?
Most ClickFix attacks open a command window directly. Thanks to better security tools and more security-aware users, that behavior is much easier to spot today. Some companies even outright block access to command windows. This new variation is far sneakier.
Instead of opening PowerShell or Command Prompt – which usually comes with a hard-to-miss black box – the attack executes malicious activity inside what appears to be a legitimate process. This technique is known as a “living off the land” attack, where trusted, built-in tools are abused to do harmful things.
This is where the virus analogy becomes uncomfortably accurate: from the outside, everything looks well and good, but under the surface, a malicious process is running, propagating, and doing damage.
It’s a ruthless attack hiding in plain sight.
What Does This Mean for You?
This version of the ClickFix attack only works on Enterprise and Education editions of Windows 10 and 11, along with modern Windows Servers. This attack fails outright on Home and Pro editions, which strongly suggests that attackers are targeting corporate networks and managed devices, not home users.
In these environments, attackers are looking to gain a foothold and move laterally – jumping from one entry point in your environment to another.
That puts high-value enterprise systems at risk, including:
- Identity and access control systems: Used to influence permissions and gain access to sensitive data.
- Email and collaboration platforms: Used to spread internal phishing messages and access cloud-based information.
- Endpoint and device management systems: Used to reach and influence large numbers of company-managed devices at once.
- Backup and disaster recovery systems: Targeted to tamper with recovery options, extract sensitive data, or increase ransom pressure.
- Remote access infrastructure: Used to access off-site systems and remote users.
It’s easy to see how a compromise at this level can spell serious, organization-wide trouble for your company.
What You Can Do
While ClickFix attacks can be difficult to spot, there are several practical steps you can take to reduce your organization’s risk.
Teach People What Not to Do
The most effective way to prevent ClickFix attacks is to avoid being fooled in the first place. These attacks rely on user action, and an aware user can stop an attack in its tracks.
Train users to:
- Be suspicious of sudden “Fix This Now” pop-ups or verification prompts
- NEVER copy and paste commands into Windows Run, PowerShell, or Terminal
- Pause and verify requests through legitimate internal channels before proceeding
Keep a Record of Commands Run
Logging acts as a paper trail for your system activity. By having your IT team keep logs of what commands are run on company computers, it becomes much easier to spot suspicious behavior.
If something does go wrong, these logs provide clear answers about what happened, where it happened, and when.
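One piece of that paper trail already exists on every Windows machine: Explorer records each user's recent Run-dialog entries in the RunMRU registry key. The PowerShell below is an added example, not part of the original article; it lists those entries for the current user and flags ones that look like script or download commands. The pattern list is an illustrative assumption and should be tuned to your environment.

```powershell
# Added example: review what was typed or pasted into the Windows Run dialog.
# Explorer stores recent Run entries per user; each stored value ends in "\1".
$RunMruPath = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU'

# Illustrative patterns (assumption): script hosts, URLs, encoded commands.
$Patterns = @(
    '\bpowershell(\.exe)?\b', '\bpwsh\b', '\bcmd(\.exe)?\s+/[ck]\b',
    '\bmshta\b', '\b[wc]script\b', 'https?://', '\s-e(nc\w*)?\s', '\biex\b'
)
$Regex = $Patterns -join '|'

function Get-RunDialogHistory {
    param([string]$Path = $RunMruPath)

    # No key means the Run dialog has not been used by this user.
    if (-not (Test-Path -Path $Path)) { return }

    $key = Get-Item -Path $Path
    foreach ($name in $key.GetValueNames()) {
        if ($name -eq 'MRUList') { continue }      # ordering index, not a command

        $raw = [string]$key.GetValue($name)
        $cmd = $raw -replace '\\1$', ''            # strip the trailing "\1" marker

        [pscustomobject]@{
            Entry      = $name
            Command    = $cmd
            NeedsReview = [bool]($cmd -match $Regex)   # -match is case-insensitive
        }
    }
}

# Flagged entries first; a flag means "look at this", not "this is malicious".
Get-RunDialogHistory |
    Sort-Object -Property NeedsReview -Descending |
    Format-Table -AutoSize -Wrap
```

RunMRU only covers the Run dialog and only the most recent entries, so it complements central command logging rather than replacing it.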
Lock Down Your Web Browser
Many ClickFix attacks start in a web browser. By bolstering your browser security, you can keep fake prompts from appearing in the first place. This includes:
- Blocking unnecessary or risky browser extensions
- Limiting tracking cookies from unknown sites
- Turning off browser features employees don’t actually need
- Keeping browsers updated so security holes are patched
Limit Who Can Run Powerful Tools
Not everyone needs access to system-level tools like Windows Run, PowerShell, and Terminal. The fewer people who can run them, the less damage an attacker can cause. Make sure you control:
- Who can open command windows or run scripts
- Which computers allow this access
- Whether that access is still required
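To answer those three questions for a given machine and user, the PowerShell below (an added example, not part of the original article) reports which standard Windows restrictions on the Run dialog, Command Prompt and PowerShell are currently in effect. The function names are hypothetical; the registry values are the ones the corresponding Group Policy settings write.

```powershell
# Added example: report command-tool restrictions for the current user.
function Get-PolicyValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or value is absent (policy not configured).
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name } else { $null }
}

function Get-CommandToolRestrictions {
    # "Remove Run menu from Start Menu" policy: NoRun = 1
    $noRun = Get-PolicyValue 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer' 'NoRun'
    # "Prevent access to the command prompt" policy: DisableCMD = 1 or 2
    $disableCmd = Get-PolicyValue 'HKCU:\Software\Policies\Microsoft\Windows\System' 'DisableCMD'
    # ConstrainedLanguage is typically enforced through application control
    $langMode = [string]$ExecutionContext.SessionState.LanguageMode
    # Execution policy is a safety setting, not a security boundary
    $execPolicy = [string](Get-ExecutionPolicy)

    [pscustomobject]@{
        Control    = 'Run dialog removed (NoRun)'
        Value      = $noRun
        Restricted = ($noRun -eq 1)
    }
    [pscustomobject]@{
        Control    = 'Command Prompt disabled (DisableCMD)'
        Value      = $disableCmd
        Restricted = ($disableCmd -in 1, 2)
    }
    [pscustomobject]@{
        Control    = 'PowerShell language mode'
        Value      = $langMode
        Restricted = ($langMode -ne 'FullLanguage')
    }
    [pscustomobject]@{
        Control    = 'PowerShell execution policy'
        Value      = $execPolicy
        Restricted = ($execPolicy -in 'Restricted', 'AllSigned')
    }
}

Get-CommandToolRestrictions | Format-Table -AutoSize
```

Run it in the context of a standard user account on each class of device; a row showing `Restricted = False` for staff who never need that tool is a candidate for tightening.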
Secure Yourself with an MSP
As with all social engineering tactics, the key to staying safe from ClickFix attacks is spotting them early through a combination of awareness, permissions, and visibility.
Even then, some attacks can still slip through. That’s why it’s critical you work with a partner who can help defend your environment.
At The 20 MSP, we’ve been helping secure our customers for decades, while also providing cyber awareness training to keep users informed. We make sure our customers have someone to turn to, whether they have questions or need help responding to a security incident.
If you need a security expert to turn to, or just someone to run a few questions by, reach out. We’d be happy to help.
About The 20 MSP
As a leading provider of managed IT services, The 20 MSP serves thousands of businesses nationwide, including single and multi-location organizations, delivering white-glove service, secure and streamlined IT infrastructure, and 24/7/365 support. We believe in building lasting relationships with clients founded on trust, communication, and the delivery of high-value services for a fair and predictable price. Our clients’ success is our success, and we are committed to helping each and every organization we serve leverage technology to secure a competitive advantage and achieve new growth.

