Over the past few weeks, the Mac admins I talk with have been talking about a report from Netskope Threat Labs regarding a new macOS ClickFix campaign. The campaign is a brilliant (and scary) piece of social engineering, and it highlights exactly why the traditional 90-day software update deferral window needs to be retired, either by Apple or by IT.
About Apple @ Work: Bradley Chambers managed an enterprise IT network from 2009 to 2021. Through his experience deploying and managing firewalls, switches, a mobile device management system, enterprise-grade Wi-Fi, 1000s of Macs, and 1000s of iPads, Bradley will highlight ways in which Apple IT managers deploy Apple devices, build networks to support them, train users, stories from the trenches of IT management, and ways Apple could improve its products for IT departments.
The ClickFix threat
ClickFix is a tactic where attackers trick users into copying and pasting a malicious script directly into their Terminal app. They achieve this using fake CAPTCHA screens or fake browser update alerts. Once the user pastes and runs the script, it deploys an AppleScript dialog box that looks exactly like a native macOS system prompt.
The prompt asks for the user’s password and loops infinitely until the user provides it. There is no close button. Once the password is captured, the malware steals the entire macOS Keychain database, along with live session cookies from browsers such as Safari and Chrome. Stealing live session cookies is the ultimate prize because it allows attackers to bypass multi-factor authentication completely.
Apple is already fighting back against this specific attack type. In macOS Sequoia and macOS Tahoe 26.4, Apple introduced a native Terminal security warning. This feature specifically disrupts ClickFix attacks by alerting users when they attempt to paste harmful commands from an untrusted source into Terminal.
This brings me to my main point. Historically, Apple has allowed IT administrators to defer macOS updates for up to 90 days using their device management platform. For years, this was considered an IT best practice. It gave teams time to test internal apps, verify compatibility, and ensure a smooth rollout across the fleet.
However, the threat landscape in the age of AI is moving too fast for a three-month delay. If your organization is deferring updates for a maximum of 90 days, your users are missing out on critical OS-level mitigations like the new Terminal paste warning. For three entire months, your employees are vulnerable to social engineering attacks that the operating system could easily block if it were simply up to date.
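To find out where a fleet still carries long deferrals, an admin can audit the Restrictions payload of exported configuration profiles. The following is an added example, not code from the article or from any device management vendor; the 14-day threshold, the function name, the sample profile, and the simplified mapping of switch keys to delay keys are assumptions made for illustration.

```python
import plistlib

# Deferral keys from Apple's Restrictions payload (com.apple.applicationaccess).
# Assumed simplification: each "force" switch is paired with one delay-in-days key.
DEFERRAL_KEYS = {
    "forceDelayedSoftwareUpdates": "enforcedSoftwareUpdateMinorOSDeferredInstallDelay",
    "forceDelayedMajorSoftwareUpdates": "enforcedSoftwareUpdateMajorOSDeferredInstallDelay",
}
LEGACY_DELAY_KEY = "enforcedSoftwareUpdateDelay"  # used when no specific delay key is set
DEFAULT_DELAY_DAYS = 30  # assumed default when a switch is on and no delay is given

def audit_deferrals(profile_bytes, max_days=14):
    """Return [(payload name, switch key, days)] for deferrals longer than max_days."""
    profile = plistlib.loads(profile_bytes)
    findings = []
    for payload in profile.get("PayloadContent", []):
        if payload.get("PayloadType") != "com.apple.applicationaccess":
            continue  # only the Restrictions payload carries deferral settings
        for switch, delay_key in DEFERRAL_KEYS.items():
            if not payload.get(switch, False):
                continue  # deferral not enabled for this update class
            days = payload.get(delay_key, payload.get(LEGACY_DELAY_KEY, DEFAULT_DELAY_DAYS))
            if days > max_days:
                findings.append((payload.get("PayloadDisplayName", "?"), switch, days))
    return findings

# Constructed sample profile (not from a real fleet): minor updates deferred 90 days,
# major upgrades deferred with only the legacy delay key set.
SAMPLE_PROFILE = plistlib.dumps({
    "PayloadType": "Configuration",
    "PayloadContent": [
        {"PayloadType": "com.apple.applicationaccess",
         "PayloadDisplayName": "Restrictions",
         "forceDelayedSoftwareUpdates": True,
         "enforcedSoftwareUpdateMinorOSDeferredInstallDelay": 90,
         "forceDelayedMajorSoftwareUpdates": True,
         "enforcedSoftwareUpdateDelay": 45},
        {"PayloadType": "com.apple.wifi.managed", "PayloadDisplayName": "Wi-Fi"},
    ],
})

if __name__ == "__main__":
    for name, switch, days in audit_deferrals(SAMPLE_PROFILE):
        print(f"{name}: {switch} defers updates {days} days")
```

The function expects an unsigned profile; a signed .mobileconfig has to be unwrapped before plistlib can parse it.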
9to5Mac’s take