ClickFix social-engineering initial access campaign
Campaign
Summary
In 2025, ClickFix spread across dozens of threat clusters, turning a social-engineering prompt into a widespread initial access path that increased compromise risk. The technique relied on phishing pages that pushed users to run PowerShell or other system-level commands under the guise of fixes or verification. Variants used CAPTCHAs, meeting-invitation checks, software updates, and compliance prompts to widen reach.
Related Happenings
Code of conduct-themed Microsoft AiTM phishing campaign
Campaign
First: 05.05.2026 09:35
Last: 05.05.2026 09:35
Sources 1
About this happening:
A **large-scale phishing campaign** used code of conduct-themed lures and **legitimate email services** to push victims to attacker-controlled domains and steal **authentication t...
Silent subject/null subject phishing campaign targeting executives and privileged users
Campaign
First: 22.04.2026 16:00
Last: 22.04.2026 16:00
Sources 1
About this happening:
A **widespread silent subject/null subject phishing campaign** is sending subject-less emails to **high-value users**, raising the risk of **credential theft** and follow-on **lat...
W3LL Microsoft 365 adversary-in-the-middle phishing campaign
Campaign
First: 13.04.2026 21:55
Last: 13.04.2026 21:55
Sources 1
About this happening:
The **W3LL** phishing operation turned into a high-volume **Microsoft 365** credential-theft campaign, exposing **more than 17,000 victims worldwide** to **BEC** risk. The kit use...
2025 Rise in legitimate-access intrusions across enterprise sectors
Target Trend
First: 01.04.2026 17:05
Last: 01.04.2026 17:05
Sources 1
How related:
SSL VPN abuse accounted for 32.8 percent of all identifiable incidents, making it one of the most common initial access vectors.
About this happening:
**Legitimate access abuse** is now a leading intrusion pattern across **2025** investigations, increasing the risk of stealthy compromise across **manufacturing, healthcare, MSPs,...
Venom Stealer MaaS continuous credential theft and exfiltration
Malware Activity
First: 01.04.2026 16:30
Last: 01.04.2026 16:30
Sources 1
About this happening:
The **Venom Stealer** **malware-as-a-service** platform has been identified as a **credential-theft** threat that keeps exfiltrating data after infection, extending the window for...
Timeline
- 23.03.2026 17:35 2 articles · 2mo ago
ClickFix social-engineering initial access campaign
Initial Disclosure
The campaign began with **phishing-page prompts** that induced users to run commands themselves, often under the pretense of a fix or verification. That initial interaction created a low-friction path to **first-stage access**.
- High-Tech Sector Overtakes Finance as Top Target for Cyber-Attacks, Mandiant Reports — www.infosecurity-magazine.com — 23.03.2026 17:35
- Routine Access Is Powering Modern Intrusions, a New Threat Report Finds — www.bleepingcomputer.com — 01.04.2026 17:05