Push Security Tackles Surging 'ClickFix' Browser Attacks
With social engineering attacks that trick users into copying malicious code up over 500%, a new tool aims to stop them by securing the browser itself.
Push Security Launches New Defense Against Surging 'ClickFix' Browser Attacks
BOSTON, MA – December 17, 2025 – As cybercriminals increasingly turn to sophisticated social engineering tactics that bypass traditional security, Boston-based Push Security has unveiled a new weapon in the fight: malicious copy-and-paste detection. The feature, integrated into its browser security platform, is designed to neutralize a rapidly growing family of threats known as ClickFix attacks, which manipulate users into becoming unwitting accomplices in their own compromise.
Recent industry data paints a stark picture of the threat's escalation. One report from cybersecurity firm ESET noted a staggering 517% surge in ClickFix-style detections in the last six months alone, while another study cited a 400% year-over-year increase in associated malicious links. These attacks have been linked to numerous high-profile breaches across finance, healthcare, and government sectors, often serving as the initial entry point for data theft and ransomware deployment.
“ClickFix is now one of the most effective ways attackers have at their disposal to steal business data and disrupt operations,” said Jacques Louw, chief product officer at Push Security. “Existing email and network security tools struggle to detect it during delivery, and endpoint controls are being routinely bypassed during execution.”
Push Security’s new capability directly targets the core mechanism of these attacks by monitoring copy-and-paste events within the browser, aiming to stop the threat before a user can execute malicious code on their machine.
The Anatomy of a Browser-Based Deception
Unlike traditional phishing that relies on fake login pages to steal credentials, ClickFix attacks exploit user trust and psychology. The attack chain typically begins when a user encounters a deceptive prompt on a website, which may have been reached via a phishing email, a malicious advertisement, or even a compromised but legitimate site. These prompts are cleverly disguised as familiar web challenges, such as a CAPTCHA test, a page loading error, or a request to fix a display issue.
When the user clicks a button like “Fix It” or “Verify,” a malicious script—often a PowerShell command—is silently copied to their computer’s clipboard. The webpage then instructs the user to complete the “fix” by opening a command-line tool (like the Windows Run dialog) and pasting the content from their clipboard. Believing they are performing a harmless troubleshooting step, the user executes the command, unknowingly unleashing malware onto their system.
This method is dangerously effective because it uses legitimate system tools and relies on user-initiated action, a combination that frequently evades conventional endpoint detection and response (EDR) solutions that are hunting for malicious files or unauthorized processes. The initial lure is often delivered through channels that bypass email security filters, making the browser the primary and often unprotected battleground.
Bypassing the Un-Bypassable: The Emergence of 'ConsentFix'
Highlighting the rapid evolution of these techniques, Push Security's research team recently uncovered a novel variant of the attack they have dubbed “ConsentFix.” This browser-native attack represents a significant escalation, as it is capable of achieving a full Microsoft account takeover while bypassing even phishing-resistant authentication methods like multi-factor authentication (MFA) and passkeys.
ConsentFix attacks lure a target, often through search engine results leading to a compromised website, to a page with a fake authentication challenge. The user is redirected to a legitimate Microsoft login page to sign in. If they are already authenticated, no credentials are required. The process generates a temporary OAuth authorization code in the browser's address bar. The user is then tricked into copying this entire URL—containing the sensitive code—and pasting it back into the attacker's page. This action completes a malicious OAuth consent grant, giving the attacker persistent access to the user's account and associated data via APIs, all without ever stealing a password or triggering an MFA prompt.
This technique is particularly insidious because it abuses trusted first-party applications and occurs entirely within the browser, leaving few traces for traditional security tools to find. It demonstrates that as organizations fortify their identity and access management (IAM) strategies, attackers are innovating to exploit the remaining gaps, with the user's own browser being the path of least resistance.
A New Defense Paradigm: Securing the 'Last Mile'
Push Security’s approach is to intervene at the precise moment of compromise. By deploying a lightweight agent inside the browser, the platform monitors user activity in real time. The new malicious copy-and-paste detection feature analyzes the content being copied and the context in which it occurs. It is designed to distinguish between legitimate code snippets a developer might copy from GitHub and the malicious scripts characteristic of ClickFix attacks.
If a malicious script is detected during a copy event, the action is blocked, and both the user and the security team are alerted. This preemptive block prevents the malicious payload from ever reaching an executable environment on the local machine, effectively cutting off the attack chain at its earliest stage.
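As an added illustration of the detection idea described above (this is example code, not Push Security's implementation), the snippet below scores copied text for the ClickFix traits the article lists (a PowerShell launcher, hidden window, policy bypass, remote download and eval, as pasted into the Run dialog) and for the ConsentFix pattern (a lone Microsoft login URL carrying an OAuth authorization code), then cancels the copy when the score crosses a threshold. The rules, weights, threshold and hook points are assumptions, and the sample strings are constructed and inert.

```javascript
// Added example, not Push Security's code: a browser-side copy guard that scores
// copied text for ClickFix-style "paste this into Run" payloads and ConsentFix-style
// OAuth authorization-code URLs, cancelling the copy when the score crosses a
// threshold. Rules, weights, threshold and hook points are assumptions.
const RULES = [  // benign developer snippets rarely combine several of these in one line
  { name: "shell-launcher",  weight: 2, re: /\b(powershell(\.exe)?|pwsh|mshta|cmd(\.exe)?\s+\/c)\b/i },
  { name: "hidden-window",   weight: 2, re: /-(w|windowstyle)\s+h(idden)?\b/i },
  { name: "policy-bypass",   weight: 2, re: /-(ep|executionpolicy)\s+bypass\b/i },
  { name: "encoded-command", weight: 3, re: /-(e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]{16,}/i },
  { name: "remote-fetch",    weight: 2, re: /\b(iwr|invoke-webrequest|invoke-restmethod|downloadstring|curl|wget)\b/i },
  { name: "eval",            weight: 3, re: /\b(iex|invoke-expression)\b/i },
];
const BLOCK_THRESHOLD = 5;

// ConsentFix signal: the copied text is a lone URL on the Microsoft login host
// whose query string carries an OAuth authorization code.
function looksLikeOAuthCodeUrl(text) {
  const t = text.trim();
  if (/\s/.test(t)) return false;  // a single URL, not a paragraph of text
  try {
    const u = new URL(t);
    return /(^|\.)login\.microsoftonline\.com$/i.test(u.hostname) && u.searchParams.has("code");
  } catch (_) { return false; }
}

// Returns { block, score, reasons } for one piece of copied text.
function assessCopiedText(text) {
  const reasons = [];
  let score = 0;
  for (const r of RULES) if (r.re.test(text)) { score += r.weight; reasons.push(r.name); }
  if (looksLikeOAuthCodeUrl(text)) { score += BLOCK_THRESHOLD; reasons.push("oauth-code-url"); }
  return { block: score >= BLOCK_THRESHOLD, score, reasons };
}

// Programmatic copies (navigator.clipboard.writeText) are the usual ClickFix route:
// wrap the method so flagged text is rejected before it reaches the clipboard.
function guardClipboardWrite(clipboard, report = () => {}) {
  const original = clipboard.writeText.bind(clipboard);
  clipboard.writeText = (text) => {
    const verdict = assessCopiedText(String(text));
    if (!verdict.block) return original(text);
    report(verdict);
    return Promise.reject(new Error("copy blocked: " + verdict.reasons.join(",")));
  };
}

if (typeof navigator !== "undefined" && navigator.clipboard) guardClipboardWrite(navigator.clipboard, console.warn);
if (typeof document !== "undefined")  // selection-based copies: cancel the event when the selected text is flagged
  document.addEventListener("copy", (e) => { if (assessCopiedText(String(getSelection())).block) e.preventDefault(); }, true);
```

A developer copying an ordinary PowerShell pipeline or a fetch() call scores zero and passes, while the combined launcher/hidden/bypass/download/eval pattern and the login-URL-with-code pattern are both rejected.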
“We see attack techniques like ClickFix evolve faster than traditional defenses can keep up. So for us, it is key to study attacker behavior in depth and design protections around the actions they can’t avoid,” Louw explained. “This research-driven approach allows us to deliver practical, universally effective controls that other vendors often overlook.”
The company asserts this method provides universal protection against all ClickFix variants without the heavy-handed approach of some Data Loss Prevention (DLP) tools that might block all copy-paste functions, thus ensuring a seamless experience for employees and maintaining productivity.
The Shifting Battleground of Enterprise Security
The rise of attacks like ClickFix and ConsentFix underscores a fundamental shift in the cybersecurity landscape. With the widespread adoption of SaaS applications and remote work, the browser has become the de facto operating system for the modern workforce—and consequently, a primary target for attackers. This reality challenges the efficacy of security architectures built around protecting the network perimeter and the traditional endpoint.
Browser-based attacks exploit the gap between network security, which may not see the malicious content on an encrypted site, and endpoint security, which may only react after a malicious command is already running. By positioning itself as “EDR for the browser,” Push Security is part of a growing movement to bring security controls directly to this critical layer of user interaction.
This strategy aligns with the principles of a Zero Trust security model, which assumes no implicit trust and seeks to verify every action. Securing the browser allows organizations to enforce granular policies, gain visibility into session-level risk, and protect against threats like session hijacking, malicious extensions, and credential stuffing in real time. As attackers continue to innovate by targeting human behavior, proactive defenses that operate where users work are becoming not just an advantage, but a necessity for modern enterprises.