At YourNewsClub, we observe a silent but alarming shift: attackers are no longer focused on forcefully breaching infrastructure. Instead, they infiltrate legitimate operational routines, copying the tone, timing and procedural language of IT support. This is the essence of ClickFix – a new class of attacks where the user initiates the compromise themselves, convinced they are following standard corporate protocol.
During the last observed cycle, ClickFix became the leading initial access vector – responsible for 47% of intrusions, surpassing classic phishing at 35%. This is not a tactical anomaly – it is a change of battlefield. The contest is no longer for email credentials alone, but for the right to define what counts as a “normal user action.”
ClickFix relies on a carefully staged escalation: a notification imitation, followed by email bombing to flood the inbox and bury legitimate MFA or security alerts, then a phone call from a fake “support technician”, and finally – a seemingly legitimate request to install remote access software. No malicious .exe files, no obviously harmful links – attackers use approved RMM tools that corporate systems are trained to trust.
The user does not “fall for a phishing link”. The user clicks “Allow Support”, believing it to be routine.
As YourNewsClub infrastructure risk analyst Owen Radner puts it:
“This is no longer a protocol-level attack. It’s a scenario hijack. Attackers don’t break into the system – they walk in through the door marked ‘Help Desk’.”
In this model, email bombing is not noise – it is a calculated suppression field, designed to drown out genuine MFA prompts and fraud alerts. The attacker does not impersonate a spammer – they impersonate operational staff. We note a structural shift: the more attackers mimic internal workflows, the less technical their intrusion needs to be.
Crucially, link filtering and URL-based threat detection are losing effectiveness, because the attack has moved into the conversational layer – chat threads, Teams calls, voice prompts, personalized guidance. Behavior has overtaken content as the core security surface.
YourNewsClub tech systems analyst Jessica Larn articulates the shift:
“Security has been trained to protect code. But ClickFix proves that vulnerability has moved into ritual. Whoever governs the support procedure governs access – regardless of how secure the system itself is.”
If this trend continues, companies will have to transition from content filtering to governance of escalation protocols, including:
Validating who is allowed to initiate a support session, not just what files they send.
Mandatory trust logs for remote assistance actions, not just audit records after compromise.
Strict allow-lists for remote administration tools, banning all spontaneous installations.
Ritual-based authorization – not “install software,” but “authorize a specific action tied to a ticket,” validated outside the active communication channel.
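The four controls above can be combined into a single check that runs before a remote-assistance session is allowed to start. The following is an added example, not code from YourNewsClub or any vendor; the tool names, staff IDs, thresholds, ticket numbers and event records are all constructed assumptions.

```python
from datetime import datetime, timedelta

# Assumed policy values (hypothetical; tune per environment).
APPROVED_RMM = {"corp-remote-assist"}        # allow-listed remote administration tools
HELPDESK_STAFF = {"hd-jsmith"}               # identities allowed to initiate a session
BURST_COUNT = 50                             # inbound mails that count as a flood
BURST_WINDOW = timedelta(minutes=10)
FOLLOW_WINDOW = timedelta(minutes=60)        # a session this soon after a flood is suspect

def mail_floods(events, user):
    """Timestamps at which `user` had >= BURST_COUNT inbound mails inside BURST_WINDOW."""
    times = sorted(e["ts"] for e in events if e["type"] == "mail_in" and e["user"] == user)
    floods, start = [], 0
    for end, ts in enumerate(times):
        while ts - times[start] > BURST_WINDOW:   # slide the window's left edge forward
            start += 1
        if end - start + 1 >= BURST_COUNT:
            floods.append(ts)
    return floods

def review_session(session, events, tickets):
    """Return policy findings for one session request; an empty list means allow."""
    findings = []
    if session["tool"] not in APPROVED_RMM:
        findings.append("tool_not_allow_listed")
    if session["initiator"] not in HELPDESK_STAFF:
        findings.append("initiator_not_help_desk")
    ticket = tickets.get(session["ticket"])
    if ticket is None or ticket["user"] != session["user"]:
        findings.append("no_matching_ticket")
    elif not ticket["confirmed_out_of_band"]:     # confirmation must come from another channel
        findings.append("ticket_not_confirmed_out_of_band")
    floods = mail_floods(events, session["user"])
    if any(timedelta(0) <= session["ts"] - f <= FOLLOW_WINDOW for f in floods):
        findings.append("follows_mail_flood")
    return findings

# Constructed sample data: alice is mail-bombed, bob has a routine ticketed session.
T0 = datetime(2025, 1, 6, 9, 0)
EVENTS = [{"type": "mail_in", "user": "alice", "ts": T0 + timedelta(seconds=5 * i)} for i in range(60)]
EVENTS += [{"type": "mail_in", "user": "bob", "ts": T0 + timedelta(minutes=30 * i)} for i in range(5)]
TICKETS = {"INC-1001": {"user": "bob", "confirmed_out_of_band": True}}
SUSPECT = {"user": "alice", "tool": "unapproved-remote-tool", "initiator": "unknown-caller",
           "ticket": None, "ts": T0 + timedelta(minutes=20)}
ROUTINE = {"user": "bob", "tool": "corp-remote-assist", "initiator": "hd-jsmith",
           "ticket": "INC-1001", "ts": T0 + timedelta(minutes=45)}
```

Every finding is written to the decision record before the session starts, which is what distinguishes a trust log from an audit record collected after compromise.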
Looking 12–18 months ahead, we expect ClickFix to evolve into a family of procedural attacks, augmented by deepfake voice vishing, synthetic Teams notifications, and AI-driven “assistance scripts.” Antivirus engines will remain blind to such scenarios – the new battleground lies in consent flows, language patterns and human-system interaction interfaces.
At YourNewsClub, we call this a redefinition of the threat perimeter: whoever controls the moment of clicking “Allow Assistance” controls the infrastructure. That control no longer resides in code – it resides in the choreography of human-system interaction.