Microsoft has flagged an evolution of the ClickFix phishing campaign in which attackers direct victims to open Windows Terminal via the Win+X shortcut instead of the Run dialog, then paste malicious PowerShell commands. This bypasses security awareness training focused on the Run dialog and evades detections tuned to that pattern. The attack chains are also more sophisticated, using hex-encoded commands, LOLBin abuse, scheduled task persistence, Defender exclusions, and EtherHiding techniques. Security experts note that the Win+X tactic itself isn't new (it has been in use for at least six months), but stress that employee education remains critical. Recommended defenses include enforcing PowerShell execution policy restrictions and enabling script block logging.
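
With script block logging enabled, the recorded blocks can be triaged for three of the behaviours named above: hex-encoded commands, Defender exclusions, and scheduled task persistence. The following is an added example, not code from Microsoft or the original article; the regexes and the sample event 4104 records are assumptions constructed for illustration.

```python
import re

# Patterns are assumptions of this example, modelled on the behaviours named in
# the summary; they are not Microsoft's published detection logic.
HEX_BLOB = re.compile(r"(?:[0-9A-Fa-f]{2}){40,}")  # 80+ contiguous hex characters
HEX_DECODE = re.compile(r"ToByte\(.{0,80}?,\s*16\)|FromHexString", re.I)
PATTERNS = {
    "defender_exclusion": re.compile(
        r"\b(?:Add|Set)-MpPreference\b[^\n]*-Exclusion(?:Path|Process|Extension)", re.I),
    "scheduled_task": re.compile(
        r"\bRegister-ScheduledTask\b|\bschtasks(?:\.exe)?\s+/create\b", re.I),
}

def indicators(text):
    """Names of the indicators present in one script block, sorted."""
    found = [name for name, rx in PATTERNS.items() if rx.search(text)]
    # A long hex string alone is often a hash; require a decode call beside it.
    if HEX_BLOB.search(text) and HEX_DECODE.search(text):
        found.append("hex_encoded_command")
    return sorted(found)

def triage(events):
    """(ScriptBlockId, indicators) for every event ID 4104 record that matches."""
    hits = []
    for ev in events:
        if ev.get("EventID") != 4104:  # 4104 = script block logging
            continue
        names = indicators(ev.get("ScriptBlockText", ""))
        if names:
            hits.append((ev["ScriptBlockId"], names))
    return hits

# Constructed records; the hex payload decodes to a harmless Write-Output line.
_HEX = ("Write-Output 'constructed sample'".encode().hex()) * 2
SAMPLE = [
    {"EventID": 4104, "ScriptBlockId": "sb-1",
     "ScriptBlockText": "Get-ChildItem C:\\Users | Measure-Object"},
    {"EventID": 4104, "ScriptBlockId": "sb-2",
     "ScriptBlockText": f"$h='{_HEX}'; [Convert]::ToByte($h.Substring(0,2),16)"},
    {"EventID": 4104, "ScriptBlockId": "sb-3",
     "ScriptBlockText": "Add-MpPreference -ExclusionPath 'C:\\constructed'\n"
                        "Register-ScheduledTask -TaskName 'Constructed' -Action $a"},
    {"EventID": 4103, "ScriptBlockId": "sb-4",
     "ScriptBlockText": "Register-ScheduledTask -TaskName 'Constructed'"},
]

if __name__ == "__main__":
    for block_id, names in triage(SAMPLE):
        print(block_id, names)
```

Administrative scripts legitimately register tasks and set exclusions, so matches are leads for review rather than verdicts; the combination of indicators within one session is the stronger signal.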