TelcoNews UK - Telecommunications news for ICT decision-makers

EvilProxy & ClickFix attacks pose new challenge for email security

Wed, 11th Jun 2025

Barracuda Networks has reported the emergence of two new email-based cyber threats that are targeting organisations across the globe and are designed to evade conventional detection methods.

According to threat analysts, a resurgence of the EvilProxy phishing kit is behind a spate of recent attacks that incorporate new strategies to entice recipients into jeopardising their credentials. Simultaneously, a social engineering method called 'ClickFix' is becoming more common among both nation-state threat actors and cybercriminal groups.

EvilProxy resurgence

Barracuda's investigations show that EvilProxy, identified as a dominant Phishing-as-a-Service (PhaaS) operation in early 2025, has returned with updated techniques. An initial wave sees attackers impersonating the Upwork freelance platform. Targeted users receive what appears to be a legitimate email claiming to confirm payment for recent work, seemingly sent by a trusted Upwork customer.

The email contains a link purporting to show payment details. If the recipient clicks through, they are taken first to a ShareFile page containing another link. Selecting this link leads to a verification page, with the aim of establishing authenticity in the victim's mind. Ultimately, users are redirected to a counterfeit login screen mimicking Microsoft services—at this point, attackers attempt to steal Microsoft login credentials and gain access to personal or organisational data.

Barracuda also identified a variation on typical invoice scams, involving multiple layers of attachments. The process starts with a payment confirmation email accompanied by a .msg attachment claiming to be a remittance note. Within this attachment, an embedded image is made to look like a PDF file; if clicked, it leads via a malicious link to a Cloudflare Turnstile verification page. After completing this verification, the victim arrives at a phishing site designed to harvest login credentials.

These additional verification steps are intended to make the phishing attempt appear more believable and to bypass security tools that rely on automation. As described by Barracuda, "The Turnstile verification makes it harder for automated security tools to spot the EvilProxy phishing site that the user is directed to after passing the Turnstile verification. The phishing page is designed to steal the victim's login credentials."

EvilProxy attacks also include a series of campaigns exploiting the widespread use of Microsoft 365. The attackers have been observed sending fake Microsoft 365 login alert emails. These messages impersonate reputable security vendors and warn the recipient of an alleged security threat—typically an attempt by an unknown IP address to access the account repeatedly.

These warnings are intended to create urgency, prompting users to 'block' the suspicious activity by clicking an embedded link. This link directs them to a fraudulent Microsoft login page set up to steal the victim's credentials. The campaign's effectiveness relies in part on using multiple subject lines with consistent body text, which allows future iterations of the attack to evade some security detection tools.
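One way a mail team could surface the rotating-subject pattern described above is to fingerprint each body after masking the parts that vary per message, then look for one fingerprint arriving under several subjects. This is an added example, not Barracuda's detection logic; the message fields, the sample messages and the threshold of three subjects are assumptions constructed for illustration.

```python
import hashlib
import re
from collections import defaultdict

URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)
IPV4_RE = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")


def body_fingerprint(body):
    """Hash the body after masking the parts a campaign varies per message."""
    text = URL_RE.sub("<url>", body.lower())
    text = IPV4_RE.sub("<ip>", text)
    text = re.sub(r"\d+", "<n>", text)
    text = re.sub(r"\s+", " ", text).strip()
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def rotating_subject_clusters(messages, min_subjects=3):
    """Return bodies that arrived under at least min_subjects distinct subjects."""
    clusters = defaultdict(lambda: {"subjects": set(), "ids": []})
    for msg in messages:
        cluster = clusters[body_fingerprint(msg["body"])]
        cluster["subjects"].add(msg["subject"].strip().lower())
        cluster["ids"].append(msg["id"])
    return [
        {"fingerprint": fp, "subjects": sorted(c["subjects"]), "ids": c["ids"]}
        for fp, c in clusters.items()
        if len(c["subjects"]) >= min_subjects
    ]


# Constructed sample mail (documentation IP ranges and .example domains).
_ALERT = "Unusual sign-in attempts from {ip} were detected on your Microsoft 365 account.\nBlock this activity: {url}"
SAMPLE_MESSAGES = [
    {"id": "m1", "subject": "Security alert: sign-in blocked",
     "body": _ALERT.format(ip="203.0.113.7", url="https://login.example/a1")},
    {"id": "m2", "subject": "Action required on your account",
     "body": _ALERT.format(ip="198.51.100.24", url="https://portal.example/zz9")},
    {"id": "m3", "subject": "Suspicious login detected",
     "body": _ALERT.format(ip="192.0.2.55", url="https://verify.example/q")},
    {"id": "m4", "subject": "Weekly newsletter", "body": "This week: 3 new product updates."},
]

if __name__ == "__main__":
    for cluster in rotating_subject_clusters(SAMPLE_MESSAGES):
        print(cluster["ids"], cluster["subjects"])
```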

Recent examples seen by Barracuda mirror those seen elsewhere: they target organisations in the hospitality sector, with the sender pretending to be someone called "David" who had booked a hotel room via Booking.com but never received confirmation.

Social engineering and ClickFix

The ClickFix technique marks a shift in tactics by cybercriminals as it does not depend on malware-laden attachments or malicious links. Instead, this approach uses social engineering to manipulate targets into entering specific commands into Windows dialog boxes, permitting malicious command execution.

Barracuda threat analysts have tracked ClickFix attacks, some of which have targeted the hospitality sector. Attackers send emails, in some cases posing as a customer named "David," stating an issue with an online booking via Booking.com. The email leverages emotive language and requests the recipient to verify a reservation before the supposed customer loses money. A "Sent from iPhone" signature is added to enhance the message's plausibility.

Two main ClickFix attack variants have been observed. In the first, after the target clicks a link, they are taken to a verification page mimicking a legitimate "I'm not a robot" check. Here, they are instructed to press keyboard shortcuts to open the Windows Run dialog, paste in a command (which is silently copied to the clipboard when they click a "Verify" button), and press Enter. This causes malware to be downloaded and run on the victim's machine, granting covert access to attackers.

The second variant skips the "Verify" button and instead uses a familiar checkbox-style CAPTCHA. Once clicked, it displays a brief loading animation and silently copies malicious code to the clipboard. This code leverages legitimate Windows tools, specifically HTML Application (HTA) files, which, while not inherently harmful, are frequently misused to execute malicious scripts. In analysed cases, these scripts connect to a remote server, with a likely intent to download further harmful files or execute code remotely.

In both cases, the attackers' goal is to deliver and run malicious code with minimal user interaction, using trusted Windows components to bypass security software and silently compromise the system.
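For defenders, the Run-dialog step in both variants leaves a recognisable process-creation pattern: a script host started by explorer.exe with a remote URL on its command line. The following is an added detection sketch, not code from Barracuda or from the article; the record field names, the script-host list and the sample events are assumptions constructed for illustration.

```python
import re
from pathlib import PureWindowsPath
from urllib.parse import urlsplit

# Windows programs that can fetch and run remote content from one command line.
SCRIPT_HOSTS = {"mshta.exe", "powershell.exe", "pwsh.exe", "cmd.exe"}
URL_RE = re.compile(r"https?://[^\s\"']+", re.IGNORECASE)


def exe_name(path):
    return PureWindowsPath(path).name.lower()


def find_run_dialog_candidates(events):
    """Flag script hosts started by explorer.exe with a remote URL argument."""
    findings = []
    for ev in events:
        # Programs typed into the Run dialog start as children of explorer.exe.
        if exe_name(ev["parent_image"]) != "explorer.exe":
            continue
        child = exe_name(ev["image"])
        if child not in SCRIPT_HOSTS:
            continue
        urls = URL_RE.findall(ev["command_line"])
        if not urls:
            continue  # a shell opened locally, with nothing fetched remotely
        findings.append({
            "host": ev["host"],
            "user": ev["user"],
            "process": child,
            "remote_hosts": sorted({urlsplit(u).hostname for u in urls}),
        })
    return findings


# Constructed sample records; field names are assumptions, not a vendor schema.
FIELDS = ("host", "user", "parent_image", "image", "command_line")
SAMPLE_EVENTS = [dict(zip(FIELDS, row)) for row in [
    ("frontdesk-01", "reception", r"C:\Windows\explorer.exe", r"C:\Windows\System32\mshta.exe", "mshta https://files.example/booking.hta"),
    ("frontdesk-01", "reception", r"C:\Windows\explorer.exe", r"C:\Windows\System32\notepad.exe", "notepad rates.txt"),
    ("it-admin-02", "sysadmin", r"C:\Windows\explorer.exe", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "powershell -NoProfile"),
    ("backoffice-03", "accounts", r"C:\Windows\explorer.exe", r"C:\Program Files\Google\Chrome\Application\chrome.exe", "chrome https://intranet.example/"),
]]

if __name__ == "__main__":
    for finding in find_run_dialog_candidates(SAMPLE_EVENTS):
        print(finding)
```

A hit is a triage lead rather than a verdict, since administrators also start shells from the Run dialog.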

According to Barracuda's threat analysts, these methods rely on "duping users into adding malicious commands themselves, and this makes such attacks harder for automated security systems to spot."

Barracuda's analysts note that the advancement of both EvilProxy and ClickFix represents a deliberate effort by cybercriminals to bypass automated detection and social defences, making the development of adaptive and user-focused defence measures increasingly important for organisations facing these threats.
