Why Reissuing a Device Without Proper Cleanup Is a Huge Security Risk
Observation Summary
A device with an unresolved compromise history was handed over to a new employee without undergoing proper remediation or reimaging. While the original incident involved a browser-based social engineering attack where a user was manipulated into running a malicious command on their own machine, the broader issue here is not the attack technique itself.
It is the assumption that a previously used device is safe simply because the old user has left.
Without a verified, documented cleanup process, any device that changes hands carries unknown security risks into the hands of someone who has done nothing wrong.
A device previously involved in a ClickFix variant attack was handed over to a new employee without undergoing proper remediation or reimaging.
Who This Impacts
This issue is relevant to anyone involved in the device lifecycle.
- IT teams managing hardware provisioning
- HR teams coordinating onboarding
- Leadership responsible for ensuring new employees start in a safe and trusted environment
- CISOs, because the risk does not stay contained to the device; it can follow the new user into the broader network
How Devices Get Compromised Without Anyone Noticing
Modern attack techniques do not always announce themselves. One increasingly common example is browser-based social engineering — where a user visits a compromised website and is presented with a convincing prompt instructing them to run a command on their own machine. The user does it willingly, believing it is legitimate.
There is no malicious email attachment, no suspicious download, and often no alert from endpoint protection tools. The result can be persistent malware, harvested credentials, or a backdoor that survives across reboots — all sitting quietly on the device long after the original user has moved on.
Why “Good Enough” Cleanup Is Not Enough
Deleting a user profile, resetting a password, or uninstalling a few applications does not constitute remediation. Threats that establish persistence do so in places that survive those actions — scheduled tasks, registry run keys, startup folders, browser data stores, and firmware in some advanced cases. A new employee logging into a device that has had a surface-level cleanup may unknowingly be sharing that machine with whatever was left behind.
This is why organizations invest in advanced data security services to detect, prevent, and eliminate persistent threats across devices.
ProArch SOC Observations
ClickFix is a social engineering technique where a user visits a compromised or malicious website and is presented with a fake error or CAPTCHA prompt that instructs them to paste and run a command — usually in the Windows Run dialog or PowerShell. The user does it themselves, believing it is a legitimate fix.
A malicious PowerShell command was found embedded in both the device’s Scheduled Tasks and Registry run keys — two of the most common locations attackers use to ensure their foothold survives reboots and user profile changes.
The command was structured to run silently in the background, invisible to the end user, and was recorded under the registry key “Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU”:
The comment appended to the command — “I am not a robot – reCAPTCHA Verification Hash: 8348” — is a direct fingerprint of the ClickFix social engineering lure. It is the text the user was instructed to paste, disguised as a CAPTCHA verification step.
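The two persistence locations named above, plus the RunMRU history that recorded the pasted command, are straightforward to sweep from an elevated PowerShell session. The triage script below is an added example, not ProArch's tooling; the lure markers are taken from the comment quoted above, and the list of suspicious PowerShell switches is an assumption about what a hidden, download-and-execute command typically carries. It also covers the "review for signs of persistence" step in the recommendations.

```powershell
# Added triage example (not the page's or ProArch's own code). Run elevated on the suspect host.
# Flags Run/RunOnce values, Run-dialog history (RunMRU) and scheduled-task actions that carry
# the ClickFix lure text or the switches a hidden download-and-execute command usually needs.

$lureMarkers     = @('I am not a robot', 'reCAPTCHA', 'Verification Hash')      # from the observed comment
$suspiciousFlags = @('-enc', '-EncodedCommand', '-w hidden', '-WindowStyle Hidden', '-nop',
                     'IEX', 'Invoke-Expression', 'DownloadString', 'mshta')   # assumed indicators

function Test-Suspicious {
    param([string]$Text)
    if ([string]::IsNullOrWhiteSpace($Text)) { return $false }
    foreach ($marker in ($lureMarkers + $suspiciousFlags)) {
        if ($Text -like "*$marker*") { return $true }   # -like is case-insensitive
    }
    return $false
}

$findings = @()

# 1. Registry: machine-wide Run keys, then Run/RunOnce/RunMRU for every loaded user hive
$regPaths = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run'
)
foreach ($hive in (Get-ChildItem 'Registry::HKEY_USERS' | Where-Object { $_.PSChildName -notlike '*_Classes' })) {
    $base = "Registry::HKEY_USERS\$($hive.PSChildName)\Software\Microsoft\Windows\CurrentVersion"
    $regPaths += "$base\Run", "$base\RunOnce", "$base\Explorer\RunMRU"
}
foreach ($path in $regPaths) {
    if (-not (Test-Path $path)) { continue }
    $key = Get-Item -Path $path
    foreach ($name in $key.GetValueNames()) {          # raw value names, no provider metadata
        $value = [string]$key.GetValue($name)
        if (Test-Suspicious $value) {
            $findings += [pscustomobject]@{ Source = $path; Name = $name; Command = $value }
        }
    }
}

# 2. Scheduled tasks whose action launches a script host with suspicious arguments
foreach ($task in Get-ScheduledTask) {
    foreach ($action in $task.Actions) {
        $cmd = "$($action.Execute) $($action.Arguments)"
        if ($cmd -match 'powershell|pwsh|mshta|cmd\.exe' -and (Test-Suspicious $cmd)) {
            $findings += [pscustomobject]@{ Source = "Task $($task.TaskPath)$($task.TaskName)"; Name = $task.Author; Command = $cmd }
        }
    }
}

$findings | Format-Table -AutoSize -Wrap
```

A hit in RunMRU alone shows the lure was pasted into the Run dialog; a matching Run key or task shows it also established persistence, which is the case this page describes.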
Why It Matters
New Employee Risk — A new user on a compromised device may hand an attacker fresh credentials, clean network access, and a trusted identity from their very first day — through no fault of their own.
Persistence Survival — Many compromise techniques are specifically designed to survive standard IT cleanup procedures. Only a full, verified wipe and OS reinstall can be trusted to remove them reliably.
Silent Threat — Some implants leave no detectable signature. A device that appears clean to endpoint tools may still be actively compromised. Absence of alerts is not the same as absence of threat.
Governance and Liability — If a new employee is compromised through a device that was reissued without documented remediation, the accountability falls on the organization’s IT and security processes, not the user.
Microsoft Native Controls
Microsoft’s ecosystem offers several controls that can directly reduce the likelihood and impact of this attack class across all managed devices.
- Attack Surface Reduction (ASR) Rules — Defender’s ASR rules can block obfuscated script execution, prevent process creations originating from PowerShell and WMI commands, and stop downloaded content from executing directly. These rules target the exact behavior observed in this incident and can be deployed at scale via Intune or Group Policy.
- PowerShell Constrained Language Mode — Restricts PowerShell to a limited command set. Enforceable via AppLocker or Windows Defender Application Control (WDAC).
- Windows Defender Application Control (WDAC) — Defines exactly what code is permitted to run on a device. Unsigned or untrusted scripts fetched from remote URLs would be blocked outright before execution, regardless of how they arrived.
- Microsoft Intune, Endpoint Security Policies — The management layer that makes all the above consistent and scalable. ASR rules, PowerShell restrictions, and device compliance policies can be pushed and enforced across every managed device in the organization from a single place.
Recommendations
To reduce risk and align with security best practices:
- Do not reissue any device without a full wipe and OS reinstall. This is the only reliable remediation standard. Partial cleanup steps should not be treated as equivalent.
- Review devices and accounts connected to the original incident. Any user who may have interacted with the compromised environment should have their account and endpoint reviewed for signs of persistence or anomalous activity.
- Identify all devices that have changed hands in the past 12 months without a documented reimaging step and assess whether they require retrospective review.
- Create a mandatory device handover checklist that requires full reimaging, documented sign-off from IT security, and verification before any device is assigned to a new user — no exceptions.
- Limit unnecessary execution privileges for standard users where operationally feasible, reducing the impact of social engineering techniques that rely on users running commands themselves.
Partnering with experts in cybersecurity and device lifecycle management ensures secure device reissuance at scale.
