A device with an unresolved compromise history was handed over to a new employee without undergoing proper remediation or reimaging. While the original incident involved a browser-based social engineering attack where a user was manipulated into running a malicious command on their own machine, the broader issue here is not the attack technique itself.
It is the assumption that a previously used device is safe simply because the old user has left.
Without a verified, documented cleanup process, any device that changes hands carries unknown security risks into the hands of someone who has done nothing wrong.
A device previously involved in a ClickFix variant attack was handed over to a new employee without undergoing proper remediation or reimaging.
This issue is relevant to anyone involved in the device lifecycle.
Modern attack techniques do not always announce themselves. One increasingly common example is browser-based social engineering — where a user visits a compromised website and is presented with a convincing prompt instructing them to run a command on their own machine. The user does it willingly, believing it is legitimate.
There is no malicious email attachment, no suspicious download, and often no alert from endpoint protection tools. The result can be persistent malware, harvested credentials, or a backdoor that survives across reboots — all sitting quietly on the device long after the original user has moved on.
Why “Good Enough” Cleanup Is Not Enough
Deleting a user profile, resetting a password, or uninstalling a few applications does not constitute remediation. Threats that establish persistence do so in places that survive those actions — scheduled tasks, registry run keys, startup folders, browser data stores, and firmware in some advanced cases. A new employee logging into a device that has had a surface-level cleanup may unknowingly be sharing that machine with whatever was left behind.
This is why organizations invest in advanced data security services to detect, prevent, and eliminate persistent threats across devices.
ClickFix is a social engineering technique where a user visits a compromised or malicious website and is presented with a fake error or CAPTCHA prompt that instructs them to paste and run a command — usually in the Windows Run dialog or PowerShell. The user does it themselves, believing it is a legitimate fix.
A malicious PowerShell command was found embedded in both the device’s Scheduled Tasks and Registry run keys — two of the most common locations attackers use to ensure their foothold survives reboots and user profile changes.
The command was structured to run silently in the background, invisible to the end user, and was found under the registry key “Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU”:
The comment appended to the command — “I am not a robot – reCAPTCHA Verification Hash: 8348” — is a direct fingerprint of the ClickFix social engineering lure. It is the text the user was instructed to paste, disguised as a CAPTCHA verification step.
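The persistence locations listed in the cleanup section above (scheduled tasks, Run keys, startup folders) and the lure fingerprint just described can be checked together before a device is reissued. The script below is an added example written for this page, not a tool from the original write-up. It assumes an elevated PowerShell session on the device itself; the indicator pattern is this example's own, built from the lure text quoted above plus generic markers of hidden or encoded PowerShell, and a hit means "review before reissue", not proof of compromise.

```powershell
# Added example: pre-reissue triage sweep for ClickFix-style persistence.
# Assumes: run elevated on the device being reissued. Indicator pattern is
# this example's own (lure text from the write-up + hidden/encoded PS markers).
$IndicatorPattern = '(?i)I am not a robot|reCAPTCHA|Verification Hash|-EncodedCommand|\s-e(nc|c)?\s|' +
                    '-WindowStyle\s+Hidden|\s-w\s+hidden|Invoke-Expression|\biex\b|DownloadString|mshta|Invoke-WebRequest'

function Test-ClickFixIndicator {
    param([string]$Text)
    if ([string]::IsNullOrWhiteSpace($Text)) { return $null }
    $m = [regex]::Match($Text, $IndicatorPattern)
    if ($m.Success) { return $m.Value } else { return $null }
}

$Findings = [System.Collections.Generic.List[object]]::new()
function Add-Finding {
    param([string]$Source, [string]$Location, [string]$Value, [string]$Matched)
    $Findings.Add([pscustomobject]@{
        Source = $Source; Location = $Location; Matched = $Matched
        Value  = $Value.Substring(0, [Math]::Min(200, $Value.Length))   # keep the table readable
    })
}

# 1. Run/RunOnce keys (machine + every loaded user hive) and the Run-dialog
#    history (RunMRU) named in the write-up. Only loaded hives appear under
#    HKEY_USERS; mount the departed user's NTUSER.DAT (reg.exe load) to cover it.
$RegPaths = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run'
)
foreach ($hive in Get-ChildItem 'Registry::HKEY_USERS' | Where-Object { $_.PSChildName -notmatch '_Classes$' }) {
    $base = "Registry::HKEY_USERS\$($hive.PSChildName)\Software\Microsoft\Windows\CurrentVersion"
    $RegPaths += "$base\Run", "$base\RunOnce", "$base\Explorer\RunMRU"
}
foreach ($path in $RegPaths) {
    if (-not (Test-Path $path)) { continue }
    $key = Get-Item -Path $path
    foreach ($name in $key.GetValueNames()) {
        $value = [string]$key.GetValue($name)
        $hit = Test-ClickFixIndicator $value
        if ($hit) { Add-Finding 'Registry' "$path\$name" $value $hit }
    }
}

# 2. Scheduled task actions: the executable plus its arguments.
foreach ($task in Get-ScheduledTask -ErrorAction SilentlyContinue) {
    foreach ($action in $task.Actions) {
        $cmd = ('{0} {1}' -f $action.Execute, $action.Arguments).Trim()
        $hit = Test-ClickFixIndicator $cmd
        if ($hit) { Add-Finding 'ScheduledTask' "$($task.TaskPath)$($task.TaskName)" $cmd $hit }
    }
}

# 3. Startup folders (all-users and each profile). Anything here on a
#    reissued device deserves a look, so every file is reported.
$StartupDirs = @("$env:ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp")
$StartupDirs += Get-ChildItem "$env:SystemDrive\Users" -Directory |
    ForEach-Object { Join-Path $_.FullName 'AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup' }
$shell = New-Object -ComObject WScript.Shell
foreach ($dir in $StartupDirs) {
    if (-not (Test-Path $dir)) { continue }
    foreach ($file in Get-ChildItem -Path $dir -File -Force) {
        # Resolve shortcuts to their real target; read small script files directly.
        $text = if ($file.Extension -eq '.lnk') {
            $lnk = $shell.CreateShortcut($file.FullName); "$($lnk.TargetPath) $($lnk.Arguments)"
        } elseif ($file.Length -lt 1MB) {
            Get-Content -Path $file.FullName -Raw -ErrorAction SilentlyContinue
        } else { '' }
        $hit = Test-ClickFixIndicator $text
        $label = if ($hit) { $hit } else { 'present in Startup folder' }
        Add-Finding 'StartupFolder' $file.FullName $text $label
    }
}

# 4. PSReadLine history: the pasted lure often survives here verbatim.
$HistGlob = "$env:SystemDrive\Users\*\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt"
foreach ($hist in Get-ChildItem -Path $HistGlob -ErrorAction SilentlyContinue) {
    $n = 0
    foreach ($line in Get-Content -Path $hist.FullName) {
        $n++
        $hit = Test-ClickFixIndicator $line
        if ($hit) { Add-Finding 'PSHistory' "$($hist.FullName):$n" $line $hit }
    }
}

if ($Findings.Count -eq 0) {
    Write-Host 'No ClickFix indicators in the locations checked. Absence of hits is not proof of a clean device; reimage before reissue.'
} else {
    $Findings | Format-Table -AutoSize -Wrap
    Write-Host "$($Findings.Count) finding(s): quarantine the device and do not reissue until it has been reimaged."
}
```

The sweep is a triage aid for the handover checklist, not a substitute for the wipe-and-reinstall the article calls for: it only covers hives that are loaded and the locations named on this page, so a clean result still leads to reimaging.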
New Employee Risk — A new user on a compromised device may hand an attacker fresh credentials, clean network access, and a trusted identity from their very first day — through no fault of their own.
Persistence Survival — Many compromise techniques are specifically designed to survive standard IT cleanup procedures. Only a full, verified wipe and OS reinstall can be trusted to remove them reliably.
Silent Threat — Some implants leave no detectable signature. A device that appears clean to endpoint tools may still be actively compromised. Absence of alerts is not the same as absence of threat.
Governance and Liability — If a new employee is compromised through a device that was reissued without documented remediation, the accountability falls on the organization’s IT and security processes, not the user.
Microsoft’s ecosystem offers several controls that can directly reduce the likelihood and impact of this attack class across all managed devices.
These rules target the exact behavior observed in this incident and can be deployed at scale via Intune or Group Policy.
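As an added example of what such controls look like when applied on one endpoint (not the article's own rule list, which is not reproduced here), the script below enables two Defender Attack Surface Reduction rules, turns on PowerShell script block logging, and removes the Run dialog for the current user. It assumes an elevated PowerShell session with Microsoft Defender Antivirus as the active engine; the rule GUIDs are Microsoft's documented ids, but which rules to pick is this example's choice. In production the same settings are pushed through Intune or Group Policy rather than set per device.

```powershell
# Added example: endpoint baseline against the ClickFix pattern.
# Assumes: elevated session; Microsoft Defender Antivirus active (ASR needs it).
# Rule selection is this example's own; GUIDs are Microsoft's documented rule ids.

# 1. Attack Surface Reduction rules. Roll out in AuditMode first, review the
#    ASR events, then switch the action to Enabled (block).
$AsrRules = @{
    '5beb7efe-fd9a-4556-801d-275e5ffc04cc' = 'Block execution of potentially obfuscated scripts'
    '9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2' = 'Block credential stealing from LSASS'
}
foreach ($id in $AsrRules.Keys) {
    Add-MpPreference -AttackSurfaceReductionRules_Ids $id -AttackSurfaceReductionRules_Actions Enabled
}

# 2. Script block logging: the pasted command lands in event 4104 of
#    Microsoft-Windows-PowerShell/Operational even when run with a hidden window.
$Sbl = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'
New-Item -Path $Sbl -Force | Out-Null
Set-ItemProperty -Path $Sbl -Name EnableScriptBlockLogging -Value 1 -Type DWord

# 3. Remove the Run dialog (Win+R), the entry point the lure relies on.
#    GPO equivalent: User Configuration > Administrative Templates >
#    Start Menu and Taskbar > "Remove Run menu from Start Menu".
#    Set here for the current user only; use policy to cover all users.
$Pol = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
New-Item -Path $Pol -Force | Out-Null
Set-ItemProperty -Path $Pol -Name NoRun -Value 1 -Type DWord

# Verification: each rule present with action 1 (Block) and logging enabled.
function Test-ClickFixBaseline {
    $pref    = Get-MpPreference
    $ids     = @($pref.AttackSurfaceReductionRules_Ids)
    $actions = @($pref.AttackSurfaceReductionRules_Actions)
    $ok = $true
    foreach ($id in $AsrRules.Keys) {
        $i = -1
        for ($k = 0; $k -lt $ids.Count; $k++) { if ($ids[$k] -ieq $id) { $i = $k } }
        $state = if ($i -lt 0) { 'missing' } elseif ($actions[$i] -eq 1) { 'Block' } else { "action=$($actions[$i])" }
        if ($state -ne 'Block') { $ok = $false }
        Write-Host ('{0,-55} {1}' -f $AsrRules[$id], $state)
    }
    $logging = (Get-ItemProperty -Path $Sbl).EnableScriptBlockLogging -eq 1
    Write-Host ('{0,-55} {1}' -f 'Script block logging', $(if ($logging) { 'on' } else { 'off' }))
    return ($ok -and $logging)
}
Test-ClickFixBaseline
```

Treat the verification function as the acceptance check for the reissue process: a device that fails it should not leave the build bench, and the same check can be run fleet-wide through the management tooling to confirm the policy actually landed.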
To reduce risk and align with security best practices:
Partnering with experts in cybersecurity and device lifecycle management ensures secure device reissuance at scale.