Microsoft Warns of DNS-Based ClickFix Attack Using Nslookup
Microsoft has disclosed a new variant of the ClickFix social engineering attack that abuses DNS and the Windows nslookup utility to deliver malware. Instead of relying on a conventional web download, attackers trick victims into running DNS queries whose answers carry encoded malicious payloads. Because the transfer rides on DNS, it can slip past web filtering and download monitoring controls that never see an HTTP request. In some cases, attackers used AI-generated content to make the instructions look legitimate. The campaign shows evolving social engineering paired with technical evasion.
When DNS Becomes a Delivery Service for Malware
If you thought DNS was just the internet’s polite way of finding websites, think again. Microsoft has revealed a new twist on the “ClickFix” scam — and this time it’s using DNS as a stealthy delivery mechanism for malware.
From Fake CAPTCHAs to Command Line Tricks
ClickFix attacks typically involve tricking users into running commands under the guise of fixing an issue — often a fake CAPTCHA or browser problem. The new variant takes things up a notch.
Instead of sending victims to download a file from a dodgy website, the attackers tell them to run nslookup commands. The answers to those queries carry the malicious payload in encoded form (the natural place for this is a TXT record, the DNS record type meant for free-form text, under an attacker-controlled domain), so the transfer looks like ordinary name resolution rather than a download.
Corporate firewalls and proxies almost always let DNS through, and a web proxy never sees an HTTP download, so the transfer draws far less scrutiny than a file fetched from a URL. Note that nslookup on its own is not an indicator: administrators run it every day. The tell is an unusually long, encoded TXT answer being pulled down by a user who was told to type the command.
A Dash of AI
In some observed campaigns, attackers used generative AI platforms to post convincing troubleshooting steps online. The instructions appear helpful and legitimate — but they ultimately guide victims into executing the malicious DNS commands themselves.
It’s social engineering with a technical flourish.
Why This Matters
DNS is one of the most trusted components of network infrastructure. Abusing it as a covert channel allows attackers to:
• Bypass web filtering and proxy inspection, which only see HTTP(S)
• Evade download-based detection, since no file is ever fetched from a URL
• Blend malicious traffic into the constant background of legitimate DNS queries
How to Defend Against It
• Restrict command-line and Run-dialog access for users who do not need it; application control (AppLocker or WDAC) can block nslookup.exe and script hosts for standard users
• Monitor DNS queries for anomalies: TXT lookups issued by nslookup.exe or a shell, unusually long or base64-looking answers, and bursts of queries for many subdomains of one newly seen domain
• Log DNS at the endpoint (Sysmon Event ID 22, or the Windows DNS Client operational log) as well as at the resolver, and filter against known-bad domains
• Train staff to refuse any "fix" that involves pasting commands, whatever the source, including AI-generated troubleshooting guides
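The monitoring advice above, and the encoded-TXT-answer pattern the attack relies on, as an added example that is not part of Microsoft's report or this article: a small Python detector run over constructed DNS query log lines. It assumes a generic key=value log shape (issuing process, record type, query name, answer text) rather than any vendor's format, flags TXT answers that carry an encoded blob, notes when nslookup.exe issued them, and groups several such answers under one domain as a chunked transfer. The placeholder text it encodes stands in for the attacker's payload and is harmless; the domains and paths are made up.

```python
"""Flag DNS query log events that look like nslookup-driven payload retrieval.

Added example, not code from Microsoft's report or from this article. The log
lines are constructed for illustration; the key=value log shape (issuing
process, record type, query name, answer text) is an assumption, not any
vendor's format.
"""
from __future__ import annotations

import base64
import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# Harmless placeholder standing in for the encoded payload. In the attack the
# nslookup answers would carry something shaped like this, split across
# several TXT records, for a follow-on command to reassemble and decode.
PLACEHOLDER = b"echo placeholder text for this example; not a real payload"
_B64 = base64.b64encode(PLACEHOLDER).decode()
CHUNKS = [_B64[i:i + 28] for i in range(0, len(_B64), 28)]  # 28 keeps each piece base64-aligned

# Constructed log lines (not real telemetry). Domains and paths are invented.
LOG_LINES = [
    'image="C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe" qtype=A qname=www.example.test answer="93.184.216.34"',
    f'image="C:\\Windows\\System32\\nslookup.exe" qtype=TXT qname=c1.cdn-sync.test answer="{CHUNKS[0]}"',
    f'image="C:\\Windows\\System32\\nslookup.exe" qtype=TXT qname=c2.cdn-sync.test answer="{CHUNKS[1]}"',
    f'image="C:\\Windows\\System32\\nslookup.exe" qtype=TXT qname=c3.cdn-sync.test answer="{CHUNKS[2]}"',
    # A legitimate TXT lookup (SPF) must not trip the rule.
    'image="C:\\Program Files\\Microsoft Office\\root\\Office16\\OUTLOOK.EXE" qtype=TXT qname=example.test answer="v=spf1 include:_spf.example.test -all"',
    # An administrator resolving an A record with nslookup is normal and stays quiet.
    'image="C:\\Windows\\System32\\nslookup.exe" qtype=A qname=intranet.example.test answer="10.0.0.5"',
]

# Command-line resolvers a user can be talked into running by hand.
INTERACTIVE_RESOLVERS = {"nslookup.exe"}

_FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
_B64_RUN = re.compile(r"[A-Za-z0-9+/]{20,}={0,2}")
_HEX_RUN = re.compile(r"(?i)\b[0-9a-f]{32,}\b")


@dataclass
class DnsEvent:
    image: str   # process that issued the query
    qtype: str
    qname: str
    answer: str  # answer text as the log recorded it


def parse_line(line: str) -> DnsEvent:
    """Parse one key=value log line; quoted values may contain spaces."""
    fields = {key: quoted or bare for key, quoted, bare in _FIELD.findall(line)}
    return DnsEvent(fields["image"], fields["qtype"].upper(), fields["qname"].lower(), fields["answer"])


def encoded_blob(answer: str) -> Optional[str]:
    """Return the first run in the answer that decodes as base64 or is long hex."""
    for m in _B64_RUN.finditer(answer):
        token = m.group(0)
        if len(token) >= 24 and len(token) % 4 == 0:
            try:
                base64.b64decode(token, validate=True)
                return token
            except ValueError:
                pass
    m = _HEX_RUN.search(answer)
    return m.group(0) if m else None


def registered_domain(qname: str) -> str:
    # Simplification: the last two labels. Real deployments should consult the
    # Public Suffix List so that example.co.uk does not collapse to co.uk.
    return ".".join(qname.rstrip(".").split(".")[-2:])


def score_event(ev: DnsEvent) -> list[str]:
    """Reasons an event is suspicious. nslookup by itself is not one: admins
    use it daily. The signal is a TXT answer carrying an encoded blob."""
    reasons: list[str] = []
    blob = encoded_blob(ev.answer)
    if ev.qtype == "TXT" and blob:
        reasons.append(f"TXT answer carries a {len(blob)}-char encoded blob")
        exe = ev.image.rsplit("\\", 1)[-1].lower()
        if exe in INTERACTIVE_RESOLVERS:
            reasons.append(f"issued by {exe}, a resolver a user runs by hand")
    return reasons


def detect(lines: list[str]) -> dict:
    """Return per-query findings plus domains that look like chunked transfers."""
    flagged: dict[str, list[str]] = {}
    for ev in map(parse_line, lines):
        reasons = score_event(ev)
        if reasons:
            flagged[ev.qname] = reasons
    # Several encoded TXT answers under one registered domain look like a
    # payload being pulled down in pieces.
    per_domain = Counter(registered_domain(name) for name in flagged)
    chunked = {dom: n for dom, n in per_domain.items() if n >= 2}
    return {"flagged": flagged, "chunked": chunked}


if __name__ == "__main__":
    result = detect(LOG_LINES)
    for name, reasons in result["flagged"].items():
        print(name, "->", "; ".join(reasons))
    print("chunked transfers:", result["chunked"])
```

The SPF lookup and the administrator's A-record query both stay quiet, which is the point: the rule keys on an encoded TXT answer, not on nslookup itself. Tune the 24-character floor to your environment; DKIM and some verification records carry long base64 too, so in production pair this with the issuing process and a per-domain volume threshold rather than firing on a single TXT answer.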
If someone tells you to run a command in the name of “fixing your internet”, pause. DNS should resolve websites — not your company’s security posture.