How does Push detect attacks like ClickFix and FileFix?
An increasingly common form of browser-based attack tricks users into running malicious scripts on their devices — often in the guise of a CAPTCHA or a message prompting them to “fix an error on this webpage.” These attacks are known by names such as ClickFix, FileFix, or fake CAPTCHAs.
Push provides Malicious copy and paste detection to identify these kinds of attacks. It works by looking for indicators of suspicious payloads being copied onto a user’s clipboard.
Detections will appear on the Detections page of the Push admin console and include a timeline of events, a detection URL, optional screenshot and additional enrichment about a detected domain, if available.

Malicious copy and paste detection is in Monitor mode by default. You can create a rule for the control on the Controls page to exclude certain employees or employee groups, if desired. To create an exception group, select Add rule and set the Mode to Off, then select which individuals or employee groups should be excluded from the detection.
Push recommends creating an exception rule for employees who regularly deal with malicious payloads, such as SOC staff.
