What Is ClickFix? The Phishing Trick Hitting Australian Hotels

If you have seen a fake CAPTCHA asking you to “verify you are human” by pressing Windows+R and pasting a command, you have met ClickFix. It is the social engineering technique behind some of the most active phishing campaigns running right now — and as Microsoft warned in its hospitality threat report, Australian hotels and accommodation providers are squarely in the crosshairs.

The attack starts with an email that looks legitimate, often impersonating Booking.com, a payment processor, or internal IT. Staff click through to a page that looks broken: a fake CAPTCHA, a fake error, a fake Blue Screen. The page tells them to press Windows+R, paste a command (which the page has silently put on their clipboard), and hit Enter. That command downloads malware — typically a remote access trojan or an info-stealer. The user thinks they have fixed something. They have actually handed an attacker the keys to the workstation. Microsoft tracks the criminal group running the campaign as Storm-1865, and they specifically target hotel front-desk and reservations staff who are used to fielding urgent booking emails all day.

For Australian hospitality businesses, the practical mitigation is staff training plus platform controls. Make sure front-desk, admin, and finance staff know that no legitimate website will ever ask them to paste a command into Windows Run. Where possible, restrict the Run dialog (Win+R) and PowerShell for non-admin users via Group Policy, and move to a managed endpoint that uses behaviour-based detection rather than relying on signature antivirus alone. The reason ClickFix works is that it sidesteps email filters by getting the victim to run the malware themselves — so the human layer is where you need to be strongest.
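A triage check to go with these controls, as an added example that is not code from the original post: Windows records commands typed into the Run dialog under the per-user RunMRU registry key, so a pass over an exported copy can show whether a workstation has already had a ClickFix-style command pasted into it. The sample values and the indicator patterns below are constructed assumptions, not indicators taken from the Microsoft report.

```python
import re

# Constructed sample of values exported from
# HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU
# (each entry ends in "\1"; MRUList holds the most-recent-first order).
SAMPLE_RUNMRU = {
    "MRUList": "cadb",
    "a": "notepad\\1",
    "b": "\\\\fileserver\\rosters\\1",
    "c": 'powershell -w hidden -c "PLACEHOLDER https://example.invalid/x" # Verify you are human\\1',
    "d": "cmd\\1",
}

# Heuristic indicators (assumptions for this example; tune for your estate).
INDICATORS = {
    "interpreter": re.compile(
        r"\b(powershell|pwsh|cmd|mshta|wscript|cscript|curl|certutil|"
        r"bitsadmin|msiexec|rundll32|regsvr32)(\.exe)?\b", re.I),
    "hidden_or_encoded": re.compile(r"\s-(w|windowstyle)\s+h|\s-e(nc\w*)?\s", re.I),
    "url": re.compile(r"https?://", re.I),
    "lure_text": re.compile(r"not a robot|human|captcha|verif", re.I),
}

def parse_runmru(values):
    # Return Run-dialog commands, most recent first, without the trailing "\1".
    cmds = []
    for letter in values.get("MRUList", ""):
        raw = values.get(letter)
        if raw is not None:
            cmds.append(raw[:-2] if raw.endswith("\\1") else raw)
    return cmds

def indicators(cmd):
    # Names of every indicator pattern that matches this command string.
    return [name for name, rx in INDICATORS.items() if rx.search(cmd)]

def triage(values):
    # Flag entries that launch an interpreter AND show at least one other
    # indicator, so an admin who simply typed "cmd" is not reported.
    findings = []
    for cmd in parse_runmru(values):
        hits = indicators(cmd)
        if "interpreter" in hits and len(hits) >= 2:
            findings.append((cmd, hits))
    return findings

if __name__ == "__main__":
    for cmd, hits in triage(SAMPLE_RUNMRU):
        print(f"SUSPICIOUS {hits}: {cmd}")
```

A hit here means the command was already typed or pasted on that account, so treat it as a prompt to isolate and investigate the workstation rather than as a preventive control.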

Our hospitality IT services team and team cyber safety training can lock this down at both the technical and the human layer if you are not sure where you stand.
