Introduction
No legitimate site asks you to press Windows + R and paste commands. This post explains the risk and how to prevent it.
What it is
Fake verification pages mimic CAPTCHA or security checks. They tell users to press Windows + R, paste a command, and press Enter — executing code copied to the clipboard.
How the attack works
The page copies a command to the clipboard. When pasted into Run, it executes via CMD or PowerShell and often downloads malware, opens a reverse shell, or steals credentials.
Why it succeeds
It abuses trust and urgency. Users think Run is harmless, the page looks official, and many endpoints still allow local command execution.
Mitigations (technical level)
- Remove local admin rights.
- Limit local execution with least-privilege access.
- Block unknown or unsigned scripts with AppLocker or similar.
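
Alongside these controls, a defender can check whether a user has already pasted a command into Run. The following is an added example, not part of the original post: it reads the current user's Run dialog history from the `RunMRU` registry key and flags entries that start CMD or PowerShell with arguments. The function names, the regex and the sample entries are constructed for illustration; `pwsh` (PowerShell 7) is included as an assumption about what may be installed.

```powershell
# Added example: audit Run dialog (Win+R) history for entries that launch
# cmd or PowerShell with arguments, which is what a pasted command looks like.
# Explorer stores each entry as a value named a, b, c ... plus an MRUList value.
$RunMruPath = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU'

function Test-RunEntrySuspicious {
    param([Parameter(Mandatory)][string]$Entry)
    # Stored entries end with "\1"; strip it before matching.
    $cmd = $Entry -replace '\\1$', ''
    # Optional path, then an interpreter name, then at least one argument.
    # "cmd" on its own (just opening a console) is not flagged.
    $pattern = '^\s*"?([^"\s]*\\)?(cmd|powershell|pwsh)(\.exe)?"?\s+\S'
    return ($cmd -match $pattern)
}

function Get-RunHistory {
    # Returns the raw history strings, or nothing if the key does not exist.
    if (-not (Test-Path $RunMruPath)) { return @() }
    $key = Get-ItemProperty -Path $RunMruPath
    $key.PSObject.Properties |
        Where-Object { $_.Name -match '^[a-z]$' } |   # skips MRUList and PS* properties
        ForEach-Object { [string]$_.Value }
}

# Constructed sample entries (not real data) so the logic can be checked offline.
$samples = @(
    'notepad\1',
    '\\fileserver\share\1',
    'cmd\1',
    'powershell -NoProfile -Command "<constructed placeholder>"\1',
    'cmd /c <constructed placeholder>\1'
)

# Classify the samples first, then whatever is in the live history.
foreach ($entry in @($samples) + @(Get-RunHistory)) {
    [pscustomobject]@{
        Entry      = $entry
        Suspicious = (Test-RunEntrySuspicious -Entry $entry)
    }
}
```

The history is per user and holds only a limited number of recent entries, so a clean result does not prove that nothing was pasted.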
User training
- Never paste commands from webpages into Run, terminal, or PowerShell.
- Communicate this rule via your normal channels (meeting, chat, email).