Documenting how ClickArmor evolves, what it catches, and why.
This blog is where ClickArmor detection work gets published in public: evasion techniques, payload analysis, release notes, architectural changes, and writeups on the browser-native attack patterns we keep seeing in the wild.
ClickArmor v1.2.7 — Full LOLBAS Coverage, Remote Rules, and Iframe Evasion Detection
ClickArmor v1.2.7 ships 185 LOLBAS detection rules, remote rule delivery, and detection for Cloudflare impersonation ClickFix attacks delivered via same-origin and cross-origin iframes.
Read articleEngineering ClickArmor — From 2,099 Payloads to 56,000 Phishing URLs
The engineering story behind ClickArmor’s detection engine, validation pipeline, and the techniques that shaped the product.
Read articlePlatform-Hosted Phishing — Detecting Credential Theft on Domains Your Security Stack Trusts
Why phishing on Google Forms, Google Sites, WordPress, Weebly, and other trusted platforms needs brand-aware detection instead of simple domain trust.
Read articleObfuscated Script Loaders — Detecting ClickFix Payloads That Don't Exist Yet
How ClickArmor identifies loader behavior, staged execution, and obfuscated clipboard delivery before the final payload is even present in the page.
Read articledocument.write() Survival — Keeping Detection Alive After DOM Nukes
A look at the browser attack pattern that wipes the page mid-load and the design changes needed to keep detection logic alive through it.
Read articleCyrillic Homoglyph Evasion — Invisible Characters That Bypass Page Analysis
How homoglyph substitution can hide malicious instructions in plain sight and why normalization became necessary inside ClickArmor’s analysis pipeline.
Read articleEm Dash Evasion — How ClickFix Attackers Exploit PowerShell's Unicode Tolerance
A ClickFix payload used an em dash and quote fragmentation to bypass regex detection. Here’s how ClickArmor added normalization to counter it.
Read articlenslookup DNS Staging — Detecting the ClickFix Technique Microsoft Disclosed
Why DNS-based staging matters, what made this ClickFix variant notable, and how the detection logic was adapted to catch it reliably.
Read article