A new FileFix attack allows executing malicious scripts while bypassing the Mark of the Web (MoTW) protection in Windows by exploiting how browsers handle saved HTML webpages.

The technique was devised by security researcher mr.d0x. Last week, the researcher showed how the first FileFix method worked as an alternative to 'ClickFix' attacks by tricking users into pasting a disguised PowerShell command into the File Explorer address bar. That attack involves a phishing page to trick the victim into copying a malicious PowerShell command. Once they paste it into File Explorer, Windows executes the PowerShell, making it a very subtle attack.

For the new variant, the researcher found that when HTML files are saved as "Webpage, Complete" (with MIME type text/html), they do not receive the MoTW tag, allowing script execution without warnings for the user. This Windows file type can be used to execute HTML and scripting content using the legitimate mshta.exe in the context of the current user.

Although this requires more interaction, if the malicious webpage looks genuine and the user doesn't have a deep understanding of file extensions and security warnings, they could still fall for it. One way around this is by designing a more effective bait, such as a malicious website prompting users to save multi-factor authentication (MFA) codes to maintain future access to a service.

An effective defense strategy against this variant of the FileFix attack is to disable or remove the 'mshta.exe' binary from your environment (found in C:\Windows\System32 and C:\Windows\SysWOW64). Additionally, consider enabling file extension visibility on Windows and blocking HTML attachments on email.

Bill Toulas is a tech writer and infosec news reporter with over a decade of experience working on various online publications, covering open-source, Linux, malware, data breach incidents, and hacks.
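As an added defender-side example (not code from the article or from mr.d0x), the following PowerShell script audits a download folder for HTML/HTA files that carry no Mark of the Web (no Zone.Identifier alternate data stream) and reports whether mshta.exe is still present on the host; the folder path and the list of extensions to check are assumptions.

```powershell
# Added example, not from the article: find script-capable web files that lack MoTW
# and would therefore open in mshta.exe without a security prompt.
# Assumes Windows PowerShell 5.1+ and an NTFS volume; the default folder is an assumption.
param(
    [string]$Folder = (Join-Path $env:USERPROFILE 'Downloads')
)

# Extensions produced by "Webpage, Complete" saves or handled by mshta.exe (assumed list).
$riskyExtensions = @('.hta', '.html', '.htm', '.mht', '.mhtml')

function Get-MotwStatus {
    param([System.IO.FileInfo]$File)
    # Zone.Identifier is the NTFS alternate data stream that carries the Mark of the Web.
    $stream = Get-Item -LiteralPath $File.FullName -Stream 'Zone.Identifier' -ErrorAction SilentlyContinue
    if (-not $stream) {
        return [pscustomobject]@{ Path = $File.FullName; HasMotw = $false; ZoneId = $null }
    }
    $zone = $null
    $content = Get-Content -LiteralPath $File.FullName -Stream 'Zone.Identifier' -ErrorAction SilentlyContinue
    foreach ($line in $content) {
        # ZoneId=3 is the Internet zone; 0/1 (local/intranet) are trusted and give no warning.
        if ($line -match '^ZoneId=(\d+)') { $zone = $Matches[1]; break }
    }
    return [pscustomobject]@{ Path = $File.FullName; HasMotw = $true; ZoneId = $zone }
}

$findings = Get-ChildItem -LiteralPath $Folder -File -Recurse -ErrorAction SilentlyContinue |
    Where-Object { $riskyExtensions -contains $_.Extension.ToLowerInvariant() } |
    ForEach-Object { Get-MotwStatus -File $_ }

# Files with no MoTW, or with a trusted zone, are the ones a FileFix-style lure relies on.
Write-Host "Web files without an effective Mark of the Web under $Folder:"
$findings | Where-Object { -not $_.HasMotw -or $_.ZoneId -in @('0', '1') } | Format-Table -AutoSize

# Confirm whether the article's mitigation (removing or blocking mshta.exe) is in place.
foreach ($p in @("$env:windir\System32\mshta.exe", "$env:windir\SysWOW64\mshta.exe")) {
    $state = if (Test-Path -LiteralPath $p) { 'present' } else { 'absent' }
    Write-Host ("{0}: {1}" -f $p, $state)
}
```

The script only reads the alternate data stream and does not modify any file; pair its output with an AppLocker or WDAC rule for mshta.exe if removal of the binary is not an option.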
Published on www.bleepingcomputer.com, Tue, 01 Jul 2025 16:40:24 +0000.