FileFix: A Dangerous Twist on ClickFix Phishing Attacks
A new phishing technique called FileFix is drawing attention across the cybersecurity world. Unveiled by researcher mr.d0x, the method builds upon the established ClickFix attack and introduces a novel way to execute malicious code—this time through the Windows File Explorer address bar.
Unlike browser-based ClickFix campaigns that require users to paste copied commands into PowerShell or terminal windows, FileFix uses a native and familiar Windows interface, making the attack feel less suspicious and more convincing to the average user.
How FileFix Works Through File Explorer
The FileFix method relies heavily on social engineering tactics to mislead users. It starts with a phishing page designed to look like a legitimate prompt—often framed as a system error or verification issue. Users are encouraged to upload a file as part of the process. However, the phishing page has been deliberately coded to intercept and block the file selection action. When a user attempts to upload a file, the page immediately clears the file input, so no upload ever takes place.
To maintain the illusion, an alert then appears, informing the user that the process failed due to incorrect steps and instructing them to try again. This time, however, the user is guided to copy a specific command and paste it directly into the Windows File Explorer address bar. Unlike more technical environments like PowerShell, the Explorer address bar feels familiar and unintimidating, reducing the likelihood of hesitation or suspicion.
Once the command is entered, it executes as if it were a file path, allowing the attacker to run malicious code seamlessly. This clever manipulation turns a basic Windows utility into a reliable entry point for malware without triggering immediate red flags.
Why FileFix Increases the Risk of Successful Exploits
In previous ClickFix campaigns, attackers often relied on pushing users toward PowerShell or terminal environments, where a user might hesitate. FileFix shifts that to File Explorer, which has lower friction and is familiar to almost everyone.
“I believe FileFix will soon be adopted by threat actors due to its simplicity and use of a well-known Windows utility,” said mr.d0x, speaking to BleepingComputer.
A Proven Track Record: ClickFix Campaigns Already in the Wild
ClickFix is not theoretical—it has already been used in real-world campaigns:
- State-sponsored hackers, including North Korea’s Kimsuky group, have used ClickFix in PDF-based attacks to trick victims into running PowerShell commands under the guise of security checks.
- Microsoft previously observed campaigns where attackers impersonated Booking.com to target hospitality industry workers with malware-laced ClickFix pages.
- The technique has even been adapted for Linux systems, prompting users to paste shell commands copied from malicious sites into Run dialogs.
These examples show how attackers weaponize trust and familiarity, using everyday actions—copy, paste, upload—to compromise entire systems.
Why FileFix Is More Concerning for Enterprises
The appeal of FileFix is its low technical barrier and reliance on standard Windows behavior. No downloads or exploit kits are required. That makes it highly attractive to cybercriminals looking to expand phishing campaigns quickly.
For enterprises, this introduces new risks:
- Even well-trained employees might fall for the ruse, especially if it mimics help desk processes.
- Endpoint security tools may not flag File Explorer actions as suspicious.
- The simplicity makes it easy to deploy in high-volume phishing campaigns.
Mitigation Measures Against ClickFix and FileFix
Organizations should immediately review and strengthen defenses against evolving phishing threats like FileFix. Key steps include:
- Training staff to never paste commands into unfamiliar interfaces, including File Explorer.
- Configuring security tools to monitor command execution paths, especially from non-standard entry points.
- Blocking clipboard-based and browser-initiated scripts that can pass commands to system components.
- Using endpoint detection and response (EDR) tools capable of detecting the misuse of legitimate utilities like File Explorer or PowerShell.
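As an added example (not code from the article or from mr.d0x), the following Python sketch of the monitoring step above flags process-creation events in which explorer.exe launches a command interpreter with arguments, which is what a command pasted into the address bar produces; the Sysmon-style field names, the interpreter watch-list and the sample events are assumptions.

```python
# Added example, not from the article or mr.d0x: a minimal detection rule for
# FileFix-style abuse of the File Explorer address bar. A command pasted there is
# launched by explorer.exe, so the rule flags explorer.exe spawning a command
# interpreter WITH arguments; a bare launch (user opening a terminal) is ignored.
# Field names follow a Sysmon Event ID 1 style export (an assumption).

INTERPRETERS = {"powershell.exe", "pwsh.exe", "cmd.exe"}  # assumed watch-list

def basename(path):
    # Last path component, lower-cased, so comparisons ignore install location.
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def args_after_image(cmdline):
    # Arguments following the executable token; handles a leading quoted path.
    cmdline = cmdline.strip()
    if cmdline.startswith('"'):
        end = cmdline.find('"', 1)
        return cmdline[end + 1:].strip() if end != -1 else ""
    parts = cmdline.split(None, 1)
    return parts[1].strip() if len(parts) > 1 else ""

def is_filefix_candidate(event):
    # True when explorer.exe spawns an interpreter with a non-empty argument list.
    if basename(event["ParentImage"]) != "explorer.exe":
        return False
    if basename(event["Image"]) not in INTERPRETERS:
        return False
    return args_after_image(event["CommandLine"]) != ""

def scan(events):
    # Subset of events the rule hands to an analyst for review.
    return [e for e in events if is_filefix_candidate(e)]

PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
EXPLORER = r"C:\Windows\explorer.exe"
# Constructed sample events; paths and command lines are illustrative only.
SAMPLE_EVENTS = [
    {"ParentImage": EXPLORER, "Image": PS, "CommandLine": "powershell.exe"},  # terminal opened
    {"ParentImage": EXPLORER, "Image": PS,                                    # address-bar launch
     "CommandLine": f'"{PS}" -NoProfile -Command "Get-Date"'},
    {"ParentImage": r"C:\Program Files\Chrome\chrome.exe",                    # parent not explorer
     "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe /c echo hello"},
    {"ParentImage": EXPLORER, "Image": r"C:\Windows\System32\notepad.exe",    # not an interpreter
     "CommandLine": "notepad.exe report.txt"},
    {"ParentImage": EXPLORER, "Image": r"C:\Windows\System32\cmd.exe",        # address-bar launch
     "CommandLine": "cmd.exe /c echo FileFix-sample"},
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print("FLAGGED:", hit["CommandLine"])
```

Explorer also launches interpreters legitimately (shortcuts, logon scripts), so treat hits as triage candidates and tune the watch-list to the environment.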
Security teams must now account for these tactics in user awareness programs, rather than focusing only on blocking malicious file attachments or fake login screens.