FileFix Attack Exploits Windows Browser Features to Bypass Mark-of-the-Web Protection
A sophisticated new variation of cyberattack emerged in July 2025, exploiting a critical weakness in how Chrome and Microsoft Edge handle saving webpages to disk.
The attack, dubbed “FileFix 2.0,” bypasses Windows’ Mark of the Web (MOTW) security feature by combining the browsers’ legitimate save mechanism with HTML Application (HTA) execution.
The discovery comes amid a dramatic surge in social engineering attacks this year.
According to the latest ESET Threat Report, ClickFix attacks, the predecessor to FileFix, skyrocketed by 517% in the first half of 2025, becoming the second most common attack vector after phishing and accounting for nearly 8% of all blocked attacks.
This explosive growth demonstrates a growing reliance by threat actors on psychological manipulation rather than purely technical exploits.
The new attack variant exploits a previously unknown behavior in Chrome and Microsoft Edge.
When a user saves a page with Ctrl+S and the “Webpage, Single File” or “Webpage, Complete” format selected, content served with an HTML or XHTML+XML MIME type is written to disk without MOTW, the Windows marking that triggers warnings about potentially dangerous files downloaded from the internet.
Cybersecurity researcher mr.d0x, who first documented the original FileFix attack, has now revealed this more insidious variation that combines browser functionality with HTML Applications (HTA) files.
Unlike traditional malware delivery methods, this technique doesn’t require victims to disable security features or ignore warning messages.
Social Engineering Through Fake Backup Codes
The attack’s social engineering component is particularly clever. Threat actors create legitimate-looking websites that mimic popular online services, displaying what appears to be multi-factor authentication backup codes.
The pages instruct users to save the codes locally using Ctrl+S, specifically naming the file with a “.hta” extension for “proper storage”.
The deceptive interface presents familiar elements styled to resemble Google or Microsoft authentication pages, complete with numbered backup codes and professional instructions.

Victims, believing they’re securely storing necessary security credentials, unknowingly download and execute malicious HTML Applications that can run arbitrary commands on their systems.
MOTW traditionally serves as Windows’ first line of defense against internet-downloaded threats: when a file carries the mark, Windows displays security warnings or blocks execution entirely.
The FileFix 2.0 technique circumvents this protection through legitimate browser behavior. The weakness lies in how the browsers treat specific MIME types during the save operation.
While most saved file types receive MOTW, HTML and XHTML+XML content saved through the browser’s “Save As” function bypasses the mark entirely. The result is an execution path that looks legitimate to both security software and users.
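MOTW is stored as an NTFS alternate data stream named Zone.Identifier, so the simplest way to see the behavior described above is to look for that stream on files the browser has just saved. The following PowerShell function is an added example for this article, not code from the original write-up or from mr.d0x; it assumes an NTFS volume, Windows PowerShell 5.1 or PowerShell 7 on Windows, and the illustrative folder path and extension list shown in the parameters.

```powershell
# Added example: audit a folder for files that lack the Zone.Identifier stream (no MOTW).
# Assumptions: NTFS, Windows PowerShell 5.1 / PowerShell 7 on Windows; the default
# extension list and the Downloads path in the usage line are illustrative only.

function Get-MotwStatus {
    param(
        [Parameter(Mandatory)] [string] $Path,
        # Extensions the article is concerned with: .hta runs under mshta.exe, and
        # .htm/.html/.xhtml are what the browser saves without the mark.
        [string[]] $RiskyExtensions = @('.hta', '.htm', '.html', '.xhtml')
    )

    Get-ChildItem -LiteralPath $Path -File -Recurse | ForEach-Object {
        $file    = $_
        $zoneId  = $null
        $hostUrl = $null

        # Zone.Identifier is an INI-style blob: [ZoneTransfer] / ZoneId=3 / HostUrl=...
        # Get-Content fails when the stream is absent, which is exactly the "no MOTW" case.
        try {
            $stream = Get-Content -LiteralPath $file.FullName -Stream Zone.Identifier -ErrorAction Stop
            foreach ($line in $stream) {
                if ($line -match '^ZoneId=(\d+)')  { $zoneId  = [int]$Matches[1] }
                if ($line -match '^HostUrl=(.+)$') { $hostUrl = $Matches[1] }
            }
        } catch {
            # No Zone.Identifier stream: the file will open without any MOTW prompt.
        }

        $ext = $file.Extension.ToLower()
        [pscustomobject]@{
            File          = $file.FullName
            Extension     = $ext
            ZoneId        = $zoneId      # 3 = Internet, 4 = Restricted, $null = no mark
            HostUrl       = $hostUrl
            LastWriteTime = $file.LastWriteTime
            # A file Windows will hand to a script host or browser, with nothing to warn about.
            Suspicious    = ($null -eq $zoneId) -and ($RiskyExtensions -contains $ext)
        }
    }
}

# Usage: show unmarked HTML/HTA files in the current user's Downloads folder, newest first.
Get-MotwStatus -Path "$env:USERPROFILE\Downloads" |
    Where-Object { $_.Suspicious } |
    Sort-Object LastWriteTime -Descending |
    Format-Table LastWriteTime, File, ZoneId -AutoSize
```

Any file authored locally also lacks the stream, so the Suspicious flag is a triage cue rather than a verdict: an .hta in Downloads with no ZoneId, written minutes after a browser session, is the pattern this article describes, while a marked file (ZoneId 3 with a HostUrl) is one the browser handled the ordinary way.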
HTA Files: A Persistent Attack Vector
HTML Applications are a legacy Windows feature that continues to pose security risks in 2025.
These files run outside the browser sandbox with the full privileges of the user who opens them, essentially functioning as desktop applications with HTML-based interfaces. Despite their age, HTA files remain supported on all Windows versions, including Windows 11.
Recent cybersecurity research indicates renewed interest in HTA-based attacks among threat actors.
The Hancitor malware family and various nation-state groups have incorporated HTA files into their attack chains, leveraging the format’s ability to execute PowerShell commands, download additional payloads, and establish persistent access to compromised systems.
The attack methodology extends beyond traditional webpage saving. Researchers have demonstrated that Data URIs containing HTML content with text/html MIME types also bypass MOTW protection when saved through browsers.
This technique allows attackers to embed malicious content directly within URLs, creating self-contained attack vectors that require no external hosting infrastructure.
The FileFix family represents part of a broader evolution in social engineering tactics. The original ClickFix technique, which tricks users into executing malicious PowerShell commands disguised as troubleshooting steps, has spawned numerous variants targeting different operating systems and attack scenarios.
Security researchers note that ClickFix builders, tools that automate the creation of these attacks, are now actively sold in cybercriminal marketplaces.
This commoditization has lowered the barrier to entry for less technically sophisticated threat actors while increasing the overall volume of attacks.
Cybersecurity professionals recommend several immediate defensive actions. Organizations should consider removing or restricting the mshta.exe executable that processes HTA files, though this may impact legitimate business applications that rely on HTML Applications.
Additional protective measures include implementing application whitelisting, enhancing user education about social engineering tactics, and deploying endpoint detection systems capable of identifying suspicious HTA execution patterns.
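The last recommendation, detecting suspicious HTA execution, comes down to watching what mshta.exe is asked to run. The script below is an added example for this article, not code from the original write-up or from mr.d0x. It evaluates process-creation records shaped like Sysmon Event ID 1 (Image, CommandLine, ParentImage, User are assumed field names) and flags the FileFix 2.0 pattern: mshta.exe opening an .hta that sits in a user-writable profile path. The three sample records are constructed for the demo, not captured from an incident.

```powershell
# Added example: flag mshta.exe launches matching the FileFix 2.0 pattern.
# Assumptions: records carry Sysmon Event ID 1 style fields (Image, CommandLine,
# ParentImage, User); the sample records at the bottom are constructed, not real telemetry.

function Test-HtaLaunch {
    param(
        [Parameter(Mandatory, ValueFromPipeline)] [pscustomobject] $Record
    )
    process {
        # Only mshta.exe is of interest; other processes produce no output.
        if ($Record.Image -notmatch '\\mshta\.exe$') { return }

        # Strip the executable (quoted or bare) so only the arguments remain.
        $argString = $Record.CommandLine -replace '^\s*"?[^"]*mshta\.exe"?\s*', ''
        $target = if ($argString -match '^"([^"]+)"') { $Matches[1] } else { ($argString -split '\s+')[0] }

        $reasons = @()
        # FileFix 2.0 ends with the victim opening an .hta the browser saved into their own profile.
        if ($target -match '^[a-z]:\\Users\\[^\\]+\\(Downloads|Desktop|Documents|AppData)\\') {
            $reasons += 'HTA executed from a user-writable profile path'
        }
        # Legitimate line-of-business HTAs are local files; a URL or inline script argument is not that.
        if ($target -match '^(https?:|javascript:|vbscript:)') {
            $reasons += 'mshta.exe given a URL or inline script rather than a local .hta'
        }

        [pscustomobject]@{
            User       = $Record.User
            Parent     = $Record.ParentImage
            Target     = $target
            Suspicious = $reasons.Count -gt 0
            Reasons    = $reasons -join '; '
        }
    }
}

# Constructed sample records (assumption: shaped like Sysmon Event ID 1 fields).
$SampleEvents = @(
    [pscustomobject]@{
        Image       = 'C:\Windows\System32\mshta.exe'
        CommandLine = '"C:\Windows\System32\mshta.exe" "C:\Users\alice\Downloads\backup-codes.hta"'
        ParentImage = 'C:\Windows\explorer.exe'
        User        = 'CORP\alice'
    },
    [pscustomobject]@{
        Image       = 'C:\Windows\System32\mshta.exe'
        CommandLine = '"C:\Windows\System32\mshta.exe" "C:\Program Files\LegacyApp\console.hta"'
        ParentImage = 'C:\Program Files\LegacyApp\launcher.exe'
        User        = 'CORP\bob'
    },
    [pscustomobject]@{
        Image       = 'C:\Windows\System32\notepad.exe'
        CommandLine = 'notepad.exe C:\Users\alice\Downloads\codes.txt'
        ParentImage = 'C:\Windows\explorer.exe'
        User        = 'CORP\alice'
    }
)

$SampleEvents | Test-HtaLaunch | Format-Table User, Parent, Target, Suspicious, Reasons -AutoSize
```

Run against the constructed records, the first is flagged (an .hta under Downloads), the second is reported but not flagged (a local HTA under Program Files, the kind of legitimate use the article warns a blanket mshta.exe block would break), and the notepad record produces no row. On a live host the same function can be fed records pulled from the Sysmon operational log with Get-WinEvent once the EventData fields are mapped to the property names used here; where mshta.exe has no business use at all, an AppLocker or WDAC rule that denies it outright removes the need for detection.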
FileFix 2.0 represents a concerning evolution in social engineering attacks, demonstrating how threat actors continue to find novel ways to bypass security controls through creative exploitation of legitimate system features.
As the cybersecurity community grapples with AI-enhanced threats and increasingly sophisticated social engineering campaigns, this discovery underscores the critical importance of defense-in-depth strategies that address both technical vulnerabilities and human factors in cybersecurity.
The intersection of legitimate browser functionality with malicious intent creates attack vectors that challenge traditional security assumptions and require adaptive defensive approaches.