Threat actors use social engineering to trick victims into saving and renaming files that later turn malicious.
A newly discovered FileFix attack chain, identified by a security researcher, lets threat actors bypass Windows' Mark of the Web (MoTW) safeguards and execute harmful scripts.
In a ClickFix attack, users are lured by a deceptive web-based error message and asked to complete a reCAPTCHA. This action silently copies malicious code to their clipboard, followed by instructions to run it via the Windows Run prompt.
Last year, GoDaddy reported a massive ClickFix outbreak affecting 6,000+ WordPress sites in just one day. Months later, over 100 car dealership websites were compromised in a supply chain attack involving a third-party domain.
Security researcher "mr.d0x" recently disclosed a phishing technique that convinces users to copy a malicious PowerShell command, which Windows runs once it's pasted into File Explorer.
This technique relies on social engineering to get users to save an HTML page as an .HTA file, which mshta.exe then opens, running the JScript embedded in it.
Mr.d0x discovered a loophole where HTML files saved as “Webpage, Complete” bypass MoTW tagging, allowing scripts to execute without security prompts.
As soon as the victim opens the .HTA file, the embedded malicious script is executed automatically.
For attackers, the toughest part is using social engineering to deceive users into saving and renaming the webpage.
Disabling mshta.exe, showing file extensions, and filtering out HTML email attachments can reduce risk. But the best defense still includes being cautious and maintaining strong cyber hygiene.
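The mitigations above can be partly checked and enforced from PowerShell. The script below is an added example and not part of the article or the researcher's work: it audits the user's Downloads folder (assumed to be the default path under the profile) for HTML and .HTA files that carry no Zone.Identifier stream, which is how MoTW is stored on NTFS, and then turns on display of file extensions in Explorer so that a file saved as "page.hta" is not shown as "page". The `HideFileExt` value and the `-Stream` parameter are real; the function name and report layout are this example's own choices.

```powershell
# Added example (not from the article): audit Downloads for HTML/HTA files that lack
# the Mark of the Web, then make Explorer show file extensions.
$downloads = Join-Path $env:USERPROFILE 'Downloads'   # assumption: default Downloads location

function Get-MotwZoneId {
    # Returns the ZoneId from the Zone.Identifier alternate data stream, or $null when
    # the stream is absent (i.e. the file carries no Mark of the Web).
    param([string]$Path)
    try {
        $stream = Get-Content -LiteralPath $Path -Stream Zone.Identifier -ErrorAction Stop
        # The stream is INI-like text, e.g. "[ZoneTransfer]" followed by "ZoneId=3".
        $line = $stream | Where-Object { $_ -match '^ZoneId=' } | Select-Object -First 1
        if ($line) { return [int]($line -replace '^ZoneId=', '') }
        return $null
    } catch {
        return $null
    }
}

# Report every web-type file and whether it is tagged; a saved-as-"Webpage, Complete"
# page or a renamed .hta will typically show up here as MISSING.
Get-ChildItem -LiteralPath $downloads -File -Recurse -Include *.hta, *.htm, *.html |
    ForEach-Object {
        $zoneId = Get-MotwZoneId -Path $_.FullName
        $status = if ($null -ne $zoneId) { 'present' } else { 'MISSING' }
        [PSCustomObject]@{
            File   = $_.FullName
            ZoneId = $zoneId
            MoTW   = $status
        }
    } | Format-Table -AutoSize

# Show file extensions for the current user so renamed files are visible as what they are.
Set-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced' `
    -Name HideFileExt -Value 0
```

Files reported as MISSING are not automatically malicious; the list is a starting point for triage, and restricting mshta.exe itself is better done centrally with an application control policy such as AppLocker or WDAC than per user.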