FileFix Attack Advisory for Windows Server Environments


Overview
The FileFix attack is a social engineering technique that sidesteps Windows' Mark-of-the-Web (MoTW) protections rather than breaking them. It abuses how browsers handle HTML content that the user saves: when a page is saved as "Webpage, Complete" or "Single File", the browser does not write the Zone.Identifier stream that normally tags downloaded content, so SmartScreen and other MoTW-aware checks never fire. If the phishing page has talked the user into saving it under a name ending in .HTA (HTML Application), double-clicking the file hands it to mshta.exe, which executes the embedded script without any security warning.
Technical Description
A typical FileFix chain looks like this:
- The phishing page is served as text/html, which is what keeps the browser from applying MoTW when the page is saved, and it instructs the user to save the page (for example with Ctrl+S) under a filename ending in .hta, usually dressed up as a document or invoice.
- The saved file carries no Zone.Identifier stream, so Windows treats it as local content.
- When the user opens it, the .hta is run by mshta.exe, which executes the JScript embedded in the page; in practice this is used to launch PowerShell or another second stage.
- Explorer's default of hiding known file extensions, combined with a misleading filename, masks the fact that the file is an HTML Application rather than a document.
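As an added illustration (not part of the original advisory), the PowerShell below shows how to check whether a saved file actually carries MoTW, which is the NTFS `Zone.Identifier` alternate data stream that SmartScreen and Office Protected View consult, and how to put that stream back on a file that arrived without it. The Downloads path and the extension list are assumptions for illustration.

```powershell
# Added example (not from the advisory): inspect and, if needed, apply the
# Mark-of-the-Web on a file. MoTW is the NTFS alternate data stream
# "Zone.Identifier"; SmartScreen and Office Protected View key off it.
# The Downloads path and the extension list below are illustrative assumptions.

function Get-MarkOfTheWeb {
    param([Parameter(Mandatory)][string]$Path)

    $file = Get-Item -LiteralPath $Path -ErrorAction Stop
    # Every file has the unnamed ":$DATA" stream; MoTW is the extra named one.
    $streams = Get-Item -LiteralPath $file.FullName -Stream * | Select-Object -ExpandProperty Stream
    if ($streams -notcontains 'Zone.Identifier') {
        return [pscustomobject]@{ Path = $file.FullName; HasMotw = $false; ZoneId = $null; ReferrerUrl = $null; HostUrl = $null }
    }

    # The stream is an INI-style text block:
    #   [ZoneTransfer]
    #   ZoneId=3
    #   ReferrerUrl=https://...
    #   HostUrl=https://...
    $raw = Get-Content -LiteralPath $file.FullName -Stream Zone.Identifier -Raw
    $fields = @{}
    foreach ($line in ($raw -split "`r?`n")) {
        if ($line -match '^\s*([^=\[\]]+?)\s*=\s*(.*)$') { $fields[$Matches[1]] = $Matches[2] }
    }
    [pscustomobject]@{
        Path        = $file.FullName
        HasMotw     = $true
        ZoneId      = if ($fields.ContainsKey('ZoneId')) { [int]$fields['ZoneId'] } else { $null }  # 3 = Internet, 4 = Restricted
        ReferrerUrl = $fields['ReferrerUrl']
        HostUrl     = $fields['HostUrl']
    }
}

function Set-MarkOfTheWeb {
    # Re-tag a file that arrived without MoTW (e.g. saved with Ctrl+S) so that
    # SmartScreen and Protected View treat it as Internet-zone content.
    # Only works on NTFS volumes, which is where the stream lives.
    param([Parameter(Mandatory)][string]$Path, [int]$ZoneId = 3)
    $content = "[ZoneTransfer]`r`nZoneId=$ZoneId`r`n"
    Set-Content -LiteralPath $Path -Stream Zone.Identifier -Value $content -NoNewline
}

# Usage: audit what a user saved into Downloads (assumed location) and report
# files with a script/executable extension that carry no MoTW at all.
$risky = '.hta', '.html', '.htm', '.mht', '.mhtml', '.js', '.vbs', '.ps1', '.exe', '.lnk'
Get-ChildItem -LiteralPath "$env:USERPROFILE\Downloads" -File -Recurse |
    Where-Object { $risky -contains $_.Extension.ToLower() } |
    ForEach-Object { Get-MarkOfTheWeb -Path $_.FullName } |
    Where-Object { -not $_.HasMotw } |
    Format-Table Path, HasMotw, ZoneId -AutoSize
```

A missing stream is exactly what a FileFix-saved .hta looks like, but it is also what any locally created file or anything copied from a FAT/exFAT volume looks like, so absence of MoTW is a lead to triage, not proof of attack. `Unblock-File` is the inverse of `Set-MarkOfTheWeb`: it deletes the stream.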
Impact
Potential consequences include data breaches, privilege escalation, malware installation, and unauthorized access to sensitive systems. The attack relies heavily on user interaction and social engineering, making awareness and technical controls critical.
Recommended Actions
- Disable or restrict execution of mshta.exe using AppLocker or Windows Defender Application Control (WDAC)
- Block .HTA, .HTML, and .HTM attachments at the email gateway
- Ensure file extensions are visible in Windows Explorer to prevent disguised file execution
- Educate users on the risks of saving and renaming files from untrusted sources
- Monitor for suspicious execution of mshta.exe and PowerShell via endpoint detection and response (EDR) tools
- Upgrade unsupported Windows Server versions to 2016, 2019, or 2022
- Enable Safe Documents and disable click-through for malicious files in Office 365 environments
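The following PowerShell is an added example, not part of the advisory, that implements the first and third recommendations above: it builds an AppLocker publisher rule that denies mshta.exe for everyone (a publisher rule still matches if the binary is copied to another folder, which a path rule would not), tests the fragment before merging it into the local policy in audit mode, and turns off Explorer's hiding of known file extensions. Run it elevated. The rule names, output path and the audit-first default are assumptions for illustration.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the advisory). Rule name, output path and the
# audit-only default are illustrative assumptions.
Import-Module AppLocker

function New-MshtaDenyPolicyXml {
    param(
        [string]$Binary = "$env:SystemRoot\System32\mshta.exe",
        [ValidateSet('AuditOnly', 'Enabled')][string]$EnforcementMode = 'AuditOnly'
    )
    # Pull the signer details AppLocker itself would use instead of hardcoding them.
    $info = Get-AppLockerFileInformation -Path $Binary
    if (-not $info.Publisher) { throw "$Binary is not signed; fall back to a hash rule." }
    $p = $info.Publisher

    # S-1-1-0 is Everyone. A Deny rule wins over any Allow rule in the same collection.
@"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="$EnforcementMode">
    <FilePublisherRule Id="$([guid]::NewGuid())" Name="Deny mshta.exe (FileFix)" Description="Blocks the HTML Application host" UserOrGroupSid="S-1-1-0" Action="Deny">
      <Conditions>
        <FilePublisherCondition PublisherName="$($p.PublisherName)" ProductName="$($p.ProductName)" BinaryName="$($p.BinaryName)">
          <BinaryVersionRange LowSection="*" HighSection="*" />
        </FilePublisherCondition>
      </Conditions>
    </FilePublisherRule>
  </RuleCollection>
</AppLockerPolicy>
"@
}

function Install-MshtaDenyPolicy {
    param([string]$OutFile = "$env:TEMP\deny-mshta.xml", [switch]$Enforce)

    # Guard against the classic AppLocker footgun: once an Exe collection holds any
    # rule, everything not explicitly allowed is denied. Refuse to merge a Deny-only
    # fragment unless the local policy already carries Exe Allow rules (the defaults).
    [xml]$local = Get-AppLockerPolicy -Local -Xml
    $exeAllow = @($local.AppLockerPolicy.RuleCollection |
        Where-Object { $_.Type -eq 'Exe' } |
        ForEach-Object { $_.ChildNodes } |
        Where-Object { $_.Action -eq 'Allow' })
    if ($exeAllow.Count -eq 0) {
        throw 'No Exe Allow rules in the local policy; create the default rules first, otherwise everything but this Deny rule is blocked.'
    }

    $mode = if ($Enforce) { 'Enabled' } else { 'AuditOnly' }
    New-MshtaDenyPolicyXml -EnforcementMode $mode | Set-Content -LiteralPath $OutFile -Encoding UTF8

    # Dry run against the fragment alone: mshta.exe comes back Denied, notepad.exe
    # comes back DeniedByDefault, which is exactly why the merge guard above exists.
    Test-AppLockerPolicy -XmlPolicy $OutFile -Path "$env:SystemRoot\System32\mshta.exe", "$env:SystemRoot\System32\notepad.exe" -User Everyone |
        Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize

    Set-AppLockerPolicy -XmlPolicy $OutFile -Merge
    # AppLocker enforces nothing unless the Application Identity service runs; it is a
    # protected service, so configure it with sc.exe rather than Set-Service.
    sc.exe config appidsvc start= auto | Out-Null
    Start-Service AppIDSvc
}

function Show-FileExtensions {
    # Explorer hides known extensions by default, so "invoice.pdf.hta" displays as
    # "invoice.pdf". This is a per-user value; push it via Group Policy fleet-wide.
    Set-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced' -Name HideFileExt -Value 0 -Type DWord
    Stop-Process -Name explorer -Force   # Explorer restarts and picks up the new value
}

# Usage: audit first, review the AppLocker event log (8003 = would have been blocked),
# then rerun with -Enforce once legacy .hta dependencies are known.
Install-MshtaDenyPolicy
Show-FileExtensions
```

In audit mode AppLocker logs what it would have blocked to the "AppLocker/EXE and DLL" event log instead of blocking it, which is the data needed to find the legacy HTA dependencies the table below warns about before switching to `-Enforce`. For domain-joined servers the same XML can be imported into a GPO; the local merge shown here is the single-host variant.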
Potential Consequences of Recommended Actions
| Recommendation | Potential consequences |
|---|---|
| Disable or restrict mshta.exe using AppLocker or WDAC | May break legacy applications or scripts that rely on .HTA files or mshta.exe. Requires thorough testing (audit mode first) before deployment. |
| Block .HTA, .HTML, and .HTM attachments at the email gateway | Could prevent legitimate business communications that include HTML content (e.g., newsletters, reports). May require allow-listing trusted sources. |
| Ensure file extensions are visible in Windows Explorer | Slightly increases visual clutter for users. Some users may find it confusing if unfamiliar with file types. |
| Educate users on the risks of saving and renaming files | Requires time and resources for training. Effectiveness depends on user engagement and retention. |
| Monitor suspicious execution of mshta.exe and PowerShell via EDR tools | May generate false positives, requiring tuning of detection rules. Increases workload for security teams. |
| Upgrade unsupported Windows Server versions | Involves cost, planning, and potential downtime. Legacy applications may need updates or replacements. |
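The monitoring row above mentions tuning; the PowerShell below, an added example rather than anything from the advisory, is a starting point for that tuning. It hunts the Security log for the two process patterns a FileFix-style run produces: mshta.exe started with an .hta from a user-writable folder, and mshta.exe spawning a shell. It relies on event 4688 with "Include command line in process creation events" enabled; with Sysmon installed the same logic applies to Event ID 1 using the `Image`, `ParentImage` and `CommandLine` fields. The lookback window, path fragments and shell list are assumptions for illustration, and reading the Security log requires elevation.

```powershell
# Added example (not from the advisory): triage mshta.exe activity from Security
# event 4688. Lookback window, path fragments and shell list are illustrative
# assumptions; tune them to the environment.

function Get-MshtaSuspects {
    param(
        [datetime]$Since = (Get-Date).AddDays(-1),
        [string[]]$UserWritable = @('\Users\', '\Temp\', '\Downloads\', '\AppData\', '\ProgramData\'),
        [string[]]$Shells = @('powershell.exe', 'pwsh.exe', 'cmd.exe', 'wscript.exe', 'cscript.exe', 'rundll32.exe')
    )
    # Match "\<shell>.exe" at the end of NewProcessName; -match is case-insensitive by default.
    $shellRegex = '\\(' + (($Shells | ForEach-Object { [regex]::Escape($_) }) -join '|') + ')$'

    $events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688; StartTime = $Since } -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        # 4688 stores its fields as <Data Name="...">; pull them into a hashtable.
        $x = [xml]$e.ToXml()
        $d = @{}
        foreach ($node in $x.Event.EventData.Data) { $d[$node.Name] = $node.'#text' }

        $proc   = [string]$d['NewProcessName']
        $parent = [string]$d['ParentProcessName']
        $cmd    = [string]$d['CommandLine']
        $reason = $null

        if ($proc -match '\\mshta\.exe$') {
            if (-not $cmd) {
                # Without command-line auditing every mshta start is all we can see;
                # still worth a look, mshta is rare on most servers.
                $reason = 'mshta.exe started (command line logging disabled)'
            } elseif ($cmd -match '\.hta\b' -and ($UserWritable | Where-Object { $cmd -like "*$_*" })) {
                $reason = 'mshta.exe launched an .hta from a user-writable path'
            } elseif ($cmd -match 'https?://|javascript:|vbscript:') {
                $reason = 'mshta.exe given a URL or inline script'
            }
        } elseif ($parent -match '\\mshta\.exe$' -and $proc -match $shellRegex) {
            $reason = 'mshta.exe spawned a shell'
        }

        if ($reason) {
            [pscustomobject]@{
                Time    = $e.TimeCreated
                User    = $d['SubjectUserName']
                Process = $proc
                Parent  = $parent
                Command = $cmd
                Reason  = $reason
            }
        }
    }
}

# Usage: run on the host or via Invoke-Command against a batch of servers.
Get-MshtaSuspects | Sort-Object Time | Format-Table -Wrap -AutoSize
```

The "spawned a shell" pattern is the high-confidence one: a document a user just saved should never produce a powershell.exe child of mshta.exe. The "user-writable path" pattern is where the false positives the table warns about come from, so build an allow-list of known legacy .hta locations before alerting on it.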
Written by Kaustubh Sharma