IT-DRAFTS
July 4, 2025

Ctrl+S to Compromise: FileFix Just Made MoTW Useless Again

hi. ever saved a web page?
of course u did. Ctrl+S, “Webpage, Complete”, hit Enter, done.
innocent?
nope.

welcome to FileFix.
a technique where simply saving a web page hands attackers the perfect entry — no exploits, no shellcode, just old-school HTML and Windows doing Windows things.

FileFix: the ‘save as’ that opens Pandora’s browser

the technique comes from researcher mr.d0x — yeah, the same mind behind ClickFix, SearchApp ab00se, and one‑liners that make red teamers cry with joy.

the trick?
Windows assigns a Mark of the Web (MoTW) to files downloaded from the internet. that tag blocks dangerous stuff — scripts, macros, ActiveX.
but there’s a catch…

if the user saves the page manually via “Webpage, Complete” (.html), MoTW isn’t applied at all.

combine that with some JScript inside a disguised .HTA file, and boom — no warnings, no UAC, no detection.

how it works: in plain English (and some PowerShell)

  1. a phishing page lures the victim. looks like something they trust.
    maybe a site offering to save MFA backup codes 🤨

  2. it says: “hit Ctrl+S and save this page as MfaBackupCodes2025.hta”

  3. Windows saves it with MIME type text/html, but no MoTW

  4. user opens the .hta

  5. mshta.exe executes embedded JScript

  6. payload runs with user privileges — no prompt, no alert

  7. game over.

this variant doesn’t rely on any 0day. it relies on something worse:
users doing what they’re told.

why mshta.exe is the real villain here

mshta.exe is one of those old Windows binaries nobody asked for but everyone inherits.
it executes HTA (HTML Application) files with embedded script, like JScript or VBScript.

technically deprecated.
practically still there.
and still whitelisted in tons of environments.

located at:

  • C:\Windows\System32\mshta.exe

  • C:\Windows\SysWOW64\mshta.exe

Defender? often misses it.
AppLocker? only blocks it if explicitly set.
EDR? if it spawns PowerShell silently, might slip through.

the real genius: social engineering over 0day

this attack isn’t about exploits. it’s about user behavior:

“Save this page for future access to your security tokens.”
“Download MFA backup now to avoid loss.”

when a page looks like an internal portal, or a legit MFA page, most users won’t think twice.

no phishing links, no macro alerts, just Ctrl+S.
and they help you infect them.

how to break the attack chain

this one’s rough, but here’s what actually helps:

✅ remove mshta.exe
delete or rename it. it breaks legacy, but blocks this entirely.

✅ show file extensions
prevents the double-extension disguise, like Report.pdf.hta showing up as “Report.pdf”

✅ block HTML attachments in email clients
yes, even .mhtml and .hta in M365 and Outlook

✅ enable Attack Surface Reduction rules
especially:

  • Block executable content from email/webmail

  • Use advanced protection against ransomware

✅ teach users to never rename files to .hta
(or better, disable .hta association entirely)
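to see how much of that list is actually in place on a box, here’s a read-only audit script i’d run (added here, not part of the original post or mr.d0x’s research). it assumes Defender is installed for the ASR check; the two GUIDs are Microsoft’s documented ids for the rules named above, and the hunt for .hta files without a Zone.Identifier stream is how you spot files that were saved, not downloaded:

```powershell
# Added audit script (not from the original post). Read-only: reports which
# FileFix mitigations are in place and flags .hta files with no Mark of the Web.
# Run elevated so Get-MpPreference works. Assumes Microsoft Defender is present.

$asrRules = @{
    'BE9BA2D9-53EA-4CDD-84E5-9B1EEEE46550' = 'Block executable content from email client and webmail'
    'C1DB55AB-C21A-4637-BB3F-A12568109D35' = 'Use advanced protection against ransomware'
}

# 1. are file extensions hidden? (hidden = Report.pdf.hta looks like a PDF)
$adv = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
$hideExt = (Get-ItemProperty $adv -ErrorAction SilentlyContinue).HideFileExt
"[{0}] show file extensions" -f $(if ($hideExt -eq 0) { 'OK' } else { 'FAIL' })

# 2. is .hta still associated with a handler (normally 'htafile' -> mshta.exe)?
$htaHandler = (Get-ItemProperty 'Registry::HKEY_CLASSES_ROOT\.hta' -ErrorAction SilentlyContinue).'(default)'
"[{0}] .hta association (handler: '{1}')" -f $(if ($htaHandler) { 'FAIL' } else { 'OK' }), $htaHandler

# 3. is mshta.exe still present in either location the post lists?
foreach ($p in "$env:SystemRoot\System32\mshta.exe", "$env:SystemRoot\SysWOW64\mshta.exe") {
    "[{0}] {1}" -f $(if (Test-Path $p) { 'FAIL' } else { 'OK' }), $p
}

# 4. are the two ASR rules in Block mode? (action 1 = Block, 2 = Audit, 0 = Off)
$pref = Get-MpPreference -ErrorAction SilentlyContinue
$asrState = @{}
for ($k = 0; $k -lt $pref.AttackSurfaceReductionRules_Ids.Count; $k++) {
    $asrState[$pref.AttackSurfaceReductionRules_Ids[$k]] = $pref.AttackSurfaceReductionRules_Actions[$k]
}
foreach ($id in $asrRules.Keys) {
    $state = if ($asrState[$id] -eq 1) { 'OK' } else { 'FAIL' }
    "[{0}] ASR: {1}" -f $state, $asrRules[$id]
}

# 5. hunt for .hta files in the profile that carry no Zone.Identifier stream.
#    A downloaded file gets one (MoTW); a Ctrl+S "Webpage, Complete" save does not.
Get-ChildItem $env:USERPROFILE -Recurse -Filter *.hta -File -ErrorAction SilentlyContinue |
    Where-Object { -not (Get-Item $_.FullName -Stream Zone.Identifier -ErrorAction SilentlyContinue) } |
    ForEach-Object { "[WARN] .hta with no Mark of the Web: $($_.FullName)" }
```

every FAIL line maps back to one of the checkmarks above; a WARN line is a file worth pulling for a look before a user double-clicks it.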

TL;DR: it’s 2025 and HTA files still kill networks

no RCE. no malware dropper. no LOLBin combo.
just HTML + user + trust + old Windows quirks.

FileFix is scary because it feels legit. it uses UI.
it asks users to do something that feels helpful.
but behind that? it’s mshta.exe, powershell, and privilege in plain sight.

watch your saves.
watch your scripts.
and maybe, just maybe — kill mshta before it kills you.
