hi. ever saved a web page?
of course u did. Ctrl+S, “Webpage, Complete”, hit Enter, done.
innocent?
nope.
welcome to FileFix.
an exploit where saving a web page gives attackers the perfect entry — no exploits, no shellcode, just old-school HTML and Windows doing Windows things.
FileFix: the ‘save as’ that opens Pandora’s browser
the exploit comes from researcher mr.d0x — yeah, the same mind behind ClickFix, SearchApp ab00se, and one‑liners that make red teamers cry with joy.
the trick?
Windows assigns a Mark of the Web (MoTW) to files downloaded from the internet. that tag blocks dangerous stuff — scripts, macros, ActiveX.
but there’s a catch…
if the user saves the file manually as Webpage, Complete (.html) → MoTW doesn’t apply.
combine that with some JScript inside a disguised .HTA file, and boom — no warnings, no UAC, no detection.
how it works: in plain English (and some PowerShell)
-
a phishing page lures the victim. looks like something they trust.
maybe a site offering to save MFA backup codes 🤨 -
it says: “hit Ctrl+S and save this page as
MfaBackupCodes2025.hta” -
Windows saves it with MIME type
text/html, but no MoTW -
user opens the .hta
-
mshta.exe executes embedded JScript
-
payload runs with user privileges — no prompt, no alert
-
game over.
this variant doesn’t rely on any 0day. it relies on something worse:
users doing what they’re told.
why mshta.exe is the real villain here
mshta.exe is one of those old Windows binaries nobody asked for but everyone inherits.
it executes HTA (HTML Application) files with embedded script, like JScript or VBScript.
technically deprecated.
practically still there.
and still whitelisted in tons of environments.
located at:
-
C:\Windows\System32\mshta.exe -
C:\Windows\SysWOW64\mshta.exe
Defender? often misses it.
AppLocker? only blocks it if explicitly set.
EDR? if it spawns PowerShell silently, might slip through.
the real genius: social engineering over 0day
this attack isn’t about exploits. it’s about user behavior:
“Save this page for future access to your security tokens.”
“Download MFA backup now to avoid loss.”
when a page looks like an internal portal, or a legit MFA page, most users won’t think twice.
no phishing links, no macro alerts, just Ctrl+S.
and they help you infect them.
how to break the attack chain
this one’s rough, but here’s what actually helps:
✅ remove mshta.exe
delete or rename it. it breaks legacy, but blocks this entirely.
✅ show file extensions
prevent .hta disguise like Report.pdf.hta
✅ block HTML attachments in email clients
yes, even .mhtml and .hta in M365 and Outlook
✅ enable Attack Surface Reduction rules
especially:
-
Block executable content from email/webmail -
Use advanced protection against ransomware
✅ teach users to never rename files to .hta
(or better, disable .hta association entirely)
TL;DR: it’s 2025 and HTA files still kill networks
no RCE. no malware dropper. no LOLBin combo.
just HTML + user + trust + old Windows quirks.
FileFix is scary because it feels legit. it uses UI.
it asks users to do something that feels helpful.
but behind that? it’s mshta.exe, powershell, and privilege in plain sight.
watch your saves.
watch your scripts.
and maybe, just maybe — kill mshta before it kills you