Tags: Social Engineering, PowerShell, Phishing, Red Teaming

FileFix: A Simple Social Engineering Trick That Launches PowerShell from the Browser

Wed, Jun 25, 2025 · 2 min read

The goal of the FileFix attack is to get the victim to unknowingly execute a malicious command that looks like a regular file path.

What is FileFix?

FileFix is a social engineering technique that exploits how Windows handles file associations and URL protocols. It tricks users into executing PowerShell commands by making them appear as harmless file paths.

The Attack Vector

The attack works by crafting a URL that looks like a file path but actually executes a PowerShell command:

file://C:/Windows/System32/WindowsPowerShell/v1.0/powershell.exe -Command "malicious code"

How It Works

  1. The Bait: Attacker sends a link that appears to be a file path
  2. The Click: User clicks the link thinking it will open a file
  3. The Execution: Browser interprets the URL and launches PowerShell
  4. The Payload: Malicious command executes in the background

Example Scenarios

Scenario 1: Email Phishing

Subject: Important Document Review
Body: Please review the attached document:
Link: file://C:/Users/Public/Documents/report.pdf

Scenario 2: Website Redirect

A compromised website redirects users to a FileFix URL, making it appear as if they're downloading a legitimate file.

Technical Details

The attack leverages:

  • Windows file protocol handlers
  • Browser URL interpretation
  • PowerShell execution policy bypasses
  • Social engineering principles

Detection

Look for:

  • Unexpected PowerShell processes
  • Browser-initiated PowerShell executions
  • Suspicious file:// URLs in logs
  • Unusual command-line arguments
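The three indicators above (browser-to-PowerShell process chains, file:// URLs that resolve to powershell.exe, and unusual arguments) as detection logic over a few constructed process-creation events. This is an added example, not code from the original post; field names are assumed to follow Sysmon Event ID 1 (Image, ParentImage, CommandLine) and the browser list is an assumption to extend for your environment.

```python
# Added example, not from the original post: flag browser-to-PowerShell process
# chains, file:// URLs that resolve to powershell.exe, and common evasive
# PowerShell arguments in constructed process-creation events (field names
# assumed to follow Sysmon Event ID 1: Image, ParentImage, CommandLine).
import re
from typing import Dict, List, Tuple

BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe", "brave.exe", "iexplore.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}
# A file:// URL whose path ends in powershell.exe or pwsh.exe (the FileFix shape).
FILEFIX_URL = re.compile(r"file://[^\s\"']*?(?:powershell|pwsh)\.exe", re.IGNORECASE)
# Arguments rarely seen in legitimate interactive use.
EVASIVE_ARGS = re.compile(
    r"-(?:enc(?:odedcommand)?|e(?:xecutionpolicy|p)\s+bypass|w(?:indowstyle)?\s+hidden)\b",
    re.IGNORECASE)

def image_name(path: str) -> str:
    """Return the lower-cased file name from a Windows or URL-style path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def classify(event: Dict[str, str]) -> List[str]:
    """Return the detection labels that apply to one process-creation event."""
    child = image_name(event.get("Image", ""))
    parent = image_name(event.get("ParentImage", ""))
    cmd = event.get("CommandLine", "")
    findings = []
    if child in POWERSHELL and parent in BROWSERS:
        findings.append("browser-spawned-powershell")
    if FILEFIX_URL.search(cmd):
        findings.append("file-url-to-powershell")
    if child in POWERSHELL and EVASIVE_ARGS.search(cmd):
        findings.append("suspicious-arguments")
    return findings

def analyze(events: List[Dict[str, str]]) -> List[Tuple[int, List[str]]]:
    """Return (index, labels) for every event that triggers at least one rule."""
    return [(i, f) for i, e in enumerate(events) if (f := classify(e))]

# Constructed sample events (not real telemetry); "<placeholder>" stands in
# for whatever command an attacker would pass.
EVENTS = [
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "CommandLine": r'powershell.exe -ExecutionPolicy Bypass -Command "<placeholder>"'},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"powershell.exe -NoProfile -File C:\scripts\backup.ps1"},  # benign
    {"Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'chrome.exe "file://C:/Windows/System32/WindowsPowerShell/v1.0/powershell.exe -Command <placeholder>"'},
]

if __name__ == "__main__":
    for i, labels in analyze(EVENTS):
        print(i, labels)
```

The second event (a scheduled script started from Explorer) produces no finding, which is the false-positive case this logic is tuned to avoid.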

Mitigation

  • Disable file:// protocol in browsers
  • Implement PowerShell execution policies
  • Use application whitelisting
  • Educate users about suspicious links
  • Monitor for browser-to-PowerShell process chains

Conclusion

FileFix demonstrates how simple social engineering can bypass technical controls. Defense requires both technical controls and user awareness.
