NEWS Saved “security code” — triggered a virus: the new FileFix scheme

Posted by ExcalibuR

Even a fake MFA page can be a trap.


A new method has been discovered in Windows that allows malicious scripts to be executed without any user warnings. The technique, known as FileFix, has been improved and now exploits a vulnerability in how browsers handle saved HTML pages.


The attack was presented by cybersecurity researcher mr.d0x, who had previously demonstrated the original version of FileFix. Back then, attackers used a phishing page to trick the victim into pasting a disguised PowerShell command into the Windows File Explorer address bar. Once pasted, the command would auto-execute, making the attack nearly invisible.


The new variant of FileFix is even more sophisticated. It allows the execution of a malicious script while bypassing the Mark of the Web (MoTW) — a security feature designed to block potentially dangerous files downloaded from the internet. In this attack, the attacker uses social engineering to convince the victim to save an HTML page using Ctrl+S and change the file extension to .HTA. These files are associated with the legacy but still supported HTML Applications (HTA) technology in Windows.


.HTA files are essentially HTML-based apps that are automatically run via the mshta.exe system component. This legitimate executable allows embedded scripts to run with the user’s privileges — making .HTA files an attractive tool for delivering malware.


As mr.d0x demonstrated, when an HTML page is saved using a browser as “Webpage, Complete” (MIME type text/html), it does not receive the MoTW security tag. Normally, MoTW is automatically added to files downloaded from the internet to alert users and block script execution. The absence of this tag allows attackers to bypass standard system protections.


Once the user renames the saved file (e.g., to MfaBackupCodes2025.hta) and opens it, the embedded malicious code is executed immediately and silently. In essence, the victim launches the malware themselves — completely unaware of the danger.


The most challenging part for attackers remains the social engineering phase — persuading the user to save the page and correctly change its extension. However, as mr.d0x notes, this can be overcome with a convincing fake page. For example, it might imitate an official website urging the user to save MFA backup codes for future account recovery. The page could include detailed instructions like pressing Ctrl+S, selecting “Webpage, Complete,” and naming the file with a .HTA extension.


If the page looks convincing enough, and the user lacks security knowledge or fails to notice the file extension, the likelihood of a successful attack increases significantly.


An example might be a phishing page titled “MFA Backup Codes,” prompting the user to save a file as MfaBackupCodes2025.hta. This approach is especially dangerous given the low technical awareness of many users.


To protect against such attacks, experts recommend disabling or deleting the mshta.exe executable, located in C:\Windows\System32 and C:\Windows\SysWOW64. This component is rarely used and can be safely disabled in most cases.


Additionally, users should enable file extension visibility in Windows settings to prevent format spoofing. It’s also advisable to block HTML attachments in emails and exercise caution when saving files from untrusted sources.
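As an added example (not code from the original post or from mr.d0x), the following PowerShell audit covers the defensive points above from the administrator's side: it lists recently written .hta files in common user folders and reports whether each one carries the Mark of the Web (the Zone.Identifier alternate data stream), then checks whether mshta.exe is still present in the two paths named above and whether Explorer is configured to show file extensions. The folder list and the 30-day window are illustrative assumptions.

```powershell
# Added audit example, not part of the original post.
# Assumptions: run as the interactive user on PowerShell 5.1 or later;
# the folders and the 30-day window are illustrative choices.

function Get-HtaMotwReport {
    param(
        [string[]]$Folders = @("$env:USERPROFILE\Downloads",
                               "$env:USERPROFILE\Desktop",
                               "$env:USERPROFILE\Documents"),
        [int]$Days = 30
    )
    $since = (Get-Date).AddDays(-$Days)
    foreach ($folder in $Folders) {
        if (-not (Test-Path $folder)) { continue }
        Get-ChildItem -Path $folder -Recurse -File -Filter '*.hta' -ErrorAction SilentlyContinue |
            Where-Object { $_.LastWriteTime -ge $since } |
            ForEach-Object {
                # MoTW is stored in the Zone.Identifier alternate data stream. A page saved as
                # "Webpage, Complete" and renamed to .hta has no such stream (the FileFix case),
                # so HasMotw = $false on a recent .hta file is the condition worth reviewing.
                $zone = Get-Content -Path $_.FullName -Stream Zone.Identifier -ErrorAction SilentlyContinue
                [pscustomobject]@{
                    Path     = $_.FullName
                    Modified = $_.LastWriteTime
                    HasMotw  = [bool]$zone
                    ZoneId   = ($zone | Where-Object { $_ -like 'ZoneId=*' }) -replace 'ZoneId=', ''
                }
            }
    }
}

function Test-FileFixHardening {
    # 1. Is mshta.exe still present in the two locations the post names?
    $mshta = @('C:\Windows\System32\mshta.exe', 'C:\Windows\SysWOW64\mshta.exe') |
        ForEach-Object { [pscustomobject]@{ Path = $_; Present = (Test-Path $_) } }
    # 2. Does Explorer show file extensions? HideFileExt = 0 means extensions are visible.
    $adv  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
    $hide = (Get-ItemProperty -Path $adv -Name HideFileExt -ErrorAction SilentlyContinue).HideFileExt
    [pscustomobject]@{
        MshtaBinaries     = $mshta
        ExtensionsVisible = ($hide -eq 0)
    }
}

Get-HtaMotwReport | Format-Table -AutoSize
Test-FileFixHardening | Format-List
```

A recent .hta file reported with HasMotw = False in a user folder matches the saved-and-renamed pattern described above and merits a look, while ExtensionsVisible = False means the spoofed extension would not be shown to the user.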