A newly discovered phishing campaign dubbed “FileFix” is raising serious alarms in the cybersecurity community, building on the notorious ClickFix exploit to dupe users into installing a rogue browser extension. Discovered by Check Point Research, shows a disturbing evolution of social engineering tactics already being used in live attacks across multiple countries.
What is FileFix?
FileFix is a weaponized browser extension, deceptively packaged as a utility to “fix” or open documents that supposedly can’t be viewed due to file corruption or version mismatches.
Attackers initiate the scam by sending victims a fake email containing a link to an inaccessible file. Clicking the link redirects the user to a convincing phishing page that prompts them to install a browser extension – the FileFix add-on – under the guise of enabling document access.
But instead of fixing anything, the extension grants attackers capabilities enabling:
- Access to all websites visited by the victim
- Injection of arbitrary scripts into web sessions
- Credential theft and data exfiltration
- Browser hijacking and persistent surveillance
Built on ClickFix’s Blueprint – But More Dangerous
FileFix borrows it basic framework from ClickFix, a similar attack vector discovered earlier this year. ClickFix exploited the Chrome extension ecosystem to deliver an unauthorized code execution. But FileFix goes a step further: it uses updated localized phishing pages in multiple languages and targets specific demographics with tailored lures.
As Dray Agha, Senior Manager of Security Operations at Huntress, puts it:
“FileFix isn’t just a new attack, it’s the graduation and evolution of ClickFix. Where ClickFix abused the ‘Run’ dialog, FileFix weaponizes user trust in File Explorer itself. This mutation shows threat actors rapidly iterating to leverage foundational Windows workflows, making defences that much harder to deploy.”
In short, it’s not a crude, one-size-fits all scam; it’s a fine-tuned, weaponized campaign built to scale globally.
Key Characteristics of the FileFix Campaign
- Multilingual Phishing Pages: Victims see tailored prompts in their native language, increasing believability.
- Bypasses Traditional Security Tools: Since browser extension often request wide permissions, security solution, can struggle to flag malicious behavior early.
- No Exploits Needed: The attack relied purely on social engineering; no malware dropper, no payload, just user manipulation
Why it Works
Browser extensions remain a massive blind spot in enterprise and personal security postures. Most users install them without reading permission prompts, and browser vendors have done little to improve visibility or control over what extensions actually do once installed.
FileFix takes advantage of this to great effect:
- Victims believe they are resolving a technical issue
- Phishing pages mimic familiar productivity platforms like Microsoft Office, Adobe, or Google Docs
- Extension installation is framed as a standard troubleshooting step
Once the extension is active, the attacker gains control of the browser environment.
What Organizations Should Do Now
This isn’t just a consumer threat. Enterprises relying on browser-based workflows are vulnerable to FileFix-like attacks. IT teams need to respond fast by:
- Restricting Browser Extensions: Enforce policies that only allow whitelisted extensions.
- Deploying Browser Isolation Tools: Prevent extensions from accessing sensitive internal apps.
- Training Staff: Make sure users understand how phishing links and spoof file prompts work.
- Monitoring Browser Behavior: Look for anomalies such as unusual browser extension installs or strange traffic patterns.
- Using DNS and Web Filters: Block known phishing domains and dynamic extension installations.
The Bigger Picture: Social Engineering 2.0
FileFix is a sobering reminder that the cyber threat landscape is evolving at an alarming rate. As defenses improve, attackers are focusing what remains vulnerable: people.
And they’re getting better at it.
Josh is a Content writer at Bora. He graduated with a degree in Journalism in 2021 and has a background in cybersecurity PR. He's written on a wide range of topics, from AI to Zero Trust, and is particularly interested in the impacts of cybersecurity on the wider economy.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.