initial_access_clickfix_phishing_via_browser_dialog_box.yml
name: Clickfix phishing via browser dialog box
id: 5fc4bf43-fbb6-4a78-a2cc-1fe9138bd3c2
version: 1.0.0
description: |
  Identifies a ClickFix-style social-engineering phishing attempt and its FileFix evolution,
  where a web page coerces a user into interacting with a trusted File Explorer address bar so
  that a clipboard-pasted value executes a command on the host. Attackers use convincing browser
  lures (fake CAPTCHAs, shared-file prompts, account-suspension pages, etc.) to cause the browser
  to open a native dialog or explorer window and simultaneously place a malicious command
  on the clipboard. When the user pastes that content into the trusted UI it runs with
  their privileges, often bypassing Mark-Of-The-Web checks and many automated protections.
labels:
  tactic.id: TA0001
  tactic.name: Initial Access
  tactic.ref: https://attack.mitre.org/tactics/TA0001/
  technique.id: T1566
  technique.name: Phishing
  technique.ref: https://attack.mitre.org/techniques/T1566/
references:
  - https://thehackernews.com/2025/06/new-filefix-method-emerges-as-threat.html
  - https://www.bridewell.com/insights/blogs/detail/filefix-the-evolved-clickfix
  - https://blog.checkpoint.com/research/filefix-the-new-social-engineering-attack-building-on-clickfix-tested-in-the-wild/
condition: >
  spawn_process and ps.parent.name iin web_browser_binaries and
  (ps.name iin script_interpreters or ps.name iin ('msiexec.exe', 'rundll32.exe', 'curl.exe', 'wget.exe', 'certutil.exe', 'certreq.exe', 'msbuild.exe') or
  ps.exe imatches '?:\\Users\\*\\Downloads\\*') and
  thread.callstack.summary imatches 'ntdll.dll|*|windows.storage.dll|shell32.dll|windows.storage.dll|SHCore.dll|*'
action:
  - name: kill
output: >
  Process %ps.exe execution via potential Clickfix phishing browser dialog box
severity: high
min-engine-version: 3.0.0
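To see how the condition above evaluates, here is the same predicate re-implemented in Python and run over constructed process-spawn events; this is an added example, not Fibratus or the rule's own code. The contents of the `web_browser_binaries` and `script_interpreters` macros, the flat event layout, and the modelling of `spawn_process` as an event kind are assumptions.

```python
from fnmatch import fnmatchcase

# Assumed contents of the Fibratus macros the rule references (placeholders,
# not taken from Fibratus); the explicit binaries and globs are from the rule.
WEB_BROWSER_BINARIES = {"chrome.exe", "msedge.exe", "firefox.exe", "brave.exe"}
SCRIPT_INTERPRETERS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe",
                       "cscript.exe", "mshta.exe"}
LOLBINS = {"msiexec.exe", "rundll32.exe", "curl.exe", "wget.exe",
           "certutil.exe", "certreq.exe", "msbuild.exe"}
DOWNLOADS_GLOB = "?:\\Users\\*\\Downloads\\*"
CALLSTACK_GLOB = ("ntdll.dll|*|windows.storage.dll|shell32.dll|"
                  "windows.storage.dll|SHCore.dll|*")

def iin(value, values):
    """Fibratus `iin`: case-insensitive membership test."""
    return value.lower() in {v.lower() for v in values}

def imatches(value, pattern):
    """Fibratus `imatches`: case-insensitive wildcard match (* and ?)."""
    return fnmatchcase(value.lower(), pattern.lower())

def clickfix_rule_matches(event):
    """Evaluate the rule's condition over one flat event dict keyed by the
    rule's field names; `spawn_process` is modelled as event["kind"]."""
    if event.get("kind") != "spawn_process":
        return False
    if not iin(event["ps.parent.name"], WEB_BROWSER_BINARIES):
        return False
    child_suspicious = (iin(event["ps.name"], SCRIPT_INTERPRETERS)
                        or iin(event["ps.name"], LOLBINS)
                        or imatches(event["ps.exe"], DOWNLOADS_GLOB))
    # The windows.storage.dll / shell32.dll / SHCore.dll frames are what tie
    # the spawn to the File Explorer address bar rather than to the browser.
    return child_suspicious and imatches(event["thread.callstack.summary"],
                                         CALLSTACK_GLOB)

# Constructed sample events (not real telemetry).
FILEFIX_EVENT = {  # PowerShell pasted into the Explorer address bar from Edge
    "kind": "spawn_process", "ps.parent.name": "msedge.exe",
    "ps.name": "PowerShell.exe",
    "ps.exe": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
    "thread.callstack.summary": ("ntdll.dll|KernelBase.dll|windows.storage.dll|"
                                 "shell32.dll|windows.storage.dll|SHCore.dll|msedge.dll"),
}
BENIGN_EVENT = {  # Chrome spawning its own helper process: no Explorer frames
    "kind": "spawn_process", "ps.parent.name": "chrome.exe",
    "ps.name": "chrome.exe",
    "ps.exe": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe",
    "thread.callstack.summary": "ntdll.dll|KernelBase.dll|chrome.dll",
}
```

The mixed-case `PowerShell.exe` in the first event is deliberate: it only matches because `iin` and `imatches` lower-case both sides, which is what the `i` prefix on the rule's operators means.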