Security Awareness Training

    Human Risk Roundup: When the browser becomes the bait 

    Social engineering meets technical evasion in a new wave of phishing and ransomware attacks that exploit user trust and everyday tools. 

    by Joan Goodchild

    Key Points

    • A new phishing method, FileFix 2.0, tricks users into downloading malicious files by exploiting browser behaviors and social engineering. 

    • Ransomware gangs like Sarcoma and Chaos are targeting sensitive data and third-party partners, using double extortion to increase pressure. 

    • As browser exploits decline, attackers are shifting tactics to target users directly, turning browsers into delivery vehicles for deception. 

    In this edition of the Human Risk Roundup, we explore how attackers are adapting to hardened technical defenses by shifting their focus to human behavior. A new phishing technique dubbed FileFix 2.0 demonstrates how something as ordinary as saving a file in your browser can be manipulated to install malware—no exploit chain required. Also, ransomware operators are doubling down on high-value targets and sensitive personal data to maximize impact. And new data reveals a broader trend: as browsers become harder to exploit directly, attackers are increasingly using them as a pathway to manipulate users instead. Read on for the latest tactics and what security leaders need to know to manage human risk. 

    FileFix 2.0: A new phishing tactic exploits browser behavior 

    A newly discovered phishing attack vector, dubbed FileFix 2.0 by security researcher mr.d0x, manipulates how modern browsers save HTML files to bypass key security mechanisms and trick users into downloading malicious content. This technique builds on the previously known ClickFix method, using social engineering to exploit user trust and browser behavior, enabling attackers to deliver malware through one-click phishing attacks. 

    What happens 

    Cybercriminals set up fake websites that mimic trusted platforms like Google or Microsoft, complete with realistic instructions and numbered codes to build trust. These sites encourage users to save the “backup codes” to their devices using “Ctrl+S” and to name the file with a “.hta” extension. 

    Thinking they are safely storing important security information, users unknowingly download a malicious file capable of running harmful commands on their computers. To make the file appear legitimate, attackers manipulate its name or hide critical details, such as the file extension, to avoid raising suspicion. 

    This attack also takes advantage of a browser quirk that skips a key Windows security feature called the Mark of the Web (MoTW). Without this safeguard, the malicious file can be executed without triggering warnings, making it seem safe to both users and security systems. 

    Why it matters 

    This attack highlights how attackers are exploiting browser behaviors and user trust to bypass traditional security mechanisms. By using the absence of MoTW metadata and manipulating file extensions, attackers can deliver malware without triggering standard security warnings. 

    The FileFix 2.0 method is particularly dangerous because it combines technical evasion with social engineering, making it harder for both users and automated defenses to detect. The potential for widespread exploitation across consumer and enterprise environments underscores the need for proactive defenses. 

    Practical tips for security leaders 

    • Use email and web security tools to block malicious attachments, scan links, and remove harmful content to stop phishing and malware threats. 

    • Educate users with awareness training to help them learn how to recognize phishing attempts. 

    • Use threat detection to identify and block malicious files or links before they reach users. 

    • Monitor suspicious activity in real time to quickly detect and respond to phishing or malware campaigns. 
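    One way to turn the third and fourth tips into something concrete is a small triage check over browser-download telemetry. The script below is an added example for this roundup, not code from the original post or from the researcher who described FileFix 2.0. It flags the traits the story describes: a file saved from a browser with a script-host extension such as .hta, a double extension that makes it look like a document, and a missing Mark of the Web. The log format, field names, user names and file paths are all constructed for the example; the extension lists are this example's own choice, and real EDR or proxy telemetry will need its fields mapped accordingly.

```python
"""
Added example (not from the original post): flag browser downloads that
match the FileFix 2.0 pattern described in the roundup, from a defender's
side. The CSV telemetry below is constructed for the example; the field
names (timestamp, user, browser, path, has_motw) are assumptions.
"""
import csv
import io
from pathlib import PureWindowsPath

# File types that Windows hands to a script host (mshta.exe / wscript.exe)
# when a user double-clicks them. This set is the example's own choice.
SCRIPT_HOST_EXTENSIONS = {".hta", ".js", ".jse", ".vbs", ".vbe", ".wsf"}

# Extensions a user would reasonably expect a "backup codes" file to carry;
# a script-host extension stacked behind one of these is a disguise.
BENIGN_DOC_EXTENSIONS = {".txt", ".pdf", ".html", ".htm", ".docx"}

# Constructed sample telemetry: one browser download per line.
# has_motw records whether the file carries a Zone.Identifier stream.
SAMPLE_LOG = """\
timestamp,user,browser,path,has_motw
2025-07-01T09:12:03Z,alice,chrome,C:\\Users\\alice\\Downloads\\report.pdf,true
2025-07-01T09:15:44Z,bob,edge,C:\\Users\\bob\\Downloads\\backup-codes.hta,false
2025-07-01T09:16:10Z,carol,chrome,C:\\Users\\carol\\Downloads\\backup codes.txt,true
2025-07-01T09:20:31Z,dave,chrome,C:\\Users\\dave\\Downloads\\codes.pdf.hta,false
2025-07-01T09:22:57Z,erin,firefox,C:\\Users\\erin\\Downloads\\notes.html,false
"""


def assess_download(path: str, has_motw: bool) -> list[str]:
    """Return the findings for one downloaded file; an empty list means nothing suspicious."""
    name = PureWindowsPath(path).name
    suffixes = [s.lower() for s in PureWindowsPath(name).suffixes]
    findings: list[str] = []

    if suffixes and suffixes[-1] in SCRIPT_HOST_EXTENSIONS:
        findings.append(f"script-host extension {suffixes[-1]}")
        # "codes.pdf.hta" looks like a PDF in a file dialog that hides extensions.
        if len(suffixes) >= 2 and suffixes[-2] in BENIGN_DOC_EXTENSIONS:
            findings.append(f"double extension disguises it as {suffixes[-2]}")

    # Browsers normally stamp downloads with MoTW; its absence is what lets
    # the file run without SmartScreen or Defender warnings.
    if not has_motw:
        findings.append("missing Mark of the Web on a browser download")

    return findings


def scan_log(text: str) -> dict[str, list[str]]:
    """Run assess_download over CSV telemetry and return {path: findings} for flagged rows."""
    flagged: dict[str, list[str]] = {}
    for row in csv.DictReader(io.StringIO(text)):
        has_motw = row["has_motw"].strip().lower() == "true"
        findings = assess_download(row["path"], has_motw)
        if findings:
            flagged[row["path"]] = findings
    return flagged


def high_priority(flagged: dict[str, list[str]]) -> list[str]:
    """Paths whose findings include a script-host extension, i.e. the FileFix-shaped ones."""
    return [p for p, f in flagged.items() if any(x.startswith("script-host") for x in f)]


if __name__ == "__main__":
    results = scan_log(SAMPLE_LOG)
    for path, findings in results.items():
        print(path)
        for finding in findings:
            print("   -", finding)
    print("high priority:", high_priority(results))
```

    Feed it the download events your endpoint agent already records; the point is that a .hta saved from a browser, with or without a disguised extension, is worth an alert on its own, and the missing MoTW field is a second, independent signal rather than the only one.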

    Read more in Bleeping Computer. 


    Continued uptick in ransomware reveals new playbook 

    Criminals are using ransomware-as-a-service (RaaS) to scale their operations and attack more organizations to demand money in exchange for hostage data. Recent incidents involving the Swiss government and Optima Tax Relief also underscore how bad actors are increasingly targeting third-party partners and high-value data to maximize their impact.  

    What happened 

    In Switzerland, the Sarcoma ransomware gang targeted Radix, a third-party organization managing health programs and online counseling services for the government. The attackers stole over 1.3 terabytes of data, including financial records, contracts, and communications, and leaked it on the dark web after ransom negotiations failed. While the Swiss government’s internal systems were not breached, platforms like SafeZone and StopSmoking, which offer anonymous counseling, were likely affected, raising concerns about privacy and the exposure of sensitive personal information. 

    Another recent attack on Optima Tax Relief by the Chaos ransomware group also resulted in loss of personal and corporate data. This attack follows Chaos’s alleged breach of The Salvation Army earlier this year. Reports note that both Sarcoma and Chaos employ double-extortion tactics, encrypting systems while threatening to leak stolen data to pressure victims into paying. 

    Why it matters 

    The incidents highlight an evolution in tactics and targets among ransomware gangs. Crime groups like Sarcoma and Chaos are zeroing in on organizations that store highly sensitive, often immutable data—such as government records and personal counseling files—making extortion efforts more effective. Double extortion has become standard practice, with stolen data publicly leaked to increase pressure on victims. Social engineering tactics are often used as the initial entry point, exploiting human trust to gain access and set the stage for these sophisticated attacks.  

    Practical tips for security leaders  

    • Use email and web security tools to block malicious attachments, scan links, and remove harmful content to stop phishing and malware threats. 

    • Educate users with awareness training to help them recognize phishing attempts and avoid risky behaviors. 

    • Use URL rewriting and scanning to analyze links at the time of click and block malicious URLs, even in delayed or time-sensitive attacks. 

    • Enable anti-phishing and impersonation protection to identify and block emails that mimic trusted brands or individuals, reducing the risk of social engineering. 

    Read more about the attacks here. 

    What to watch: Humans replace browsers as the new attack surface 

    New reporting finds that while traditional browser exploits are declining, attackers are increasingly targeting users themselves—turning the browser into a launchpad for deception. In 2024, 70% of attacks began with a browser download, up from 58% the year before. Instead of exploiting vulnerabilities, attackers are hijacking legitimate browser functions, tricking users into installing malicious extensions or authorizing deceptive apps through trusted platforms like Google Chrome. As Dark Reading reports, it’s not about breaking the software anymore; it’s about breaking user trust. With the rise of remote work and cloud reliance, the user has become the new attack surface, making it critical to prioritize user education, awareness, and proactive defenses to stay ahead of these evolving threats. Human risk management is now a cornerstone of cybersecurity, focusing on equipping users with the knowledge and tools to identify and counter these evolving threats. 

    Read the full story in Dark Reading. 
