A new ClickFix phishing campaign is abusing Microsoft SharePoint to deliver the Havoc post-exploitation framework — hiding command-and-control traffic inside legitimate cloud API calls so it blends with normal corporate traffic. HN58 also covers the UAE financial sector’s ransomware surge, where 19 threat groups are actively targeting banks and the exposed attack surface jumped from 155,000 to 223,000 vulnerable assets in one year.
Stories Covered
ClickFix Phishing Deploys Havoc C2 Through SharePoint
Fortinet FortiGuard Labs documented a phishing campaign that sends emails with an attached HTML file posing as a restricted notice. When the victim opens it, the page displays a fake OneDrive DNS error and prompts them to “fix it manually” by clicking a button — which silently copies a malicious PowerShell command to their clipboard. The victim is then instructed to paste it into a command prompt, triggering a multi-stage infection chain.
The script first runs an anti-sandbox check: it queries how many computers are joined to the Windows domain and exits if the count is too low (indicating a researcher’s isolated VM rather than a real corporate network). If the check passes, it writes a registry key for persistence, installs Python if not already present, downloads a Python script from SharePoint, and uses that script to deploy the Havoc command-and-control framework.
The stealth angle is the most interesting part: Havoc is configured to communicate exclusively through Microsoft’s Graph API — specifically the SharePoint file APIs — so all C2 traffic looks like ordinary SharePoint uploads and downloads. In an environment that already uses SharePoint heavily, this traffic is functionally invisible without deep behavioral analysis. Havoc itself is open-source (similar in purpose to Cobalt Strike) and available on GitHub, meaning attackers do not need to build their own tooling.
ClickFix works precisely because it exploits human instinct: if a website tells a non-technical user there’s a DNS error and they need to paste something to fix it, many will comply. The defense is user education — any instruction to paste a command into a terminal, from any source, should be treated as suspicious and escalated rather than executed.
UAE Financial Sector: 19 Ransomware Groups, 223,000 Exposed Assets
Following their annual Cyber Wargaming 2025 exercise, UAE banking officials released a threat picture that is sharply worse than 2023. The number of ransomware groups actively targeting UAE organizations grew from 12 to 19, with RansomHub and LockBit most active. The financial sector accounts for 21% of all cybersecurity incidents in the region — second only to government systems — and the total exposed attack surface grew from 155,000 to 223,000 vulnerable assets in a single year.
A third of exposed systems were still running with a year-old OpenSSH vulnerability (CVE-2023-38408) at the time of assessment. Known CVEs with published proof-of-concept exploits are low-effort targets: anyone with basic scripting knowledge can automate scans against them using tools like Shodan. An unpatched device in the corner of the network is an open door regardless of how hardened everything else is — once inside, lateral movement and traffic blending (as the SharePoint campaign above demonstrates) can make detection very difficult.
The UAE has pledged $2 billion toward cybersecurity and digital transformation. Tabletop exercises and wargaming are the right instinct — you cannot know where you are actually vulnerable until someone qualified tries to break in. The alternative, security through obscurity, consistently fails.
Leave a Reply