Edgecution malicious Edge extension escapes the browser sandbox to plant a backdoor
Zscaler detailed Edgecution, a malicious Microsoft Edge extension used in ransomware-linked intrusions. It abuses Chrome's native messaging feature, which normally lets an extension talk to a registered desktop application over stdio, to break out of the browser sandbox and run a Python backdoor on the host. The extension beacons to a command-and-control server and relays its commands to the backdoor, giving attackers filesystem access and code execution, and it runs inside a hidden headless browser so that no visible window gives it away. Attacks start with social engineering on Microsoft Teams, where the actor poses as IT support and directs employees to a fake "Outlook Updates" page. Researchers tie the activity to an access broker linked to the Payouts King ransomware operation.
- Check
- Inventory the browser extensions installed across the organization, audit native messaging host registrations, and treat unsolicited Microsoft Teams messages from supposed IT support directing software installs as suspicious.
- Affected
- Organizations whose employees can install browser extensions and be reached by external Microsoft Teams messages; the technique escapes the browser sandbox to give attackers host-level access for ransomware staging.
- Fix
- Restrict browser extension installation through policy, control native messaging host configurations, lock down external Teams contact, and train staff to reject IT-support prompts pushing browser or software updates.
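The native messaging audit in the Check item above, as an added example that is not part of the original report or Zscaler's tooling: it enumerates the Edge and Chrome `NativeMessagingHosts` registry keys on Windows, then flags manifests whose host binary is an interpreter, lives outside trusted directories, or is reachable by an extension ID that is not on an allow-list. The interpreter watchlist, trusted directories, approved extension IDs and the sample manifest are constructed assumptions to tune for your own estate.

```python
import json, re, sys
from pathlib import Path

INTERPRETER = re.compile(r"(python\w*|pwsh|powershell|cmd|wscript|cscript|node)(\.exe)?", re.I)
TRUSTED_DIRS = ("c:\\program files", "/usr/lib", "/opt")   # assumption: tune to your estate
ORIGIN = re.compile(r"^chrome-extension://([a-p]{32})/$")
APPROVED_EXTENSIONS = {"a" * 32}                             # constructed allow-list of extension IDs

def audit_manifest(manifest, approved):
    """Return (finding-code, detail) pairs for one manifest (JSON text or parsed dict)."""
    try:
        m = json.loads(manifest) if isinstance(manifest, str) else manifest
    except json.JSONDecodeError as e:
        return [("unparseable", e.msg)]
    findings, path = [], str(m.get("path", ""))
    base = re.split(r"[\\/]", path)[-1]
    if INTERPRETER.fullmatch(base):                 # host is an interpreter: extension-driven code execution
        findings.append(("interpreter-host", base))
    if not path.lower().startswith(TRUSTED_DIRS):   # user-writable location, typical of a dropped host
        findings.append(("untrusted-path", path))
    for o in m.get("allowed_origins") or []:
        hit = ORIGIN.match(str(o))
        if not hit:
            findings.append(("malformed-origin", str(o)))
        elif hit.group(1) not in approved:          # only approved extensions may reach a host
            findings.append(("unapproved-extension", hit.group(1)))
    return findings

def windows_registrations():
    """Yield (host name, manifest path) from the Edge and Chrome registry keys (Windows only)."""
    import winreg
    for hive in (winreg.HKEY_CURRENT_USER, winreg.HKEY_LOCAL_MACHINE):
        for sub in (r"Software\Microsoft\Edge\NativeMessagingHosts",
                    r"Software\Google\Chrome\NativeMessagingHosts"):
            try:
                with winreg.OpenKey(hive, sub) as key:
                    for i in range(winreg.QueryInfoKey(key)[0]):
                        name = winreg.EnumKey(key, i)
                        yield name, winreg.QueryValue(key, name)   # default value = manifest path
            except OSError:
                continue

# Constructed sample modelled on the report: host path is a Python interpreter in a user-writable dir.
SAMPLE = {"name": "com.example.updater", "type": "stdio",
          "path": r"C:\Users\alice\AppData\Local\Temp\python.exe",
          "allowed_origins": ["chrome-extension://" + "p" * 32 + "/"]}

if __name__ == "__main__" and sys.platform == "win32":
    for name, mpath in windows_registrations():
        print(name, audit_manifest(Path(mpath).read_text(encoding="utf-8"), APPROVED_EXTENSIONS))
```

Run it under each user profile as well as once elevated, since HKCU registrations are per user and a host registered only there is invisible from another account.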