Last updated: July 5, 2026 at 9:01 AM UTC
Tag: browser-extension (1 article)

Edgecution malicious Edge extension escapes the browser sandbox to plant a backdoor

Zscaler detailed Edgecution, a malicious Microsoft Edge extension used in ransomware-linked intrusions that abuses Chrome's native messaging feature, which normally lets extensions talk to desktop apps, to break out of the browser sandbox and run a Python backdoor on the host. The extension beacons to a command server and relays commands to the backdoor, giving attackers filesystem access and code execution, while running in a hidden headless browser to stay invisible. Attacks start with social engineering on Microsoft Teams, where the actor poses as IT support and directs employees to a fake "Outlook Updates" page. Researchers tie the activity to an access broker linked to the Payouts King ransomware operation.

Check
Review which browser extensions are installed across the organization, audit native messaging host registrations, and treat unsolicited Microsoft Teams messages from supposed IT support that direct employees to install software as suspicious.
Affected
Organizations whose employees can install browser extensions and be reached by external Microsoft Teams messages; the technique escapes the browser sandbox to give attackers host-level access for ransomware staging.
Fix
Restrict browser extension installation through policy, control native messaging host configurations, lock down external Teams contact, and train staff to reject IT-support prompts pushing browser or software updates.
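The Check and Fix items above both come down to registry state on each Windows endpoint: native messaging hosts are registered under documented `NativeMessagingHosts` keys, and the browser policies that block unwanted extensions and native messaging hosts live under `HKLM\Software\Policies`. The following PowerShell script is an added example, not code from Zscaler or from the article; it reads those documented Edge and Chrome locations, lists every registered host with the executable its manifest points at, and reports whether the relevant hardening policies are set. The `Suspicious` heuristic (a host whose executable is an interpreter or sits under a user-profile directory) is this example's own assumption, chosen because it matches the shape of the technique described above, and is a prompt for review rather than a verdict. The script only reads; it changes nothing.

```powershell
# Added example: audit native messaging host registrations and extension /
# native messaging policy on a Windows host. Read-only.

# Documented registry roots where Edge and Chrome look for native messaging hosts.
$hostRoots = @(
    'HKCU:\Software\Microsoft\Edge\NativeMessagingHosts',
    'HKLM:\Software\Microsoft\Edge\NativeMessagingHosts',
    'HKCU:\Software\Google\Chrome\NativeMessagingHosts',
    'HKLM:\Software\Google\Chrome\NativeMessagingHosts'
)

function Get-NativeMessagingHosts {
    foreach ($root in $hostRoots) {
        if (-not (Test-Path $root)) { continue }
        foreach ($key in Get-ChildItem $root) {
            # The key's default value is the path to the host's JSON manifest,
            # which names the executable and the extensions allowed to call it.
            $manifestPath = (Get-ItemProperty -Path $key.PSPath).'(default)'
            $manifest = $null
            if ($manifestPath -and (Test-Path $manifestPath)) {
                $manifest = Get-Content $manifestPath -Raw | ConvertFrom-Json
            }
            [pscustomobject]@{
                Hive           = $root.Split(':')[0]
                Browser        = if ($root -like '*Edge*') { 'Edge' } else { 'Chrome' }
                HostName       = $key.PSChildName
                ManifestPath   = $manifestPath
                Executable     = $manifest.path
                AllowedOrigins = ($manifest.allowed_origins -join ', ')
                # Assumed heuristic (not from the article): a user-level (HKCU) host that
                # launches an interpreter from a profile directory deserves a closer look.
                Suspicious     = [bool]($manifest.path -match 'python|powershell|cmd\.exe|AppData|Temp')
            }
        }
    }
}

function Get-BrowserHardeningPolicy {
    $policyRoots = @{
        Edge   = 'HKLM:\Software\Policies\Microsoft\Edge'
        Chrome = 'HKLM:\Software\Policies\Google\Chrome'
    }
    foreach ($browser in $policyRoots.Keys) {
        $root = $policyRoots[$browser]
        # List policies are stored as numbered values under a subkey; a "*" entry
        # blocks everything that is not explicitly allowlisted.
        $extBlock = (Get-ItemProperty "$root\ExtensionInstallBlocklist" -ErrorAction SilentlyContinue).PSObject.Properties |
                    Where-Object { $_.Name -match '^\d+$' } | ForEach-Object Value
        $nmBlock  = (Get-ItemProperty "$root\NativeMessagingBlocklist" -ErrorAction SilentlyContinue).PSObject.Properties |
                    Where-Object { $_.Name -match '^\d+$' } | ForEach-Object Value
        # NativeMessagingUserLevelHosts = 0 stops hosts registered only under HKCU
        # (the ones a standard user can add without admin rights) from loading.
        $userHosts = (Get-ItemProperty $root -ErrorAction SilentlyContinue).NativeMessagingUserLevelHosts
        [pscustomobject]@{
            Browser                       = $browser
            ExtensionsDefaultBlocked      = ($extBlock -contains '*')
            NativeMessagingDefaultBlocked = ($nmBlock -contains '*')
            UserLevelHostsDisabled        = ($userHosts -eq 0)
        }
    }
}

Get-NativeMessagingHosts     | Format-Table -AutoSize
Get-BrowserHardeningPolicy   | Format-Table -AutoSize
```

Run it per endpoint (for example through your EDR's script execution or a scheduled collection job) and diff the host list against a known-good baseline; any `Suspicious` row or a policy row showing `False` across the board is where the Fix guidance above applies. Since a standard user can register an HKCU host without admin rights, `UserLevelHostsDisabled` is the setting that most directly closes the path an extension would take out of the sandbox.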