
Microsoft Edge IE Mode Exploited as Backdoor: Zero-Day Vulnerability Forces Emergency Restrictions

  • Rescana
  • Oct 15


Executive Summary

In recent months, Microsoft has enacted emergency restrictions on the legacy IE Mode feature within the Microsoft Edge browser after threat actors weaponized this compatibility layer as a covert backdoor. Attackers exploited unpatched vulnerabilities in the Chakra JavaScript engine—the core of legacy Internet Explorer—to achieve remote code execution (RCE) and privilege escalation, bypassing modern browser security controls. The exploitation chain was initiated through sophisticated social engineering, luring users to malicious sites that triggered IE Mode, thereby exposing the underlying, outdated codebase. In response, Microsoft has removed easy-access IE Mode activation for non-commercial users, now requiring explicit, site-by-site enablement. This advisory provides a technical breakdown of the attack, threat actor tactics, observed victimology, and actionable mitigation strategies for organizations still reliant on legacy web applications.

Threat Actor Profile

The threat actors behind the exploitation of IE Mode have not been publicly attributed to a specific Advanced Persistent Threat (APT) group or nation-state. However, the attack demonstrates a high degree of technical sophistication, combining zero-day exploitation with advanced social engineering. The adversaries possess deep knowledge of both legacy and modern browser architectures, specifically targeting the intersection where backward compatibility introduces systemic risk. Their operational objectives appear to be broad, focusing on initial access and persistent compromise rather than immediate financial gain or targeted espionage. The campaign’s opportunistic nature, targeting any organization with legacy dependencies, suggests a well-resourced group capable of rapid exploit development and deployment.

Technical Analysis of Malware/TTPs

The attack chain begins with a user being enticed—typically via phishing emails or malicious links—to visit a website masquerading as a legitimate business or government portal. Upon visiting, the site prompts the user to reload the page in IE Mode. This is achieved through a crafted interface element or browser flyout, exploiting user trust and lack of awareness regarding the risks of legacy compatibility features.

Once IE Mode is activated, the attacker leverages a zero-day vulnerability in the Chakra JavaScript engine. This vulnerability allows for remote code execution within the context of the browser process. The exploit payload is delivered via obfuscated JavaScript, which, when parsed by the vulnerable engine, results in arbitrary code execution. The initial shellcode establishes a foothold, often by spawning a child process or injecting into a trusted system process.

A secondary, undisclosed vulnerability is then exploited to escape the browser sandbox, elevating privileges to SYSTEM or administrative level. This enables the attacker to disable endpoint security controls, establish persistence, and move laterally within the network. Post-exploitation activities include the deployment of custom malware, credential harvesting, and exfiltration of sensitive data via encrypted command-and-control (C2) channels.

Technical indicators observed in the wild include anomalous invocations of msedge.exe with IE Mode parameters, unexpected child processes, and outbound connections to attacker-controlled infrastructure immediately following an IE Mode session. The attack chain is notable for its ability to bypass modern browser security boundaries by exploiting the legacy code path exposed by IE Mode.

Exploitation in the Wild

The exploitation of IE Mode was first observed in August 2025, with reports surfacing from multiple security vendors and threat intelligence platforms. Attackers targeted users in organizations with known dependencies on legacy web applications, particularly in sectors such as government, finance, and healthcare. The attack was not limited to a specific geographic region, indicating a global campaign.

Victims reported being redirected to spoofed portals that closely mimicked legitimate business or government websites. These portals contained prompts or banners instructing users to enable IE Mode for "full functionality" or "compatibility reasons." Once IE Mode was engaged, the exploit chain was executed, resulting in full device compromise.

No public proof-of-concept (PoC) code or exploit samples have been released, and Microsoft has not assigned CVE identifiers to the vulnerabilities as of this advisory. The lack of public technical details suggests that the vulnerabilities remain unpatched and are being closely guarded by both the vendor and the threat actors.

Victimology and Targeting

The primary victims of this campaign are organizations and users who continue to rely on legacy web applications that require IE Mode for compatibility. This includes sectors such as government, financial services, healthcare, and manufacturing, where critical business processes are still tied to outdated web technologies. The attack is opportunistic, exploiting any environment where IE Mode is enabled and user awareness of the associated risks is low.

No specific countries have been singled out in public reporting, but the global nature of Microsoft Edge deployments and the widespread use of legacy applications suggest a broad victim pool. The attackers have demonstrated an ability to rapidly identify and target organizations with exposed IE Mode functionality, leveraging open-source intelligence and automated scanning tools.

Mitigation and Countermeasures

Microsoft has responded by significantly restricting access to IE Mode for non-commercial users. The following mitigation steps are recommended:

Organizations should audit all usage of IE Mode within their environment, identifying which applications and users require this feature. IE Mode should be restricted to only those legacy applications that are absolutely essential for business operations. All other access should be disabled via group policy or browser configuration.

IE Mode activation should now be managed through explicit site-by-site allowlists. For non-commercial users this is configured in Microsoft Edge under Settings > Default Browser > Allow, where each page permitted to open in IE Mode is defined manually. The previous toolbar button, context menu, and hamburger menu options for enabling IE Mode on an arbitrary page have been removed for non-commercial users.
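The two controls above (restrict IE Mode by policy, and allow only an explicit list of legacy sites) can be checked mechanically. The following Python script is an added example written for this advisory; it is not Rescana's code or a Microsoft tool. It assumes the site list XML follows Microsoft's Enterprise Mode Site List v2 schema (site-list / site / compat-mode / open-in), that the policy names are Microsoft's documented Edge policies as read from HKLM\SOFTWARE\Policies\Microsoft\Edge, and that the hostnames and policy values are constructed examples. Its URL matching is a simplified approximation of Microsoft's matching rules, not a reimplementation of them.

```python
"""Build an explicit IE Mode allowlist and audit Edge policy values.

Added example, not Rescana's code. Assumptions: Enterprise Mode Site List v2
schema; Microsoft's documented Edge policy names; constructed hostnames and
values; simplified URL matching.
"""
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed allowlist: only the legacy apps that genuinely need IE Mode.
# Each entry is (host or host/path, Enterprise Mode compat mode).
LEGACY_ALLOWLIST = [
    ("legacy-erp.example.internal", "IE8Enterprise"),
    ("intranet.example.internal/oldportal", "IE7Enterprise"),
]

# Constructed policy dicts as they might be read from the Edge policy key.
WEAK_POLICY = {
    "InternetExplorerIntegrationLevel": 1,              # IE Mode on
    "InternetExplorerIntegrationReloadInIEModeAllowed": 1,  # any page can be reloaded in IE Mode
    "InternetExplorerIntegrationTestingAllowed": 1,
}
HARDENED_POLICY = {
    "InternetExplorerIntegrationLevel": 1,
    "InternetExplorerIntegrationSiteList": "https://policy.example.internal/sites.xml",
    "InternetExplorerIntegrationReloadInIEModeAllowed": 0,
    "InternetExplorerIntegrationTestingAllowed": 0,
}


def build_site_list(entries, version=1):
    """Return site list XML that routes each allowlisted entry to IE11 (IE Mode)."""
    root = ET.Element("site-list", version=str(version))
    for url, compat in entries:
        site = ET.SubElement(root, "site", url=url)
        ET.SubElement(site, "compat-mode").text = compat
        ET.SubElement(site, "open-in").text = "IE11"  # IE11 = render in IE Mode
    return ET.tostring(root, encoding="unicode")


def _normalize(target):
    """Split a URL or bare host/path into (lowercase host, path without trailing slash)."""
    if "://" not in target:
        target = "https://" + target
    parts = urlsplit(target)
    return parts.hostname or "", parts.path.rstrip("/") or "/"


def opens_in_ie_mode(url, site_list_xml):
    """Simplified check: does url match an entry whose open-in is IE11?

    An entry matches its exact host or any subdomain; an entry with a path
    only matches URLs at or under that path. Anything else stays in Edge.
    """
    host, path = _normalize(url)
    for site in ET.fromstring(site_list_xml).findall("site"):
        entry_host, entry_path = _normalize(site.get("url"))
        host_ok = host == entry_host or host.endswith("." + entry_host)
        path_ok = entry_path == "/" or path == entry_path or path.startswith(entry_path + "/")
        if host_ok and path_ok and site.findtext("open-in") == "IE11":
            return True
    return False


def audit_ie_mode_policy(policy):
    """Return findings for an Edge policy dict (registry value name -> value)."""
    if policy.get("InternetExplorerIntegrationLevel", 0) == 0:
        return ["IE Mode disabled by policy (InternetExplorerIntegrationLevel=0)"]
    findings = []
    if not policy.get("InternetExplorerIntegrationSiteList"):
        findings.append("IE Mode enabled without a site list: no explicit allowlist is enforced")
    if policy.get("InternetExplorerIntegrationReloadInIEModeAllowed", 1) != 0:
        findings.append("reload-in-IE-Mode not explicitly disabled: the 'reload this page in IE Mode' lure still works")
    if policy.get("InternetExplorerIntegrationTestingAllowed", 0) != 0:
        findings.append("IE Mode testing switch allowed: any site can be opened in IE Mode")
    return findings


if __name__ == "__main__":
    xml = build_site_list(LEGACY_ALLOWLIST)
    print(xml)
    for u in ("https://legacy-erp.example.internal/app", "https://spoofed-portal.example/login"):
        print(u, "-> IE Mode" if opens_in_ie_mode(u, xml) else "-> Edge")
    for name, pol in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY)):
        print(name, audit_ie_mode_policy(pol) or ["no findings"])
```

The audit treats an unset reload-in-IE-Mode policy as a finding on purpose: the lure described in this advisory depends on the user being able to reload an arbitrary page in IE Mode, so the safe posture is to set the value explicitly rather than rely on the product default.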

Security teams should monitor for suspicious prompts or requests to reload pages in IE Mode, as well as anomalous process activity involving msedge.exe and its child processes. Network logs should be reviewed for outbound connections to known malicious infrastructure following IE Mode sessions.
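The process and network indicators named above (msedge.exe launched into IE Mode, unexpected child processes, and outbound connections shortly afterwards) can be correlated with a small amount of logic. The following Python detector is an added example written for this advisory, not Rescana's code or a vendor rule. It runs over constructed Sysmon-style events embedded in the script; the child-process baseline, the five-minute window, the destination address and the IE Mode command-line marker are all assumptions for illustration and should be replaced with values observed in your own telemetry.

```python
"""Correlate IE Mode sessions with suspicious msedge.exe children and egress.

Added example, not Rescana's code. Events are constructed records with
Sysmon-like fields; thresholds and markers are assumptions.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumed baseline: images that msedge.exe should never spawn directly.
SUSPICIOUS_CHILDREN = {"cmd.exe", "powershell.exe", "rundll32.exe",
                       "regsvr32.exe", "mshta.exe", "wscript.exe"}
# Assumption: Edge's IE Mode testing switch as the launch marker; substitute
# whatever your telemetry records for an IE Mode session.
IE_MODE_MARKER = "--ie-mode-test"
WINDOW = timedelta(minutes=5)


@dataclass
class Event:
    ts: datetime
    kind: str          # "process" (creation) or "network" (outbound connect)
    image: str         # basename of the process image
    parent: str = ""   # basename of the parent image (process events)
    cmdline: str = ""
    dest: str = ""     # destination host:port (network events)


T0 = datetime(2025, 8, 20, 9, 0, 0)
# Constructed sample telemetry; 203.0.113.10 is a TEST-NET-3 placeholder.
SAMPLE_EVENTS = [
    Event(T0, "process", "msedge.exe", parent="explorer.exe",
          cmdline="msedge.exe --ie-mode-test https://spoofed-portal.example"),
    Event(T0 + timedelta(seconds=40), "process", "msedge.exe", parent="msedge.exe",
          cmdline="msedge.exe --type=renderer"),          # normal Edge child
    Event(T0 + timedelta(seconds=75), "process", "powershell.exe", parent="msedge.exe",
          cmdline="powershell.exe <arguments redacted>"),
    Event(T0 + timedelta(seconds=90), "network", "powershell.exe", dest="203.0.113.10:443"),
    Event(T0 + timedelta(minutes=30), "process", "cmd.exe", parent="msedge.exe",
          cmdline="cmd.exe /c ver"),                       # no IE Mode session nearby
    Event(T0 + timedelta(hours=2), "network", "msedge.exe", dest="update.example:443"),
]


def detect(events):
    """Return (severity, message) findings in chronological order."""
    findings = []
    ie_sessions = []       # timestamps of msedge.exe launches carrying the marker
    flagged_children = {}  # image -> ts of the suspicious spawn
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.kind == "process":
            if ev.image == "msedge.exe" and IE_MODE_MARKER in ev.cmdline:
                ie_sessions.append(ev.ts)
            elif ev.parent == "msedge.exe" and ev.image.lower() in SUSPICIOUS_CHILDREN:
                recent = any(timedelta(0) <= ev.ts - t <= WINDOW for t in ie_sessions)
                msg = f"msedge.exe spawned {ev.image}"
                if recent:
                    msg += " after IE Mode session"
                findings.append(("high" if recent else "medium", msg))
                flagged_children[ev.image] = ev.ts
        elif ev.kind == "network":
            started = flagged_children.get(ev.image)
            if started is not None and timedelta(0) <= ev.ts - started <= WINDOW:
                findings.append(("high", f"{ev.image} (child of msedge.exe) connected to {ev.dest}"))
    return findings


if __name__ == "__main__":
    for severity, message in detect(SAMPLE_EVENTS):
        print(f"[{severity}] {message}")
```

The severity split is the point of the example: an unexpected child of msedge.exe is worth a look on its own, but the same spawn inside a few minutes of an IE Mode launch, followed by egress from that child, matches the chain this advisory describes and should page someone.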

Organizations are strongly urged to accelerate the migration away from legacy IE-dependent applications to modern, secure web platforms. Where migration is not immediately possible, additional endpoint monitoring and network segmentation should be implemented to contain potential compromise.

Finally, user awareness training should be updated to include the risks associated with legacy browser features and the specific social engineering tactics observed in this campaign.

References

BleepingComputer: Microsoft restricts IE mode access in Edge after zero-day attacks https://www.bleepingcomputer.com/news/security/microsoft-restricts-ie-mode-access-in-edge-after-zero-day-attacks/

Security Affairs: Microsoft revamps Internet Explorer Mode in Edge after August attacks https://securityaffairs.com/183333/security/microsoft-revamps-internet-explorer-mode-in-edge-after-august-attacks.html

PCMag: Microsoft Tightens IE Mode After Hackers Exploit Internet Explorer Bugs https://www.pcmag.com/news/microsoft-tightens-ie-mode-after-hackers-exploit-internet-explorer-bugs

The Hacker News (X/Twitter) https://x.com/TheHackersNews/status/1977674573350092947

Microsoft Edge Security Team Advisory (quoted in media) https://www.linkedin.com/posts/the-cyber-security-hub_microsoft-locks-down-ie-mode-after-hackers-activity-7383468634829955073-N2uX

eSecurity Planet: Legacy IE Mode in Edge Opens Door to Hackers https://www.esecurityplanet.com/threats/legacy-ie-mode-in-edge-opens-door-to-hackers/

About Rescana

Rescana is a leader in third-party risk management (TPRM), providing organizations with a comprehensive platform to assess, monitor, and mitigate cyber risks across their entire digital supply chain. Our advanced threat intelligence and automation capabilities empower security teams to proactively identify vulnerabilities, streamline vendor assessments, and ensure compliance with evolving regulatory requirements. For more information about how Rescana can help your organization strengthen its cyber resilience, please contact us at ops@rescana.com. We are happy to answer any questions.
