Malicious Edge Extension "Edgecution" Exploits Teams Phishing to Deploy Backdoor
Security researchers at Zscaler have identified a sophisticated cyberattack campaign dubbed "Edgecution", leveraging a malicious Microsoft Edge extension to establish a backdoor on targeted systems. The attack begins with Microsoft Teams phishing, where threat actors impersonate IT support, urging victims to install a fake "Outlook update" or "spam filter" via a fraudulent "Outlook Updates Management Console" website.
Victims are tricked into downloading a ZIP archive containing a Python-based backdoor and an embedded Python runtime. Once the downloaded payload is run, it creates a scheduled task that launches Edge in headless mode (invisible to the user) and installs the malicious extension, officially named "Edge Monitoring Agent" but referred to by Zscaler as "Edgecution."
The extension bypasses Edge's sandbox by generating a Native Messaging host manifest, the mechanism Chromium-based browsers use to let an extension talk to a locally installed program, thereby enabling direct communication between the browser and the Python backdoor. This allows attackers to execute shell commands, PowerShell scripts, and arbitrary Python code, write files, enumerate processes, and exfiltrate system data.
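Because the abuse described above rides on a legitimate feature, a practical defensive check is to audit every registered native messaging host manifest and flag the ones that do not look like a vendor-installed host. The following script is an added example written for this page; it is not Zscaler's tooling and not part of the campaign's IoCs. It assumes a hypothetical allowlist of approved extension IDs, a trusted-root policy (hosts are expected under Program Files), and two constructed sample manifests; the manifest field names (name, description, path, type, allowed_origins) are the real ones Chromium-based browsers use.

```python
"""Audit Chromium/Edge native messaging host manifests for signs of abuse.

Added example for this page (not the campaign's code or Zscaler's tooling).
The allowlist, trusted roots and sample manifests below are constructed.
"""
import json
import re
from pathlib import PureWindowsPath

# Hypothetical allowlist: extension IDs the organisation has vetted (placeholder value).
APPROVED_EXTENSION_IDS = {"abcdefghijklmnopabcdefghijklmnop"}

# Native hosts shipped by software vendors normally live under these roots (policy assumption).
TRUSTED_ROOTS = [PureWindowsPath(r"C:\Program Files"),
                 PureWindowsPath(r"C:\Program Files (x86)")]

REQUIRED_KEYS = {"name", "description", "path", "type", "allowed_origins"}
SCRIPT_SUFFIXES = {".py", ".pyw", ".bat", ".cmd", ".vbs", ".js", ".ps1"}
# Extension origins look like chrome-extension://<32 letters a-p>/
ORIGIN_RE = re.compile(r"^chrome-extension://([a-p]{32})/$")


def under_trusted_root(path: PureWindowsPath) -> bool:
    """True if the host binary sits below one of the trusted roots (case-insensitive)."""
    parts = tuple(s.lower() for s in path.parts)
    for root in TRUSTED_ROOTS:
        root_parts = tuple(s.lower() for s in root.parts)
        if parts[:len(root_parts)] == root_parts:
            return True
    return False


def audit_manifest(manifest_text: str) -> list:
    """Return a list of findings for one manifest; an empty list means nothing stood out."""
    findings = []
    try:
        m = json.loads(manifest_text)
    except json.JSONDecodeError as exc:
        return [f"manifest is not valid JSON: {exc}"]
    if not isinstance(m, dict):
        return ["manifest is not a JSON object"]

    missing = REQUIRED_KEYS - set(m)
    if missing:
        findings.append(f"missing required keys: {sorted(missing)}")

    # Chromium only supports stdio hosts; anything else is malformed.
    if m.get("type") != "stdio":
        findings.append(f"unexpected host type {m.get('type')!r}")

    path = PureWindowsPath(str(m.get("path", "")))
    if not path.is_absolute():
        # On Windows a relative path is resolved against the manifest's directory; check by hand.
        findings.append(f"host path is relative, verify manually: {path}")
    elif not under_trusted_root(path):
        findings.append(f"host binary outside trusted program directories: {path}")
    if path.suffix.lower() in SCRIPT_SUFFIXES or "python" in path.name.lower():
        findings.append(f"host is a script or interpreter rather than a vendor binary: {path.name}")

    origins = m.get("allowed_origins", [])
    if not isinstance(origins, list):
        findings.append("allowed_origins is not a list")
        origins = []
    for origin in origins:
        match = ORIGIN_RE.match(str(origin))
        if not match:
            findings.append(f"malformed allowed_origin: {origin!r}")
        elif match.group(1) not in APPROVED_EXTENSION_IDS:
            findings.append(f"extension {match.group(1)} not on the approved list")
    return findings


# Constructed sample: what a vendor-installed host typically looks like.
BENIGN_MANIFEST = json.dumps({
    "name": "com.example.vendorhost",
    "description": "Example vendor helper",
    "path": r"C:\Program Files\ExampleVendor\host.exe",
    "type": "stdio",
    "allowed_origins": ["chrome-extension://abcdefghijklmnopabcdefghijklmnop/"],
})

# Constructed sample: an interpreter dropped in a user-writable directory, wired to an unvetted extension.
SUSPICIOUS_MANIFEST = json.dumps({
    "name": "com.example.monitoringagent",
    "description": "Monitoring agent",
    "path": r"C:\Users\alice\AppData\Local\Temp\agent\python.exe",
    "type": "stdio",
    "allowed_origins": ["chrome-extension://pjmgaccncnjnndnpgnnbmbiocnfmlehd/"],
})

if __name__ == "__main__":
    for label, text in (("benign", BENIGN_MANIFEST), ("suspicious", SUSPICIOUS_MANIFEST)):
        print(label, audit_manifest(text) or "no findings")
```

In a real sweep the manifest paths come from the registry keys Edge consults on Windows (Software\Microsoft\Edge\NativeMessagingHosts under HKCU and HKLM), and the findings feed a ticket rather than an automatic block: a relative path or an unlisted extension is a reason to look, not proof of compromise.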
Zscaler attributes the campaign to Initial Access Brokers (IABs) with suspected ties to the ransomware group Payout Kings, highlighting the growing sophistication of access-for-sale operations. The attack demonstrates an innovative evasion technique, combining browser extensions with native host execution to avoid traditional endpoint detection.
Indicators of Compromise (IoCs) for the campaign have been published by Zscaler. The incident was first reported by BleepingComputer.
Microsoft TPRM report: https://www.rankiteo.com/company/microsoft-security
"id": "mic1782404840",
"linkid": "microsoft-security",
"type": "Cyber Attack",
"date": "6/2026",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"
{'affected_entities': [{'type': 'Organizations using Microsoft Teams and '
'Edge'}],
'attack_vector': 'Microsoft Teams Phishing, Malicious Edge Extension',
'data_breach': {'data_exfiltration': 'Yes',
'sensitivity_of_data': 'Potentially sensitive system and '
'operational data',
'type_of_data_compromised': 'System data, Process '
'enumeration'},
'description': 'Security researchers at Zscaler identified a sophisticated '
"cyberattack campaign dubbed 'Edgecution,' leveraging a "
'malicious Microsoft Edge extension to establish a backdoor on '
'targeted systems. The attack begins with Microsoft Teams '
'phishing, where threat actors impersonate IT support, urging '
"victims to install a fake 'Outlook update' or 'spam filter' "
"via a fraudulent 'Outlook Updates Management Console' "
'website. Victims are tricked into downloading a ZIP archive '
'containing a Python-based backdoor and an embedded Python '
'runtime. Upon execution, the archive creates a scheduled task '
'that launches Edge in headless mode and installs the '
"malicious extension, 'Edge Monitoring Agent' (referred to as "
"'Edgecution'). The extension bypasses Edge’s sandbox by "
'generating a Native Messaging manifest, enabling direct '
'communication between the browser and the Python backdoor, '
'allowing attackers to execute shell commands, PowerShell '
'scripts, arbitrary Python code, write files, enumerate '
'processes, and exfiltrate system data.',
'impact': {'data_compromised': 'System data exfiltration',
'operational_impact': 'Unauthorized remote access, potential data '
'exfiltration',
'systems_affected': 'Systems with Microsoft Edge and Python '
'runtime'},
'initial_access_broker': {'backdoors_established': 'Python-based backdoor, '
'Scheduled task, Native '
'Messaging manifest',
'entry_point': 'Microsoft Teams Phishing, Malicious '
'Edge Extension'},
'motivation': 'Initial Access for Sale, Potential Ransomware Deployment',
'post_incident_analysis': {'root_causes': 'Social engineering, Lack of user '
'awareness, Exploitation of browser '
'extension mechanisms'},
'references': [{'source': 'Zscaler'}, {'source': 'BleepingComputer'}],
'response': {'third_party_assistance': 'Zscaler'},
'threat_actor': 'Initial Access Brokers (IABs) with suspected ties to Payout '
'Kings ransomware group',
'title': "Malicious Edge Extension 'Edgecution' Exploits Teams Phishing to "
'Deploy Backdoor',
'type': 'Phishing, Backdoor Deployment, Malicious Browser Extension',
'vulnerability_exploited': 'Social Engineering, Native Messaging Manifest '
'Bypass'}