HomeIntelligenceBrief
BREACH BRIEF🟠 High ThreatIntel

Malicious Edge Extension ‘Edgecution’ Uses Native Messaging to Bypass Browser Sandbox and Deploy Ransomware

A malicious Edge extension called Edgecution was delivered via a Teams‑based phishing campaign, leveraging Chrome’s Native Messaging to launch a Python backdoor and enable ransomware execution. The technique underscores gaps in access‑control policies and the importance of SOC 2‑aligned monitoring and awareness training.

LiveThreat™ Intelligence · 📅 June 25, 2026· 📰 bleepingcomputer.com
🟠
Severity
High
TI
Type
ThreatIntel
🎯
Confidence
High
🏢
Affected
4 sector(s)
Actions
4 recommended
📰
Source
bleepingcomputer.com

Malicious Edge Extension ‘Edgecution’ Uses Native Messaging to Bypass Browser Sandbox and Deploy Ransomware

What Happened — A malicious Microsoft Edge extension named Edgecution was observed being delivered through a phishing campaign on Microsoft Teams. The extension abuses Chrome’s Native Messaging protocol to launch a local Python‑based backdoor, allowing the ransomware operator to escape the browser sandbox and execute malicious code on the host system.

Why It Matters for Compliance & Audit Readiness

  • Demonstrates a failure of access‑control policies that should restrict native‑messaging interactions to vetted applications only – a core SOC 2 CC6.1 control.
  • Highlights the need for continuous monitoring of privileged browser extensions and evidence collection to prove that only approved software can communicate with the OS.
  • Shows how security‑awareness training (SOC 2 CC6.2) can mitigate social‑engineering vectors that trick users into installing rogue extensions.

Who Is Affected — Enterprises that rely on Microsoft Edge for web access, especially in technology/SaaS, financial services, healthcare, and government sectors where browser‑based workflows are common.

Recommended Actions

  • Inventory all installed browser extensions and enforce a whitelist; disable native‑messaging for any non‑approved extension.
  • Apply SOC 2‑aligned access‑control monitoring (e.g., log native‑messaging calls, schedule audits, retain evidence).
  • Reinforce phishing‑resistance training that covers “fake update” scenarios on collaboration platforms.
  • Validate that MFA is enforced for privileged accounts that could be leveraged after initial compromise.

Source: BleepingComputer

Technical Notes

  • Attack vector: Phishing via Microsoft Teams → fake “Outlook Updates Management Console” → malicious Edge extension → native‑messaging bridge → Python backdoor → ransomware deployment.
  • Tools used: AutoHotKey, Windows batch, PowerShell scripts; malformed ZIP archive containing Python 3.13.3, extension and native directories.
  • Data at risk: System credentials, potentially corporate files encrypted by ransomware.
📰 Original Source
https://www.bleepingcomputer.com/news/security/malicious-edge-extension-abuses-native-messaging-as-bridge-to-malware/

This LiveThreat Intelligence Brief is an independent analysis. Read the original reporting at the link above.

From the Verisq platform · SOC 2 Readiness

Access is where most audits get tested.

Verisq AI Trust Operations maps incidents like this to your access controls and collects the evidence continuously, keeping your SOC 2 posture defensible.

See where you'd stand with Verisq AI Trust Operations →