Malicious Edge Extension ‘Edgecution’ Uses Native Messaging to Bypass Browser Sandbox and Deploy Ransomware
What Happened — A malicious Microsoft Edge extension named Edgecution was observed being delivered through a phishing campaign on Microsoft Teams. The extension abuses Chrome’s Native Messaging protocol to launch a local Python‑based backdoor, allowing the ransomware operator to escape the browser sandbox and execute malicious code on the host system.
Why It Matters for Compliance & Audit Readiness
- Demonstrates a failure of access‑control policies that should restrict native‑messaging interactions to vetted applications only – a core SOC 2 CC6.1 control.
- Highlights the need for continuous monitoring of privileged browser extensions and evidence collection to prove that only approved software can communicate with the OS.
- Shows how security‑awareness training (SOC 2 CC6.2) can mitigate social‑engineering vectors that trick users into installing rogue extensions.
Who Is Affected — Enterprises that rely on Microsoft Edge for web access, especially in technology/SaaS, financial services, healthcare, and government sectors where browser‑based workflows are common.
Recommended Actions
- Inventory all installed browser extensions and enforce a whitelist; disable native‑messaging for any non‑approved extension.
- Apply SOC 2‑aligned access‑control monitoring (e.g., log native‑messaging calls, schedule audits, retain evidence).
- Reinforce phishing‑resistance training that covers “fake update” scenarios on collaboration platforms.
- Validate that MFA is enforced for privileged accounts that could be leveraged after initial compromise.
Source: BleepingComputer
Technical Notes
- Attack vector: Phishing via Microsoft Teams → fake “Outlook Updates Management Console” → malicious Edge extension → native‑messaging bridge → Python backdoor → ransomware deployment.
- Tools used: AutoHotKey, Windows batch, PowerShell scripts; malformed ZIP archive containing Python 3.13.3, extension and native directories.
- Data at risk: System credentials, potentially corporate files encrypted by ransomware.