
Microsoft Locks Down IE Mode After Hackers Turned Legacy Feature Into Backdoor

Medium
Published: Mon Oct 13 2025 (10/13/2025, 09:54:00 UTC)
Source: The Hacker News

Description

Microsoft said it has revamped the Internet Explorer (IE) mode in its Edge browser after receiving "credible reports" in August 2025 that unknown threat actors were abusing the backward compatibility feature to gain unauthorized access to users' devices. "Threat actors were leveraging basic social engineering techniques alongside unpatched (0-day) exploits in Internet Explorer's JavaScript

AI-Powered Analysis

Last updated: 10/14/2025, 01:00:11 UTC

Technical Analysis

In August 2025, Microsoft received credible intelligence that unknown threat actors were exploiting Internet Explorer (IE) mode within the Microsoft Edge browser to gain unauthorized access to user devices. IE mode is a backward compatibility feature allowing legacy web applications designed for IE to run within Edge. Attackers employed basic social engineering techniques to convince users to reload legitimate-looking websites in IE mode. Once reloaded, the attackers exploited unpatched zero-day vulnerabilities in IE's Chakra JavaScript engine to execute remote code within the browser context. Subsequently, a second exploit was used to escalate privileges beyond the browser sandbox, granting attackers full control over the victim's device. This attack chain effectively bypassed modern security features inherent to Chromium-based Edge by reverting to the less secure legacy IE engine. Post-compromise, adversaries could deploy malware, move laterally within networks, and exfiltrate sensitive data. Microsoft has responded by removing the IE mode toolbar button, context menu, and hamburger menu options, requiring users to explicitly enable IE mode per site via browser settings. This change aims to reduce inadvertent or malicious use of IE mode, balancing legacy support with security. Microsoft has not disclosed specific vulnerability details or the threat actor's identity, but the active exploitation risk prompted immediate mitigation steps. The threat highlights the risks of legacy compatibility features in modern browsers and the importance of minimizing their use.

Potential Impact

For European organizations, this threat poses a significant risk particularly to those relying on legacy web applications that require IE mode for compatibility. Successful exploitation can lead to full device compromise, enabling attackers to deploy malware, conduct lateral movement within corporate networks, and exfiltrate sensitive data, thereby impacting confidentiality, integrity, and availability. Sectors such as government, finance, manufacturing, and critical infrastructure that often maintain legacy systems are especially vulnerable. The social engineering component increases the likelihood of successful attacks, as users may be tricked into enabling IE mode on malicious sites. The ability to bypass modern browser security controls undermines endpoint defenses and complicates detection and response efforts. This could result in operational disruption, data breaches, regulatory non-compliance (e.g., GDPR), and reputational damage. The threat also stresses the need for organizations to reassess their reliance on legacy technologies and accelerate modernization efforts.

Mitigation Recommendations

1. Disable IE mode in Microsoft Edge by default and only enable it for specific, trusted legacy sites after thorough validation.
2. Implement strict policies controlling the use of IE mode, including whitelisting approved sites and monitoring IE mode usage via endpoint management tools.
3. Ensure all Windows and Microsoft Edge updates are applied promptly to incorporate any security patches related to IE mode and Chakra engine vulnerabilities.
4. Conduct user awareness training focused on recognizing social engineering tactics that attempt to manipulate users into enabling IE mode or visiting malicious sites.
5. Employ network-level protections such as web filtering and DNS security to block access to known malicious domains and phishing sites.
6. Utilize endpoint detection and response (EDR) solutions capable of detecting anomalous behavior associated with browser exploitation and privilege escalation.
7. Plan and accelerate migration away from legacy web applications requiring IE mode to modern, secure web technologies.
8. Regularly audit and review browser configurations and legacy feature usage to minimize attack surface.
9. Implement multi-factor authentication and least privilege principles to limit the impact of potential compromises.
10. Establish incident response procedures specific to browser-based exploits and privilege escalation scenarios.
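
An added example (not from the original article or from Microsoft) of the audit in recommendations 2 and 8: it checks an Enterprise Mode site list and Edge policy values against an approved set of IE mode hosts. It assumes the v2 site list schema and the Edge policy names `InternetExplorerIntegrationLevel` and `InternetExplorerIntegrationReloadInIEModeAllowed`; the hostnames, sample policy values and approved list are constructed.

```python
import xml.etree.ElementTree as ET

# Constructed sample of an Enterprise Mode site list (v2 schema); hostnames are placeholders.
SAMPLE_SITE_LIST = """<site-list version="7">
  <site url="hr-legacy.corp.example/portal">
    <compat-mode>IE11</compat-mode><open-in>IE11</open-in>
  </site>
  <site url="intranet.corp.example">
    <compat-mode>Default</compat-mode><open-in>MSEdge</open-in>
  </site>
  <site url="files.partner.example">
    <compat-mode>IE8Enterprise</compat-mode><open-in allow-redirect="true">IE11</open-in>
  </site>
</site-list>"""

# Constructed sample of values read from HKLM\SOFTWARE\Policies\Microsoft\Edge.
SAMPLE_POLICY = {"InternetExplorerIntegrationLevel": 1,
                 "InternetExplorerIntegrationReloadInIEModeAllowed": 1}

APPROVED_IE_HOSTS = {"hr-legacy.corp.example"}  # assumption: output of your validation process


def audit_site_list(xml_text, approved_hosts):
    """Return (url, reason) findings for entries that render with the IE engine."""
    findings = []
    for site in ET.fromstring(xml_text).iter("site"):
        url = site.get("url", "")
        open_in = site.find("open-in")
        if open_in is None or (open_in.text or "").strip() != "IE11":
            continue  # entry stays on the Chromium engine
        host = url.split("/", 1)[0].split(":", 1)[0].lower()
        if host not in approved_hosts:
            findings.append((url, "IE mode host not on approved list"))
        if (open_in.get("allow-redirect") or "").lower() == "true":
            findings.append((url, "allow-redirect: entry also applies when reached via redirect"))
    return findings


def audit_policy(policy):
    """Flag Edge policy values that widen access to the IE engine."""
    findings = []
    if policy.get("InternetExplorerIntegrationReloadInIEModeAllowed") == 1:
        findings.append("users may reload unlisted sites in IE mode")
    if policy.get("InternetExplorerIntegrationLevel") == 2:
        findings.append("integration level 2 (NeedIE) sends listed sites to standalone IE11")
    return findings
```
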


Technical Details

Article Source
{"url":"https://thehackernews.com/2025/10/microsoft-locks-down-ie-mode-after.html","fetched":true,"fetchedAt":"2025-10-14T00:59:11.875Z","wordCount":995}

Threat ID: 68eda062e121319cf76c3506

Added to database: 10/14/2025, 12:59:14 AM

Last enriched: 10/14/2025, 1:00:11 AM

Last updated: 10/16/2025, 1:20:49 PM
