Cloud Security, Identity, Endpoint/Device Security

Bad actors abuse IE mode in Edge browser to hack into devices

Closeup of mobile phone screen with logo lettering of microsoft internet explorer browser on computer keyboard

(Adobe Stock)

Threat actors were recently observed abusing Internet Explorer (IE) mode within the Edge browser to gain access to unsuspecting users’ devices. 

In a blog post Oct. 8, Microsoft researchers said that the Edge security team found that threat actors leveraged basic social-engineering techniques alongside unpatched (zero-day) exploits in Internet Explorer’s JavaScript engine (Chakra) to gain access to victim devices in August.

According to the researchers, the attacker would first convince the victim to navigate to an official-looking spoofed website, then use a flyout on the page to ask the user to reload the page in IE mode. The attackers would then leverage a Chakra exploit to gain remote code execution. Finally, the attackers used a second exploit to elevate their privileges out of the browser to gain full control of the victim’s device.

John Carberry, solution sleuth at Xcape, Inc., said Microsoft's decision to restrict IE mode in Edge was a response to threat actors leveraging the feature as a covert entry point into corporate networks. Initially intended to help companies run older web applications, IE mode became a prime target.

“Attackers exploited its outdated rendering engines and compatibility settings to circumvent modern security measures,” said Carberry. “Microsoft reported credible incidents in August 2025 where unknown attackers used this method to gain unauthorized system access, prompting a major security update.”

David Matalon, chief executive officer at Venn, added that backward compatibility features like IE mode can unintentionally expand an organization’s attack surface. Even in modern browsers, Matalon said these legacy modes bypass security protections, putting all users – remote and on-site – at risk.

“Shrinking the attack surface means disabling or tightly controlling IE mode, educating employees about social engineering, and ensuring endpoint protections are actively monitoring for suspicious activity,” said Matalon. “The reality is that in today’s distributed, BYOD-heavy workforces, data often lives outside traditional perimeters. A layered approach – combining timely patching, endpoint controls, data isolation, and least-privilege access – is critical to limiting the blast radius when vulnerabilities inevitably emerge.”

An In-Depth Guide to Cloud Security

Get essential knowledge and practical strategies to fortify your cloud security.

Related

Related Events

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms of Use and Privacy Policy.

Related Terms

Antivirus SoftwareBasic AuthenticationBiometricsChallenge-Handshake Authentication Protocol (CHAP)Cloud ComputingDigest AuthenticationDigital CertificateDiscretionary Access Control (DAC)Ephemeral PortGreynet

You can skip this ad in 5 seconds