A sophisticated attack campaign involving a malicious Microsoft Edge extension, dubbed 'Edgecution', highlights the critical risks associated with browser extensibility. In a recent encryption-based cyber incident, threat actors leveraged this extension to escape the browser's security sandbox, establishing a bridge to the underlying operating system. By abusing the Native Messaging framework, the attackers successfully deployed a Python-based unauthorized access mechanism, effectively turning the user's browser into a command-and-control gateway. For defenders, this signals an urgent need to move beyond traditional web-filtering and scrutinize browser-to-host interactions.
**Technical Analysis**
**Affected Products & Platforms**
- Product: Microsoft Edge (Chromium-based)
- Platform: Windows (primarily, given the Native Messaging and Python context)
- Component: Native Messaging Host API
**The Attack Vector: Native Messaging Abuse**
Microsoft Edge, like other Chromium-based browsers, supports the Native Messaging API. This feature allows extensions to exchange messages with registered native applications on the host OS. While legitimate for password managers or accessibility tools, it provides a viable avenue for sandbox escape if an extension is compromised or maliciously installed.
In the 'Edgecution' incident, the attack chain proceeded as follows:
- Initial Access: The malicious Edge extension is installed (potentially via social engineering or a compromised update).
- Bridge Establishment: The extension's manifest file declares permission to use the Native Messaging API.
- Sandbox Escape: The extension triggers a message to a specific "Native Messaging Host" registered in the Windows Registry. This host points to a malicious payload.
- Execution: The host application executes a Python script outside the browser sandbox, providing the attacker with full system capabilities, including file access, process creation, and network lateral movement.
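The pivot in steps 2 to 4 is the Native Messaging Host manifest: a small JSON file, registered under the `NativeMessagingHosts` registry key, whose `path` field names the executable Edge launches outside the sandbox. The following audit routine is an added example written for this page (it is not Security Arsenal's code and was not part of the incident tooling). It parses such a manifest and flags the properties a defender cares about: a `path` that is a script interpreter, a host binary sitting in a user-writable directory, a relative path, a name that does not match its registry key, or a malformed `allowed_origins` entry. The two sample manifests at the bottom are constructed for illustration; the host names and paths in them are invented.

```python
import json
import re
from pathlib import PureWindowsPath
from typing import List, Optional

# Executables that turn a "native host" into an arbitrary script runner.
INTERPRETERS = {
    "python.exe", "pythonw.exe", "cmd.exe", "powershell.exe", "pwsh.exe",
    "wscript.exe", "cscript.exe", "mshta.exe", "rundll32.exe",
}
# Directory markers a standard user can write to (matched case-insensitively).
USER_WRITABLE_MARKERS = ("\\users\\", "\\temp\\", "\\appdata\\")
# Chromium requires allowed_origins entries of the form chrome-extension://<32 chars a-p>/
ORIGIN_RE = re.compile(r"^chrome-extension://[a-p]{32}/$")
# Host names: lowercase alphanumerics, underscores and dots; no leading, trailing or doubled dots.
NAME_RE = re.compile(r"^[a-z0-9_]+(\.[a-z0-9_]+)*$")


def audit_manifest(manifest: dict, registry_key_name: Optional[str] = None) -> List[str]:
    """Return findings for one Native Messaging Host manifest (empty list = nothing odd)."""
    findings: List[str] = []
    name = manifest.get("name", "")
    path = manifest.get("path", "")
    host_type = manifest.get("type")
    origins = manifest.get("allowed_origins", [])

    if not NAME_RE.match(name):
        findings.append(f"invalid host name {name!r}")
    # Edge looks the manifest up by registry key name; the manifest must carry the same name.
    if registry_key_name is not None and name != registry_key_name:
        findings.append(f"manifest name {name!r} does not match registry key {registry_key_name!r}")
    if host_type != "stdio":
        findings.append(f"unexpected type {host_type!r} (only 'stdio' is valid)")

    if not path:
        findings.append("manifest has no 'path'")
    else:
        exe = PureWindowsPath(path)
        if not exe.is_absolute():
            # On Windows the path may be relative to the manifest's directory; resolve before trusting it.
            findings.append(f"relative host path {path!r}; resolve against the manifest directory")
        if exe.name.lower() in INTERPRETERS:
            findings.append(f"host executable is a script interpreter ({exe.name.lower()})")
        if any(marker in path.lower() for marker in USER_WRITABLE_MARKERS):
            findings.append("host executable lives under a user-writable directory")

    if not origins:
        findings.append("no allowed_origins: no extension can reach this host")
    for origin in origins:
        if not ORIGIN_RE.match(origin):
            findings.append(f"malformed allowed_origins entry {origin!r}")
    return findings


def audit_manifest_text(text: str, registry_key_name: Optional[str] = None) -> List[str]:
    """Parse manifest JSON read from disk and audit it; a parse failure is itself a finding."""
    try:
        manifest = json.loads(text)
    except json.JSONDecodeError as exc:
        return [f"manifest is not valid JSON: {exc.msg}"]
    if not isinstance(manifest, dict):
        return ["manifest is not a JSON object"]
    return audit_manifest(manifest, registry_key_name)


# Constructed sample manifests (invented names and paths, not from the incident).
BENIGN_MANIFEST = {
    "name": "com.example.vault",
    "description": "Password manager bridge",
    "path": "C:\\Program Files\\ExampleVault\\nmhost.exe",
    "type": "stdio",
    "allowed_origins": ["chrome-extension://abcdefghijklmnopabcdefghijklmnop/"],
}
SUSPICIOUS_MANIFEST = {
    "name": "com.example.updater",
    "description": "Updater",
    "path": "C:\\Users\\bob\\AppData\\Local\\Temp\\upd\\pythonw.exe",
    "type": "stdio",
    "allowed_origins": ["chrome-extension://abcdefghijklmnopabcdefghijklmnop/"],
}

if __name__ == "__main__":
    for label, manifest in (("benign", BENIGN_MANIFEST), ("suspicious", SUSPICIOUS_MANIFEST)):
        print(label, audit_manifest(manifest, registry_key_name=manifest["name"]) or ["clean"])
```

Feed it the manifest files that the registry keys under `HKCU\Software\Microsoft\Edge\NativeMessagingHosts` and `HKLM\Software\Microsoft\Edge\NativeMessagingHosts` point to, passing the key name as `registry_key_name`. An interpreter in `path` is the single strongest signal: a legitimate host is a purpose-built binary, while a manifest that launches `pythonw.exe` hands the extension a general-purpose script runner outside the sandbox.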
**Exploitation Status**
Active exploitation has been confirmed in a live encryption-based incident. This is not theoretical; the capability is being used in the wild to deploy persistent access mechanisms.
**Detection & Response**
Given the stealthy nature of this attack—relying on legitimate browser features to spawn arbitrary processes—detection requires correlating process lineage and registry modifications.
**Sigma Rules**

```yaml
title: Edgecution - Edge Browser Spawning Python Process
id: 8a1b2c3d-4e5f-6a7b-8c9d-0e1f2a3b4c5d
status: experimental
description: Detects Microsoft Edge spawning a Python process, indicative of potential Native Messaging abuse or script-based execution from the browser.
references:
  - https://attack.mitre.org/techniques/T1059/
author: Security Arsenal
date: 2026/04/06
tags:
  - attack.execution
  - attack.t1059.006
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    ParentImage|endswith: '\msedge.exe'
    Image|endswith:
      - '\python.exe'
      - '\pythonw.exe'
  condition: selection
falsepositives:
  - Legitimate developers using browser-based IDE tools
  - Administrative scripts triggered via internal portals
level: high
```

```yaml
title: Edgecution - Native Messaging Host Registry Modification
id: 9b2c3d4e-5f6a-7b8c-9d0e-1f2a3b4c5d6e
status: experimental
description: Detects the creation or modification of Native Messaging Host registry keys for Microsoft Edge, often used to establish persistence or escape the sandbox.
references:
  - https://attack.mitre.org/techniques/T1547/
author: Security Arsenal
date: 2026/04/06
tags:
  - attack.persistence
  - attack.t1547.015
logsource:
  # registry_event covers key creation and value writes; 'registry_create' is not a Sigma category
  category: registry_event
  product: windows
detection:
  selection:
    TargetObject|contains:
      - '\Software\Microsoft\Edge\NativeMessagingHosts\'
      - '\Software\Policies\Microsoft\Edge\NativeMessagingBlocklist\'
      - '\Software\Policies\Microsoft\Edge\NativeMessagingAllowlist\'
      # legacy name of the allowlist policy, still seen on older deployments
      - '\Software\Policies\Microsoft\Edge\NativeMessagingWhitelist\'
  condition: selection
falsepositives:
  - Legitimate software installation (e.g., LastPass, 1Password)
level: medium
```
**KQL (Microsoft Sentinel / Defender)**

```kql
// Hunt for Edge spawning suspicious child processes (Python, CMD, PowerShell)
DeviceProcessEvents
| where Timestamp > ago(7d)
| where InitiatingProcessFileName =~ "msedge.exe"   // =~ is case-insensitive; == is not
| where FileName in~ ("python.exe", "pythonw.exe", "cmd.exe", "powershell.exe", "pwsh.exe")
| extend RiskScore = iff(FileName in~ ("python.exe", "pythonw.exe"), "High", "Medium")
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine, InitiatingProcessCommandLine, InitiatingProcessFolderPath, SHA256, RiskScore
| order by Timestamp desc
```
**Velociraptor VQL**

```sql
-- Hunt for Edge process lineage indicating Native Messaging abuse.
-- pslist() exposes Ppid but no Parent object, so the parent is resolved
-- with a second pslist(pid=...) lookup for each candidate interpreter process.
SELECT * FROM foreach(
  row={
    SELECT Pid AS ChildPid, Name AS ChildName, Exe AS ChildExe,
           CommandLine AS ChildCommandLine, Username AS ChildUser, Ppid
    FROM pslist()
    WHERE Name =~ "python"
  },
  query={
    SELECT ChildPid, ChildName, ChildExe, ChildCommandLine, ChildUser,
           Ppid AS ParentPid, Name AS ParentName, Exe AS ParentExe
    FROM pslist(pid=Ppid)
    WHERE Name =~ "msedge"
  })
```
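All three hunts above key on the direct parent: `msedge.exe` spawning `python.exe`. That matches a manifest whose `path` is the interpreter itself, but if the registered host is a small wrapper binary that in turn launches Python, the chain is `msedge.exe > host.exe > pythonw.exe` and the direct-parent rule misses it. The following added example (written for this page, not part of the Sigma/KQL/VQL content above) generalises the same check to an ancestry walk of configurable depth over process-creation records and applies the KQL's High/Medium scoring. The `ProcessEvent` shape and the sample events are constructed for the example; real telemetry should key on a process GUID rather than a bare PID, since PIDs are reused.

```python
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class ProcessEvent:
    """One process-creation record (simplified Sysmon EID 1 / DeviceProcessEvents shape)."""
    pid: int
    ppid: int
    image: str
    command_line: str


BROWSER_IMAGES = {"msedge.exe"}
SUSPECT_CHILDREN = {
    "python.exe", "pythonw.exe", "cmd.exe", "powershell.exe", "pwsh.exe",
    "wscript.exe", "cscript.exe", "mshta.exe",
}
HIGH_SEVERITY = {"python.exe", "pythonw.exe"}


def image_name(image: str) -> str:
    """Case-insensitive basename of a Windows (or POSIX) image path."""
    return image.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def find_browser_descendants(events: List[ProcessEvent], max_depth: int = 3) -> List[dict]:
    """Flag suspect processes that have msedge.exe within max_depth ancestors.

    max_depth=1 reproduces the Sigma/KQL direct-parent check; larger values also
    catch msedge.exe -> native-host.exe -> pythonw.exe, where the interpreter is
    launched by the registered host rather than by the browser itself.
    """
    # Constructed data uses unique PIDs; production code should key on a process GUID.
    by_pid: Dict[int, ProcessEvent] = {e.pid: e for e in events}
    hits: List[dict] = []
    for event in events:
        child = image_name(event.image)
        if child not in SUSPECT_CHILDREN:
            continue
        chain = [child]
        current = event
        for depth in range(1, max_depth + 1):
            parent = by_pid.get(current.ppid)
            if parent is None:
                break  # parent not present in this batch of telemetry
            parent_name = image_name(parent.image)
            chain.append(parent_name)
            if parent_name in BROWSER_IMAGES:
                hits.append({
                    "pid": event.pid,
                    "depth": depth,
                    "chain": " > ".join(reversed(chain)),
                    "severity": "High" if child in HIGH_SEVERITY else "Medium",
                    "command_line": event.command_line,
                })
                break
            current = parent
    return hits


# Constructed sample telemetry (invented paths and PIDs, not from the incident).
SAMPLE_EVENTS = [
    ProcessEvent(100, 1, "C:\\Windows\\explorer.exe", "explorer.exe"),
    ProcessEvent(200, 100, "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe", "msedge.exe"),
    # native host launched by the browser, which then launches the interpreter (depth 2)
    ProcessEvent(300, 200, "C:\\Users\\bob\\AppData\\Local\\Temp\\upd\\nmhost.exe", "nmhost.exe"),
    ProcessEvent(400, 300, "C:\\Users\\bob\\AppData\\Local\\Programs\\Python\\Python312\\pythonw.exe", "pythonw.exe agent.py"),
    # direct child of the browser (depth 1), the case the Sigma rule covers
    ProcessEvent(500, 200, "C:\\Windows\\System32\\cmd.exe", "cmd.exe /c whoami"),
    # python started from Explorer: developer activity, not flagged
    ProcessEvent(600, 100, "C:\\Python312\\python.exe", "python.exe build.py"),
    # parent missing from this batch: cannot be attributed, not flagged
    ProcessEvent(700, 2, "C:\\Python312\\python.exe", "python.exe"),
]

if __name__ == "__main__":
    for hit in find_browser_descendants(SAMPLE_EVENTS):
        print(f"[{hit['severity']}] pid={hit['pid']} depth={hit['depth']} {hit['chain']}: {hit['command_line']}")
```

Keep `max_depth` small: beyond two or three hops the chain runs through shells and tooling that legitimately descend from a browser-launched installer, and the false-positive rate climbs quickly.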
**Remediation Script (PowerShell)**

```powershell
<#
.SYNOPSIS
Audit Microsoft Edge Native Messaging Hosts for suspicious entries.
.DESCRIPTION
Enumerates the registry keys where Edge looks up Native Messaging Host manifests,
resolves each manifest and prints the executable it launches, then prints any
Native Messaging policies (allowlist, blocklist, user-level hosts) that are configured.
#>
$HostPaths = @(
    "HKCU:\Software\Microsoft\Edge\NativeMessagingHosts",
    "HKLM:\Software\Microsoft\Edge\NativeMessagingHosts"
)
$PolicyPaths = @(
    "HKCU:\Software\Policies\Microsoft\Edge",
    "HKLM:\Software\Policies\Microsoft\Edge"
)

Write-Host "[+] Auditing Edge Native Messaging Hosts..." -ForegroundColor Cyan
foreach ($Path in $HostPaths) {
    if (-not (Test-Path $Path)) { continue }
    Write-Host "Checking path: $Path" -ForegroundColor Yellow
    # $Host is a read-only automatic variable in PowerShell, so the loop variable is $HostEntry
    foreach ($HostEntry in (Get-ChildItem -Path $Path -ErrorAction SilentlyContinue)) {
        # The key's default value holds the path to the host's manifest JSON
        $ManifestPath = $HostEntry.GetValue("")
        Write-Host " FOUND Host: $($HostEntry.PSChildName)" -ForegroundColor Red
        Write-Host " Manifest Path: $ManifestPath"
        if ($ManifestPath -and (Test-Path $ManifestPath)) {
            try {
                $Manifest = Get-Content $ManifestPath -Raw | ConvertFrom-Json
                # 'path' may be relative to the manifest's own directory on Windows
                $Target = $Manifest.path
                if ($Target -and -not [System.IO.Path]::IsPathRooted($Target)) {
                    $Target = Join-Path (Split-Path $ManifestPath -Parent) $Target
                }
                Write-Host " Target Executable: $Target"
                Write-Host " Allowed Origins: $($Manifest.allowed_origins -join ', ')"
            } catch {
                Write-Host " [ERROR] Could not parse manifest JSON."
            }
        }
    }
}

Write-Host "[+] Checking Native Messaging policies..." -ForegroundColor Cyan
foreach ($Path in $PolicyPaths) {
    if (-not (Test-Path $Path)) { continue }
    $UserLevel = (Get-ItemProperty -Path $Path -ErrorAction SilentlyContinue).NativeMessagingUserLevelHosts
    if ($null -ne $UserLevel) { Write-Host " $Path NativeMessagingUserLevelHosts = $UserLevel" }
    # List policies are stored as numbered values under a subkey named after the policy
    foreach ($ListName in "NativeMessagingAllowlist", "NativeMessagingBlocklist") {
        $ListKey = Join-Path $Path $ListName
        if (Test-Path $ListKey) {
            $Key = Get-Item $ListKey
            $Entries = $Key.GetValueNames() | ForEach-Object { $Key.GetValue($_) }
            Write-Host " $ListName ($Path): $($Entries -join ', ')"
        }
    }
}
Write-Host "[+] Audit Complete. Review any 'python.exe' or unknown paths." -ForegroundColor Green
```
**Remediation**
To mitigate the 'Edgecution' threat and similar Native Messaging abuses:
- Audit Extensions: Enforce a policy where users cannot install extensions without admin approval. Review currently installed extensions in the enterprise environment.
- Restrict Native Messaging: Use Group Policy to control Native Messaging. Policy Path: Computer Configuration > Administrative Templates > Microsoft Edge > Content settings > Native Messaging user level. Configure a whitelist of allowed Native Messaging hosts if the business functionality requires it, or block it entirely if unused.
- Registry Review: Manually inspect `HKEY_CURRENT_USER\Software\Microsoft\Edge\NativeMessagingHosts` and `HKEY_LOCAL_MACHINE\Software\Microsoft\Edge\NativeMessagingHosts`. Remove any keys referencing unknown or suspicious executables (especially Python scripts located in temporary or user profile directories).
- Network Controls: Monitor for anomalous outbound traffic originating from `msedge.exe` that does not match standard web browsing patterns (e.g., persistent TCP connections to non-standard ports).