Amid the official “retirement” of Internet Explorer (IE), a new sophisticated cyberattack campaign suddenly exploited the very IE Mode feature in Microsoft Edge, which was created to help users access older websites.


This sophisticated campaign appeared in August 2025, taking advantage of the Internet Explorer (IE) mode feature in Microsoft Edge. Essentially, the attacker does not attack modern Chrome/Edge directly, but lures the victim into switching the page to IE mode (an old, insecure environment), then triggers a zero-day flaw in Chakra (IE’s JavaScript engine) to gain control. It shows that hackers are increasingly creative in turning a seemingly harmless compatibility tool into a powerful attack weapon.

How did the hacker take advantage of the IE Mode?

Step 1: Create a psychological trap, luring the user into IE Mode

First, the hackers created fake websites that looked identical to the authentic ones, such as public service portals, corporate software, or security camera sites, which often required IE for accurate display.

When a user logs in, a flyout notification will appear, asking them to “download the page in Internet Explorer mode for better compatibility”.

This seemingly harmless move caused the browser to transition from Edge’s secure environment to the outdated IE environment, where the layers of security defenses are almost gone.

Step 2: Exploiting the zero-day vulnerability in IE’s JavaScript engine

As soon as the user activates IE Mode, the zero-day malicious code runs, exploiting a vulnerability in the Chakra engine, the legacy JavaScript engine of Internet Explorer.

The vulnerability allows hackers to remotely insert and execute malicious code, hijacking the browser.

Step 3: Escalate Privileges – Take over control of the system

After gaining permissions in the browser environment, the attacker deploys a second payload to escape Edge’s “sandbox” protection.
From there, they can:

  • Install spyware or ransomware,
  • Access system data,
  • Move to other machines on the same enterprise network,
  • Steal sensitive information.

The entire process is silent, without warning, making it difficult for users to notice.

According to Microsoft, this group of attacks targets organizations still dependent on old technology such as:

  • Internal enterprise applications using ActiveX,
  • Camera management systems or old security equipment,
  • Some administrative portals that still require IE.

These are the most vulnerable, as they are forced to keep IE Mode enabled to access the system, while Edge’s modern protection mechanisms no longer work in this environment.

This attack was rated critical because it:

  • Exploits an unpatched zero-day in old environments,
  • Enables the attacker to take control of the computer,
  • Spreads easily within corporate intranets,
  • Could lead to data leaks or large-scale ransomware.

In other words, IE Mode is becoming a legitimate “backdoor” that hackers can exploit.

Shortly after the discovery of the campaign, Microsoft deployed emergency measures, including:

  • Restricting IE Mode,
  • Removing keyboard shortcuts and context menus for fast mode switches,
  • Maintaining IE Mode support only for businesses with clear administration policies, so that individual users do not turn this mode on themselves.

To protect against this new form of attack, experts recommend:

  • Do not access sites that require opening in IE Mode, unless it is a tightly controlled internal system.
  • Disable IE Mode if not necessary.
  • Update Microsoft Edge and Windows regularly to get the latest patches.
  • Train staff to recognize warning signs and scam techniques related to “browser compatibility”.
  • Gradually transition to a modern platform, rather than continuing to rely on older technologies such as ActiveX or Flash.
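
To check the "disable IE Mode if not necessary" and "only under clear administration policies" points on a Windows host, the following PowerShell audit is an added example, not code from the article or from Microsoft. It reads the Microsoft Edge group policy values that govern IE mode; the verdict wording and function names are this example's own.

```powershell
# Added example (not from the article): report how Edge IE mode is governed by policy on this host.
$policyPaths = 'HKLM:\SOFTWARE\Policies\Microsoft\Edge', 'HKCU:\SOFTWARE\Policies\Microsoft\Edge'
$names = 'InternetExplorerIntegrationLevel',
         'InternetExplorerIntegrationSiteList',
         'InternetExplorerIntegrationReloadInIEModeAllowed'

function Get-EdgeIEModePolicy {
    param([string[]]$Path, [string[]]$Name)
    $result = @{}
    foreach ($n in $Name) {
        foreach ($p in $Path) {
            # Machine policy is listed first, so it is the value reported when both hives set it.
            $item = Get-ItemProperty -Path $p -Name $n -ErrorAction SilentlyContinue
            if ($null -ne $item -and -not $result.ContainsKey($n)) { $result[$n] = $item.$n }
        }
    }
    return $result
}

function Test-EdgeIEModePolicy {
    param([hashtable]$Policy)
    $findings = New-Object System.Collections.Generic.List[string]
    $level  = $Policy['InternetExplorerIntegrationLevel']                  # 0 = none, 1 = IE mode, 2 = IE11
    $reload = $Policy['InternetExplorerIntegrationReloadInIEModeAllowed']  # 1 = users may reload in IE mode
    $list   = $Policy['InternetExplorerIntegrationSiteList']               # location of the enterprise site list

    if ($null -eq $reload) {
        $findings.Add('REVIEW: reload-in-IE-mode is not set by policy, so it is left to each user.')
    } elseif ($reload -eq 1) {
        $findings.Add('RISK: policy allows users to reload unconfigured sites in IE mode.')
    } else {
        $findings.Add('OK: policy blocks users from reloading unconfigured sites in IE mode.')
    }
    if ($level -eq 1 -and [string]::IsNullOrWhiteSpace($list)) {
        $findings.Add('REVIEW: IE mode is enabled but no enterprise site list is configured.')
    } elseif ($level -eq 1) {
        $findings.Add("INFO: IE mode is enabled with the site list at $list; review its entries.")
    } elseif ($level -eq 2) {
        $findings.Add('REVIEW: integration level is set to Internet Explorer 11 (value 2).')
    } else {
        $findings.Add('OK: IE integration is not enabled by policy.')
    }
    return $findings
}

Test-EdgeIEModePolicy -Policy (Get-EdgeIEModePolicy -Path $policyPaths -Name $names)
```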

A feature created to support work can, if not properly managed, become a gateway for hackers to enter the system. In the digital age, maintaining outdated technologies is like keeping a door open for the bad guys: it’s only a matter of time before they walk in.

WhiteHat