security · ransomware · browser-extensions · phishing

Malicious Edge Extension Escapes Sandbox to Drop Ransomware

Zscaler found a campaign using fake Outlook update sites and a Teams phishing lure to install a backdoor extension that breaks out of the browser sandbox.

A browser extension is being used as a ransomware delivery mechanism, and it gets out of the sandbox Microsoft Edge is supposed to confine extensions to.

Security firm Zscaler discovered a campaign it calls "Edgecution" in which attackers impersonate IT support over Microsoft Teams and steer victims to a fake "Outlook Updates Management Console" site. Users who follow the instructions download a ZIP archive that creates a scheduled task; the task launches Edge in headless mode and silently installs an extension named "Edge Monitoring Agent." The ZIP also bundles a Python runtime and registers a Native Messaging host manifest that points at it. Native Messaging is the browser's sanctioned mechanism for letting an extension talk to a local program, and the host process it names runs outside the browser sandbox, so that manifest is what gives the backdoor a path from the extension onto the host system. From there it can run shell commands, execute PowerShell and arbitrary Python, write files, and harvest system data.

The sandbox escape is the part worth watching. Extensions are supposed to be confined to the browser, but Native Messaging exists precisely to let an extension reach a local process, and that process is not sandboxed. Driving a bundled Python runtime through that bridge exploits no browser vulnerability; it abuses a feature working as designed, which is why endpoint tools keyed to known malware signatures see only a legitimate browser launching a legitimate interpreter. Zscaler believes the group behind this is an Initial Access Broker linked to a ransomware operation called Payout Kings, meaning the goal is selling that foothold to whoever pays.
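One way to hunt for the registration step described above on a Windows fleet, as an added example that is neither Zscaler's code nor anything taken from the campaign: Edge reads its native messaging hosts from the registry keys HKCU and HKLM Software\Microsoft\Edge\NativeMessagingHosts, where each subkey's default value is the path to a JSON manifest, and that manifest names the host executable and the extension IDs allowed to reach it. The script below parses such manifests and flags the traits the article describes: a host that is really a script or interpreter, a host living in a user-writable directory, and an allowed_origins entry for an extension nobody vetted. The two sample manifests, the vendor names and the approved-extension allowlist are constructed for the example, so it runs offline on any platform; on Windows it reads the live registry instead.

```python
"""Triage Edge Native Messaging host manifests for the traits described above.

Added example; not Zscaler's code and not taken from the campaign. Sample
manifests, the approved-extension allowlist and vendor names are constructed.
"""
import json
import ntpath
import re
import sys

# Registry keys Edge consults for native messaging hosts on Windows; each subkey
# is a host name whose default value is the path to that host's JSON manifest.
EDGE_HOST_KEYS = [
    ("HKEY_CURRENT_USER", r"Software\Microsoft\Edge\NativeMessagingHosts"),
    ("HKEY_LOCAL_MACHINE", r"Software\Microsoft\Edge\NativeMessagingHosts"),
]

# A host binary that is really an interpreter means the manifest is a launcher for scripts.
INTERPRETERS = re.compile(
    r"^(python\w*|pwsh|powershell|cmd|wscript|cscript|node|mshta)(\.exe)?$", re.IGNORECASE
)
SCRIPT_EXTENSIONS = (".bat", ".cmd", ".ps1", ".py", ".vbs", ".js")
# Directories an unprivileged user can write to: a host planted here needs no admin rights.
USER_WRITABLE = re.compile(r"\\(AppData|Temp|Downloads|Public)\\", re.IGNORECASE)
# Hypothetical allowlist of extension IDs the organisation has vetted (assumption).
APPROVED_EXTENSIONS = {"a" * 32}
ORIGIN_RE = re.compile(r"^chrome-extension://([a-p]{32})/$")


def score_manifest(manifest):
    """Return findings for one parsed manifest; an empty list means nothing stood out."""
    findings = []
    path = manifest.get("path", "")
    base = ntpath.basename(path)
    if INTERPRETERS.match(base) or ntpath.splitext(base)[1].lower() in SCRIPT_EXTENSIONS:
        findings.append(f"host is a script or interpreter: {base}")
    if USER_WRITABLE.search(path):
        findings.append("host lives in a user-writable directory")
    if manifest.get("type") != "stdio":
        findings.append(f"unexpected type {manifest.get('type')!r} (only 'stdio' is valid)")
    for origin in manifest.get("allowed_origins", []):
        m = ORIGIN_RE.match(origin)
        if m is None:
            findings.append(f"malformed allowed_origin: {origin}")
        elif m.group(1) not in APPROVED_EXTENSIONS:
            findings.append(f"unvetted extension may reach this host: {m.group(1)}")
    return findings


def triage(manifests):
    """manifests maps manifest file path -> JSON text; returns {path: findings} for flagged ones only."""
    report = {}
    for location, text in manifests.items():
        try:
            manifest = json.loads(text)
        except json.JSONDecodeError as err:
            report[location] = [f"manifest is not valid JSON: {err.msg}"]
            continue
        findings = score_manifest(manifest)
        if findings:
            report[location] = findings
    return report


def collect_windows_manifests():
    """Read every manifest Edge would load from the registry keys above (Windows only)."""
    if sys.platform != "win32":
        return {}
    import winreg
    found = {}
    for hive_name, subkey in EDGE_HOST_KEYS:
        try:
            with winreg.OpenKey(getattr(winreg, hive_name), subkey) as key:
                for i in range(winreg.QueryInfoKey(key)[0]):
                    manifest_path = winreg.QueryValue(key, winreg.EnumKey(key, i))
                    try:
                        with open(manifest_path, encoding="utf-8") as fh:
                            found[manifest_path] = fh.read()
                    except OSError:
                        found[manifest_path] = ""  # unreadable; triage() reports it as invalid JSON
        except OSError:
            continue  # hive has no such key
    return found


# Constructed sample manifests: a vendor host in Program Files and a script host under AppData.
BENIGN_PATH = r"C:\Program Files\ExampleVendor\Host\manifest.json"
SUSPECT_PATH = r"C:\Users\alice\AppData\Local\EdgeMonitor\host.json"
SAMPLE_MANIFESTS = {
    BENIGN_PATH: json.dumps({
        "name": "com.examplevendor.host",
        "description": "Example vendor host",
        "path": r"C:\Program Files\ExampleVendor\Host\vendorhost.exe",
        "type": "stdio",
        "allowed_origins": [f"chrome-extension://{'a' * 32}/"],
    }),
    SUSPECT_PATH: json.dumps({
        "name": "com.example.edge_monitor",
        "description": "Edge Monitoring Agent",
        "path": r"C:\Users\alice\AppData\Local\EdgeMonitor\run_host.bat",
        "type": "stdio",
        "allowed_origins": [f"chrome-extension://{'b' * 32}/"],
    }),
}

if __name__ == "__main__":
    live = collect_windows_manifests()
    for location, findings in triage(live or SAMPLE_MANIFESTS).items():
        print(location)
        for finding in findings:
            print("  -", finding)
```

Only the suspect manifest is reported, with three findings: the host is a .bat launcher, it sits under AppData, and the only extension allowed to reach it is not on the allowlist. A .bat or .cmd wrapper is a common sight here because the browser starts the host with no arguments, so anyone who wants to run a script through an interpreter needs a wrapper in front of it; that is exactly the shape to hunt for when a vendor-signed binary is not what the manifest points at. Chrome keeps the same manifest format under Software\Google\Chrome\NativeMessagingHosts, so the same triage applies there with the key list changed.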

This is the IAB model running at higher sophistication than usual: rather than credential stuffing or exploiting an unpatched CVE, the chain here runs through social engineering, a fake update workflow, and a browser-native technique that few defenders monitor, namely which native messaging hosts are registered on a machine, what executables they point to, and which extensions are allowed to reach them.


The Revision

Written by an AI system from the public sources credited above.