Microsoft has revised how Internet Explorer (IE) Mode is invoked in Edge following a wave of attacks observed in August 2025. According to the Microsoft Browser Vulnerability Research team, threat actors abused the legacy compatibility pathway, pairing basic social engineering with a zero‑day in the Chakra JavaScript engine to gain unauthorized access to user devices.
How attackers abused IE Mode to bypass modern browser defenses
The intrusion flow was straightforward. Victims were lured to seemingly legitimate websites where a pop‑up urged them to reload the page in IE Mode. Once the session switched into IE Mode, adversaries deployed a Chakra exploit to achieve remote code execution (RCE) within the browser context. By pivoting into this legacy engine, attackers sidestepped several isolation and sandboxing guarantees typically provided by the Chromium-based Edge runtime.
Privilege escalation and breakout from the browser
Post‑exploitation, a second exploit enabled privilege escalation beyond the browser process, granting full control of the endpoint. This foothold facilitated malware deployment, lateral movement across networks, and data theft. The core weakness was not a flaw in modern Edge per se, but the security regression introduced by legacy compatibility, where IE-era components (Trident/Chakra) enforce weaker protections.
Why IE Mode increases enterprise attack surface
IE Mode remains essential for organizations reliant on legacy web applications and intranet sites. However, it expands the attack surface because some modern mitigations—such as robust sandboxing, site isolation, and stricter JIT hardening—apply differently or less effectively in compatibility contexts. Microsoft retired Internet Explorer 11 for most scenarios in 2022, but preserved IE Mode in Edge to support critical legacy workflows; that same bridge can be abused when users are tricked into entering it.
What Microsoft changed in Edge
In response, Microsoft removed the IE Mode launch button from the toolbar, context menu, and the main Edge menu. IE Mode still exists, but users must now explicitly enable it in settings and bind it to specific, approved sites via an enterprise‑managed allowlist (the Enterprise Mode Site List). These changes reduce opportunistic switching and ensure compatibility is invoked only for vetted resources.
Security–compatibility balance
By narrowing entry points, Microsoft forces a more deliberate decision before loading legacy engines. The added steps to register a site effectively raise the bar for adversaries; a single misleading click can no longer flip users into a high‑risk compatibility context. This approach aligns with least‑privilege design: grant legacy execution only where strictly necessary and only for designated domains.
Operational impact and guidance for security teams
Enterprises depending on IE Mode should revisit their governance model. Centrally manage the site list, restrict access to approved users, and monitor changes. Align browser updates with OS patching to capture fixes for compatibility components. While Microsoft has not disclosed exploit specifics or the threat actor, defense‑in‑depth remains the universal control: harden endpoints, constrain legacy pathways, and validate web content provenance.
Recommended controls to reduce risk
Use IE Mode only for mission‑critical legacy resources and maintain a centralized Enterprise Mode Site List. Review it regularly and remove stale entries. Enforce Microsoft Defender SmartScreen and Network Protection to block known malicious hosts and filter phishing lures. Ensure rapid updates for Edge, Windows, and IE Mode components; subscribe to Microsoft Browser VR advisories. Apply isolation where feasible (for example, separate Edge profiles for admin workflows or Windows Defender Application Guard for untrusted sites) and deploy EDR/anti‑malware with behavioral detections. Limit script execution in high‑risk zones and disable ad‑hoc requests to “reload in IE Mode” outside the approved workflow.
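One way to run the periodic site-list review described above, as an added example (not Microsoft tooling and not code from the original article). It parses a site list, keeps only entries that open in the IE engine, and flags ones that are unapproved, overdue for review, or allowed to carry redirects into IE Mode. Assumptions: the Enterprise Mode v.2 XML layout, a constructed sample list, a hypothetical `APPROVED` register, and a 180-day review window.

```python
import xml.etree.ElementTree as ET
from datetime import date

# Constructed sample following the Enterprise Mode Site List v.2 XML layout.
SAMPLE_SITE_LIST = """<site-list version="7">
  <site url="erp.corp.example"><open-in>IE11</open-in></site>
  <site url="old-wiki.corp.example">
    <open-in allow-redirect="true">IE11</open-in>
  </site>
  <site url="vendor-portal.example/login"><open-in>IE11</open-in></site>
  <site url="intranet.corp.example"><open-in>MSEdge</open-in></site>
</site-list>"""

# Hypothetical approval register: site URL -> date of last business review.
APPROVED = {
    "erp.corp.example": date(2025, 9, 1),
    "old-wiki.corp.example": date(2024, 1, 15),
}

def ie_mode_sites(xml_text):
    """Return {url: allow_redirect} for entries routed to the IE engine."""
    sites = {}
    for site in ET.fromstring(xml_text).iter("site"):
        open_in = site.find("open-in")
        if open_in is None or (open_in.text or "").strip().upper() != "IE11":
            continue  # modern-engine entries do not widen the attack surface
        url = (site.get("url") or "").strip().lower()
        sites[url] = open_in.get("allow-redirect", "false").lower() == "true"
    return sites

def audit(xml_text, approved, today, max_age_days=180):
    """List (url, issue) pairs that need attention from the list owner."""
    findings = []
    for url, redirect in sorted(ie_mode_sites(xml_text).items()):
        reviewed = approved.get(url)
        if reviewed is None:
            findings.append((url, "unapproved"))      # not in the register
        elif (today - reviewed).days > max_age_days:
            findings.append((url, "stale-review"))    # candidate for removal
        if redirect:
            findings.append((url, "allow-redirect"))  # redirects stay in IE Mode
    return findings

if __name__ == "__main__":
    for url, issue in audit(SAMPLE_SITE_LIST, APPROVED, date(2025, 10, 15)):
        print(f"{issue:15} {url}")
```

Running the same audit on each published version of the list, and alerting when the findings change, also covers the "monitor changes" part of the guidance.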
Reworking IE Mode is a pragmatic step that hardens Edge without breaking critical legacy scenarios. Long‑term resilience, however, depends on reducing dependence on obsolete technologies. Organizations should plan a phased retirement of IE‑era components, modernize legacy apps, and keep compatibility tightly scoped and centrally governed. Treat any prompt to switch into IE Mode as a potential trap, verify through IT support, and keep the enterprise site list as the single source of truth.