Microsoft blocks one-click IE Mode launch in Edge after browser exploits emerge

Skye Jacobs

What just happened? Microsoft has overhauled the Internet Explorer mode in its Edge browser following reports that attackers were exploiting the feature to compromise Windows devices. The company confirmed that the change was prompted by "credible reports" in August, indicating that threat actors were using IE mode's backward compatibility components to bypass security protections.

In a technical report from Microsoft's Browser Vulnerability Research team, investigators said malicious actors had combined basic social engineering tactics with zero-day flaws in Internet Explorer's legacy JavaScript engine, known as Chakra. The attackers used these unpatched vulnerabilities to gain remote access to targeted machines, often by disguising malicious pages as legitimate websites.

According to Microsoft's findings, attackers tricked users into visiting sites that appeared trustworthy. Victims then saw an on-screen prompt designed as a flyout – a small floating user interface element – that instructed them to reload the page in IE mode. Once reloaded, the browser session ran in a less secure environment that retained compatibility with older web technologies, allowing attackers to exploit the Chakra engine to execute arbitrary code.

The compromise did not stop at the browser. Microsoft reported that the attackers chained a second exploit to escape Edge and elevate privileges, giving them full control of the affected device. From there they could carry out a range of follow-up operations, including deploying malware, moving laterally within the network, or exfiltrating sensitive data.

Security experts consider the incident significant because it undermines the protective design of modern Chromium-based browsers. By forcing sessions into IE mode, attackers bypassed several layers of sandboxing and other built-in safeguards that routinely limit access to the operating system.

Microsoft did not identify the threat actors involved or reveal the scope of the campaign, but said it had verified active exploitation in the wild. In response, the company removed multiple features that had previously made it easy to enter IE mode. The dedicated toolbar button, right-click context option, and hamburger menu item have all been taken out of Edge to prevent accidental or manipulated use of the older browsing framework.

Users who still depend on IE mode for legacy websites will now have to enable it manually through Edge's settings. First, navigate to Settings > Default browser and switch the "Allow sites to be reloaded in Internet Explorer mode" option to "Allow." Then add each approved site under "Internet Explorer mode pages" and reload the page by hand. Entries in that per-user list expire after 30 days, so they must be re-added periodically.
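For a managed fleet, the safer route is not the per-user toggle at all but an administrator-owned site list pushed by policy, so that no flyout or prompt can talk a user into reloading an arbitrary page in IE mode. The script below is an added example and is not from the article or from Microsoft. The three policy names are Microsoft's documented Edge group policies (check them against the policy reference for your Edge version); the host name, file path and site entry are constructed placeholders.

```powershell
# Added example (not from the article or Microsoft): pin IE mode to an
# admin-controlled Enterprise Mode Site List and remove the user-facing toggle.
# Run elevated on a test machine first. Policy names are Microsoft's documented
# Edge policies; the path and the site entry below are placeholders.

$PolicyKey    = 'HKLM:\SOFTWARE\Policies\Microsoft\Edge'
$SiteListPath = 'C:\ProgramData\IEModeSiteList.xml'   # assumed location; an https:// URL also works

# Enterprise Mode Site List (schema v.2). Only hosts listed here may open in
# IE mode. "legacy-hvac.corp.example" is a constructed placeholder; list the
# exact host (or host/path) of each legacy app, never a broad wildcard.
$siteList = @'
<site-list version="1">
  <site url="legacy-hvac.corp.example">
    <compat-mode>IE8Enterprise</compat-mode>
    <open-in>IE11</open-in>
  </site>
</site-list>
'@

New-Item -Path $PolicyKey -Force | Out-Null
Set-Content -Path $SiteListPath -Value $siteList -Encoding UTF8

# 1 = IE mode is available only for sites on the managed list
Set-ItemProperty -Path $PolicyKey -Name 'InternetExplorerIntegrationLevel' -Type DWord -Value 1

# Tell Edge where the managed list lives
Set-ItemProperty -Path $PolicyKey -Name 'InternetExplorerIntegrationSiteList' -Type String -Value $SiteListPath

# 0 = hide the "Allow sites to be reloaded in Internet Explorer mode" setting,
# so a user cannot be talked into enabling it from a web page prompt
Set-ItemProperty -Path $PolicyKey -Name 'InternetExplorerIntegrationReloadInIEModeAllowed' -Type DWord -Value 0

# Verify: the values should read back as set; on the client, edge://policy
# lists them as applied and the per-user "Internet Explorer mode pages" option disappears
Get-ItemProperty -Path $PolicyKey |
    Select-Object InternetExplorerIntegrationLevel,
                  InternetExplorerIntegrationSiteList,
                  InternetExplorerIntegrationReloadInIEModeAllowed
```

With the toggle disabled by policy, a page that asks the user to "reload in IE mode" has nothing to invoke: only hosts on the managed list ever reach the legacy engine, and that list is changed by an administrator rather than by whoever is sitting at the browser.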

Microsoft designed the change to reinforce user awareness and reduce exposure to risks associated with obsolete code paths. The company explained that requiring users to enable IE mode explicitly for specific pages introduces friction that makes exploitation far more difficult.

"This approach ensures that the decision to load web content using legacy technology is significantly more intentional," Microsoft wrote. "The additional steps required to add a site to a site list are a significant barrier for even the most determined attackers."


 
I didn't know this was even still a thing but anyone still using IE is just asking for problems.
 
I didn't know this was even still a thing but anyone still using IE is just asking for problems.
They are "using IE" as Internet Explorer was deprecated years ago. "IE mode" loads specific webpages with IE6 compatibility; these are usually internal control systems. Phone controls, HVAC interfaces, medical equipment, industrial setups, etc.
 
They are "using IE" as Internet Explorer was deprecated years ago. "IE mode" loads specific webpages with IE6 compatibility; these are usually internal control systems. Phone controls, HVAC interfaces, medical equipment, industrial setups, etc.
Yea, I get it.

Anyone who needs to use this because their systems are that out of date is asking for problems. Surprising to me that Microsoft even still supports this.
 
Yea, I get it.

Anyone who needs to use this because their systems are that out of date is asking for problems. Surprising to me that Microsoft even still supports this.
If you "get it" then it should not surprise you in the slightest that Microsoft, a company built on backwards compatibility, continues to support critical infrastructure for various industries, unless you have absolutely no experience in IT or workplaces in general. We don't throw the baby out with the bathwater because some new shiny comes out.

Assuming this equipment CAN be replaced, those replacements often cost decades' worth of profit. These machines are not replaced simply because they're a few years old. Unlike basic consumer hardware, industrial applications are only replaced if there are no feasible options to maintain them. Many of these systems don't even have a replacement; one would have to be synthesized from scratch, at immense cost.

These companies purchase Microsoft software because it works with their hardware, and Microsoft likes making money, so it will continue to support them. That is how business operates. IE6 was massively influential and widely used in embedded control applications. You can't just click "turn ActiveX into HTML5 plz" and walk away from it.
 
What if this doesn't work? I can't find a way to reload in IE mode. Do I need an extension?


"Users who still depend on IE mode for legacy websites will now have to enable it manually through Edge's settings. First, navigate to Settings > Default Browser and switch the "Allow sites to be reloaded in Internet Explorer mode" option to "Allow." Then add each approved website to a compatibility list before manually reloading the page."
 