Microsoft said it has revamped the Internet Explorer (IE) mode in its Edge browser after receiving “credible reports” in August 2025 that unknown threat actors were abusing the backward compatibility feature to gain unauthorized access to users’ devices.
“Threat actors were leveraging basic social engineering techniques alongside unpatched (0-day) exploits in Internet Explorer’s JavaScript engine (Chakra) to gain access to victim devices,” the Microsoft Browser Vulnerability Research team said in a report published last week.
In the attack chain documented by the Windows maker, the threat actors have been found to trick unsuspecting users into visiting an seemingly legitimate website and then employ a flyout on the page to instruct them into reloading the page in IE mode.
Once the page is reloaded, the attackers are said to have weaponized an unspecified exploit in the Chakra engine to obtain remote code execution. The infection sequence culminates with the adversary using a second exploit to elevate their privileges out of the browser in order to seize complete control of the victim’s device.
The activity is concerning, not least because it subverts modern defenses baked into Chromium and Microsoft Edge by launching it in a less secure state using Internet Explorer, effectively allowing the threat actors to break out of the confines of the browser and perform various post-exploitation steps, including malware deployment, lateral movement, and data exfiltration.
Microsoft did not disclose any details regarding the nature of the vulnerabilities, the identity of the threat actor behind the attacks, and the scale of the efforts.
However, in response to evidence of active exploitation and the security risk posed by the feature, the company said it has taken steps to remove the dedicated toolbar button, context menu, and the hamburger menu items.
Users who wish to enable IE mode will now have to explicitly enable it on a case-by-case basis via Edge browser settings –
- Navigate to Settings > Default Browser
- Locate the option labeled Allow sites to be reloaded in Internet Explorer mode and set it to Allow
- After enabling this setting, add the specific site(s) requiring IE compatibility to the Internet Explorer mode pages list
- Reload the site
The Windows maker noted that these restrictions to launching IE mode are necessary to balance security and the need for legacy support.
“This approach ensures that the decision to load web content using legacy technology is significantly more intentional,” Microsoft said. “The additional steps required to add a site to a site list are a significant barrier for even the most determined attackers to overcome.”
