Three Zero-Days Exploit “Mark-of-the-Web” Weakness in Windows and Office
February 2026 — Security researchers are warning that three actively exploited zero-day vulnerabilities patched this month are not isolated bugs, but part of a broader and more concerning pattern: attackers are deliberately targeting weaknesses in Windows’ “Mark-of-the-Web” (MoTW) protection mechanism to quietly bypass user safety warnings.
The vulnerabilities — CVE-2026-21510, CVE-2026-21513, and CVE-2026-21514 — were addressed by Microsoft in its February Patch Tuesday updates. All three are classified as security feature bypass flaws, and all three were reportedly under active exploitation before patches were released.
Security teams at CrowdStrike and Rapid7 say the trio reflects a tactical shift: instead of exploiting memory corruption bugs for immediate remote code execution, threat actors are focusing on stripping away Windows’ trust warnings — effectively disarming one of the operating system’s key last-line defenses against phishing.
What Is Mark-of-the-Web — and Why It Matters?
Mark-of-the-Web is a Windows feature that tags files downloaded from the internet with metadata identifying them as coming from an untrusted zone. When a user opens such a file — whether it’s a document, executable, or shortcut — Windows triggers warnings through SmartScreen or Protected View.
Those prompts are often the only barrier between a phishing email and full compromise.
The February zero-days undermine that barrier.
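The metadata the article refers to is stored on NTFS as an alternate data stream named Zone.Identifier. The following PowerShell is an example added here, not code from the article or from any vendor it cites; it reads and parses that stream so a defender can audit which downloaded files actually carry the tag. The function name Get-MotwZone, the sample file it creates under $env:TEMP, and the audit of the Downloads folder are this example's own.

```powershell
# Added example: read the Mark-of-the-Web tag (NTFS alternate data stream "Zone.Identifier").
# The stream is INI-style text; ZoneId 3 (Internet) or 4 (Restricted) is what makes
# SmartScreen and Protected View fire. Function and file names here are illustrative.
function Get-MotwZone {
    [CmdletBinding()]
    param([Parameter(Mandatory, ValueFromPipelineByPropertyName)][Alias('FullName')][string]$Path)
    process {
        $item = Get-Item -LiteralPath $Path -ErrorAction Stop
        $result = [ordered]@{ Path = $item.FullName; HasMotw = $false; ZoneId = $null; ReferrerUrl = $null; HostUrl = $null }
        # Get-Item -Stream errors if the stream is absent; treat that as "no tag".
        if (Get-Item -LiteralPath $Path -Stream 'Zone.Identifier' -ErrorAction SilentlyContinue) {
            $fields = @{}
            $text = Get-Content -LiteralPath $Path -Stream 'Zone.Identifier' -Raw
            foreach ($line in ($text -split "`r?`n")) {
                # key=value lines only; the [ZoneTransfer] section header is skipped
                if ($line -match '^\s*([^=\[\]]+?)\s*=\s*(.*?)\s*$') { $fields[$matches[1]] = $matches[2] }
            }
            $result.HasMotw = $true
            if ($fields['ZoneId'] -match '^\d+$') { $result.ZoneId = [int]$fields['ZoneId'] }
            $result.ReferrerUrl = $fields['ReferrerUrl']
            $result.HostUrl     = $fields['HostUrl']
        }
        [pscustomobject]$result
    }
}

# Constructed sample: a file stamped the way a browser download would be.
$sample = Join-Path $env:TEMP 'motw-sample.txt'
Set-Content -LiteralPath $sample -Value 'harmless sample'
Set-Content -LiteralPath $sample -Stream 'Zone.Identifier' -Value "[ZoneTransfer]`r`nZoneId=3`r`nHostUrl=https://example.invalid/download"
Get-Item $sample | Get-MotwZone

# Audit: files under Downloads that carry no Internet-zone tag (for instance because an
# extraction tool dropped the stream), which is the state the bypasses in this article aim to produce.
Get-ChildItem "$env:USERPROFILE\Downloads" -File -Recurse -ErrorAction SilentlyContinue |
    Get-MotwZone | Where-Object { -not $_.HasMotw -or $_.ZoneId -lt 3 }
```

The sample file reports HasMotw set and ZoneId 3; the audit at the end lists only files whose tag is missing or below the Internet zone, which is the set worth a second look after an archive has been extracted.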
CVE-2026-21510 — Windows Shell MoTW Bypass
The first flaw affects the Windows Shell, the component responsible for file handling and desktop interaction.
Attackers can craft malicious shortcut files (.lnk) or related artifacts that trick Windows into treating the file as locally trusted — even when it originated from the internet. In practical terms, this means the familiar SmartScreen “Are you sure?” dialog may never appear.
How It’s Being Exploited
In observed attack chains:
- A victim receives a phishing email containing a malicious shortcut or archive.
- The user extracts or opens the file.
- Because the Mark-of-the-Web tag is effectively bypassed or misinterpreted, Windows does not trigger its usual warning.
- The shortcut launches a secondary payload — often a script, loader, or remote retrieval mechanism.
Researchers describe this as “MoTW laundering” — converting an untrusted file into one that appears trusted by the operating system.
Proof-of-concept (PoC) code demonstrating the bypass in lab environments has surfaced in research communities, but reporting has not pointed to widespread public exploit kits. Confirmed in-the-wild exploitation nevertheless indicates that real adversaries have operational capability.
CVE-2026-21513 — MSHTML Framework Security Feature Bypass
The second vulnerability targets the legacy MSHTML (Trident) engine, still embedded in parts of Windows and Office for compatibility purposes.
MSHTML has historically been a favored attack surface because it allows HTML rendering, script execution, and remote content loading within trusted processes.
This flaw enables attackers to bypass security zone enforcement when HTML content is invoked via certain vectors — including malicious shortcut files or crafted HTML documents.
Exploitation Pattern
Attackers are believed to:
- Deliver a malicious HTML file or shortcut that invokes MSHTML.
- Leverage the vulnerability so the file executes outside its intended “internet zone” restrictions.
- Use that foothold to download or execute additional malware without triggering protective prompts.
Security analysts warn that this approach blends easily into normal user activity. Opening what appears to be a simple document can silently initiate outbound connections or script execution.
Because MSHTML remains present for backward compatibility, its continued exposure makes these types of bypasses particularly attractive to advanced threat actors.
CVE-2026-21514 — Microsoft Word OLE Protection Bypass
The third zero-day affects Microsoft Word’s handling of embedded OLE (Object Linking and Embedding) content.
OLE objects have long been used in malicious documents to execute embedded code or load external resources. Over the years, Microsoft added protections to prevent unsafe OLE execution — particularly for files tagged with Mark-of-the-Web.
CVE-2026-21514 allows attackers to circumvent those protections.
Attack Flow
- A phishing email delivers a crafted Word document.
- The user opens the document.
- The embedded OLE object executes without the expected security gating.
- A secondary payload is launched.
Microsoft clarified that the Preview Pane alone is not an attack vector — the file must be opened for exploitation to occur.
Researchers note that this bypass is especially dangerous because it removes friction from common phishing campaigns. Victims are no longer required to enable macros or bypass prominent security prompts; the malicious object may execute with minimal visible warning.
Why Threat Actors Favor These Bugs
Security feature bypasses do not always make headlines like remote code execution vulnerabilities. But practitioners argue they are often more valuable in real-world campaigns.
Advanced attackers typically:
- Gain initial access via phishing.
- Establish persistence.
- Move laterally across the network.
MoTW bypasses streamline the initial access stage. If Windows or Office does not flag a file as risky, user hesitation drops dramatically.
Threat intelligence teams describe these vulnerabilities as “staple diet” techniques — reliable, repeatable methods used in combination with other tools rather than standalone exploits.
Detection and Defensive Considerations
Security teams are advised to:
- Patch Windows and Office systems immediately.
- Monitor for suspicious .lnk file creation or execution from Downloads and Temp directories.
- Alert on Word spawning child processes such as PowerShell, cmd.exe, or rundll32.
- Restrict or monitor use of mshta.exe and legacy scripting engines.
- Enforce application control policies (WDAC/AppLocker) to prevent execution from user-writable paths.
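As an added example (not from the article, CrowdStrike, Rapid7 or Microsoft), the PowerShell below implements two of the items above against Sysmon: Office applications spawning script hosts (Event ID 1, process creation) and .lnk files created under Downloads or Temp (Event ID 11, file creation). It assumes Sysmon is installed with both event types enabled; the function names, the watched-directory and process lists, and the constructed sample records are this example's own.

```powershell
# Added example: two of the detections listed above, evaluated over Sysmon events.
# Assumes Sysmon logs Event ID 1 (process create) and 11 (file create); names are illustrative.
$OfficeParents      = 'winword.exe','excel.exe','powerpnt.exe','outlook.exe'
$SuspiciousChildren = 'powershell.exe','pwsh.exe','cmd.exe','rundll32.exe','mshta.exe',
                      'wscript.exe','cscript.exe','regsvr32.exe','certutil.exe'
$WatchedDirs        = "$env:USERPROFILE\Downloads", $env:TEMP, "$env:WINDIR\Temp"

function Test-OfficeChild {
    # True when an Office process is the parent of a script host or similar binary.
    param([string]$ParentImage, [string]$Image)
    $parent = [IO.Path]::GetFileName("$ParentImage").ToLowerInvariant()
    $child  = [IO.Path]::GetFileName("$Image").ToLowerInvariant()
    ($OfficeParents -contains $parent) -and ($SuspiciousChildren -contains $child)
}

function Test-LnkDrop {
    # True when a .lnk file lands in Downloads or a Temp directory.
    param([string]$TargetFilename)
    if ("$TargetFilename" -notmatch '\.lnk$') { return $false }
    foreach ($dir in $WatchedDirs) {
        if ($TargetFilename.StartsWith($dir, [StringComparison]::OrdinalIgnoreCase)) { return $true }
    }
    $false
}

function ConvertFrom-SysmonEvent {
    # Flatten the EventData <Data Name="..."> elements into one object.
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $data = @{ Id = $Event.Id; Time = $Event.TimeCreated }
    foreach ($d in ([xml]$Event.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    [pscustomobject]$data
}

function Find-MotwAbuseIndicators {
    # Pull the last N hours of Sysmon events and keep only rows matching either rule.
    param([int]$Hours = 24)
    $filter = @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 1, 11; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object { ConvertFrom-SysmonEvent $_ } |
        Where-Object {
            ($_.Id -eq 1  -and (Test-OfficeChild $_.ParentImage $_.Image)) -or
            ($_.Id -eq 11 -and (Test-LnkDrop $_.TargetFilename))
        } | Select-Object Time, Id, User, ParentImage, Image, CommandLine, TargetFilename
}

# Constructed sample records (no live log needed) showing which rows the rules catch.
$sample = @(
    [pscustomobject]@{ Id = 1;  ParentImage = 'C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE'; Image = 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'; TargetFilename = $null }
    [pscustomobject]@{ Id = 1;  ParentImage = 'C:\Windows\explorer.exe'; Image = 'C:\Windows\System32\notepad.exe'; TargetFilename = $null }
    [pscustomobject]@{ Id = 11; ParentImage = $null; Image = 'C:\Windows\explorer.exe'; TargetFilename = "$env:USERPROFILE\Downloads\invoice.lnk" }
)
$sample | Where-Object { (Test-OfficeChild $_.ParentImage $_.Image) -or (Test-LnkDrop $_.TargetFilename) }
```

Against the constructed sample, the WINWORD.EXE to powershell.exe row and the invoice.lnk row are returned and the explorer.exe to notepad.exe row is not. Run Find-MotwAbuseIndicators on a host with Sysmon to apply the same two rules to real events; the parent and child lists are a starting point to tune against the Office add-ins and helper tools your environment legitimately launches.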
Because these attacks rely on user interaction, awareness campaigns remain critical. Even with patches applied, social engineering remains the entry point.
A Broader Trend
The clustering of three MoTW-related bypasses in a single patch cycle highlights a deeper issue: attackers increasingly target trust boundaries rather than memory corruption flaws.
By eroding the mechanisms that inform users about risk, threat actors reduce the need for noisy exploit chains.
For defenders, the lesson is clear — patching is necessary but not sufficient. Visibility into process spawning behavior, file origin metadata, and abnormal parent-child process relationships is essential.
As organizations continue to harden against ransomware and advanced persistent threats, the battle is shifting from exploitation of code to exploitation of trust.
And in that arena, even a missing warning prompt can be enough.
