Cybercriminals are increasingly exploiting a legacy feature within Windows File Explorer, specifically targeting the Web-based Distributed Authoring and Versioning (WebDAV) protocol to distribute malware. This tactic allows them to bypass traditional web browser security measures and endpoint detection controls, presenting a significant challenge for organizations aiming to protect their networks.
According to a recent threat report by Kahng An from the Cofense Intelligence Team, attackers are using WebDAV to deceive victims into executing malicious payloads. Despite Microsoft officially deprecating native WebDAV support in Windows File Explorer as of November 2023, the functionality remains active on many systems, providing a convenient loophole for malicious actors.
The WebDAV Loophole
WebDAV, an older HTTP-based network protocol, was originally designed for remote file management. Attackers are taking advantage of this legacy support by sending malicious links that compel File Explorer to connect directly to remote WebDAV servers. This connection circumvents web browsers entirely, meaning victims do not receive the usual security warnings or download prompts associated with browser-based interactions.
The remote server is presented as a local folder, creating an illusion of safety for downloaded files. Although Windows does provide a default pop-up warning when executing files over a remote network, users who frequently interact with legitimate enterprise file shares may overlook these alerts.
Attackers employ three primary methods to deliver their exploits, often utilizing the DavWWWRoot keyword to target the root directory of a remote server:
- Direct Linking: Threat actors utilize the `file://` URI scheme to open remote folders directly within the system's file browser.
- URL Shortcut Files (.url): These files leverage Windows UNC paths (e.g., `\\exampledomain[.]com@SSL\DavWWWRoot`) to access remote servers invisibly over HTTP or HTTPS.
- LNK Shortcut Files (.lnk): These shortcuts often contain hidden commands that invoke Command Prompt or PowerShell to silently download and execute malicious scripts hosted remotely.
A notable technical quirk enhances the effectiveness of this tactic: when a user merely opens a local directory containing a malicious .url file with a UNC path, Windows automatically performs a DNS lookup and sends a TCP SYN packet to the attacker's infrastructure. This signals to the attacker that the lure has reached a live host, even if the user has never clicked the file.
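The .url delivery form described above is the easiest of the three to inspect on disk, since the file is plain INI text. The following is an added example, not code from the Cofense report: a small triage helper that reads the `URL=` target out of a .url file and flags the WebDAV indicators the article names (a UNC or `file://` target, the `@SSL` suffix, the `DavWWWRoot` keyword, a trycloudflare[.]com host, a host outside an allow-list of known shares). The sample .url contents and the trycloudflare hostname are constructed for the example.

```python
import re
from configparser import ConfigParser

# Constructed sample .url file contents (not real campaign artifacts). The UNC
# form \\host@SSL\DavWWWRoot\... is the WebDAV-over-HTTPS path the report describes.
SUSPICIOUS_URL_FILE = r"""[InternetShortcut]
URL=\\constructed-example-host[.]trycloudflare[.]com@SSL\DavWWWRoot\Rechnung.pdf.lnk
IconIndex=3
"""
BENIGN_URL_FILE = r"""[InternetShortcut]
URL=\\fileserver.corp.example\shares\finance\Q3.xlsx
"""

def url_target(url_file_text: str) -> str:
    """Return the URL= value from a .url (INI-style [InternetShortcut]) file."""
    cp = ConfigParser(interpolation=None)
    cp.optionxform = str  # keep key case so "URL" stays "URL"
    cp.read_string(url_file_text)
    return cp["InternetShortcut"]["URL"].strip()

def split_remote_target(target: str):
    """Split a UNC path or file:// URI into (host, [@flags], path); de-fangs [.]"""
    t = target[5:] if target.lower().startswith("file:") else target
    t = t.replace("\\", "/").lstrip("/")
    host_spec, _, path = t.partition("/")
    host, *flags = host_spec.split("@")  # e.g. "host@SSL" or "host@SSL@443"
    return host.replace("[.]", "."), [f.upper() for f in flags], path

def webdav_indicators(target: str, trusted_hosts=()) -> list:
    """Return the reasons a shortcut target looks like a WebDAV lure (empty = none)."""
    if not (target.startswith(("\\\\", "//")) or target.lower().startswith("file:")):
        return []  # http(s) targets open in a browser, which is not this tactic
    host, flags, path = split_remote_target(target)
    reasons = []
    if "SSL" in flags:
        reasons.append("@SSL: WebDAV over HTTPS via the Explorer redirector")
    if re.match(r"davwwwroot(/|$)", path, re.IGNORECASE):
        reasons.append("DavWWWRoot: WebDAV root keyword in path")
    if host.lower().endswith(".trycloudflare.com"):
        reasons.append("trycloudflare.com: temporary Cloudflare Tunnel host")
    if host.lower() not in {h.lower() for h in trusted_hosts}:
        reasons.append(f"remote host not on the known-share allow-list: {host}")
    if re.search(r"\.(lnk|exe|js|vbs|bat|cmd|ps1|hta)$", path, re.IGNORECASE):
        reasons.append("target is a shortcut, executable or script rather than a document")
    return reasons

if __name__ == "__main__":
    for text in (SUSPICIOUS_URL_FILE, BENIGN_URL_FILE):
        tgt = url_target(text)
        print(tgt, "->", webdav_indicators(tgt, ["fileserver.corp.example"]) or "no indicators")
```

Run it over every .url file in a mail-attachment quarantine or a user's Downloads folder; anything with two or more reasons is worth a closer look before the user ever browses to that folder.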
Malware Payloads and Targeting
Since the volume of these campaigns surged in late 2024, the primary objective has been to deploy Remote Access Trojans (RATs) for unauthorized system control. Cofense reports that 87% of Active Threat Reports (ATRs) associated with this tactic involve multiple RATs, prominently featuring XWorm RAT, Async RAT, and DcRAT.
These campaigns predominantly target corporate networks in Europe, with approximately 50% of phishing emails written in German, often masquerading as finance or invoice documents, while 30% are in English. To obscure their infrastructure, threat actors create short-lived WebDAV servers using free Cloudflare Tunnel demo accounts hosted on trycloudflare[.]com. This method routes malicious traffic through legitimate Cloudflare infrastructure, complicating detection efforts for security teams before the attackers take the temporary servers offline.
Indicators of Compromise
The following table outlines known malicious Cloudflare Tunnel domains associated with these campaigns:
Security analysts are urged to monitor for unusual network activity originating from Windows Explorer and to educate users on verifying the address bar in File Explorer for unfamiliar IP addresses. This evolving tactic underscores a broader risk, as similar abuses could potentially extend to other enterprise protocols such as FTP and SMB.