WebDAV

Winsage
June 13, 2026
Following the June 2026 update, custom folder icons and localized folder names in Windows are no longer displaying as they typically would due to intentional modifications related to security updates, specifically KB5094126 for Windows 11 versions 24H2 and 25H2. This update tightens the handling of the desktop.ini file, which is used for folder customization. Although access to the actual files remains unchanged, affected folders may revert to default icons or display original directory names instead of customized labels. Microsoft has identified certain sources as untrusted, including files downloaded from the internet and specific remote sources, which affects how desktop.ini files are processed. Users are encouraged to verify file origins, and administrators should ensure that internal sources are classified as trusted to avoid disruptions in folder presentation. The update also includes other security fixes and enhancements.
Winsage
June 12, 2026
Windows 11 users have reported that their custom folder icons have reverted to default settings due to new security protocols from Microsoft. If a desktop.ini file, which defines folder icons, is detected as coming from an untrusted source, Windows will automatically revert to the standard icon without notification. Microsoft has confirmed that 'untrusted' icons will no longer display, and identifies scenarios that classify a source as untrusted, including files downloaded from the internet with a Mark-of-the-Web (MOTW), files copied from certain remote locations, and files on unrecognized network paths. To restore customizations, users can add the source to their Trusted Sites list, enable the "Allow the use of remote paths in file shortcut icons" policy, or remove the Mark-of-the-Web tag from affected files.
Winsage
March 1, 2026
Cybercriminals are exploiting a legacy feature in Windows File Explorer, specifically the WebDAV protocol, to distribute malware and bypass traditional security measures. Despite Microsoft deprecating native WebDAV support in November 2023, it remains active on many systems. Attackers use WebDAV to deceive victims into executing malicious payloads by sending links that connect File Explorer directly to remote servers, avoiding web browsers and their security warnings. They employ methods such as direct linking, URL shortcut files, and LNK shortcut files to deliver exploits. The primary objective of these campaigns, which surged in late 2024, is to deploy Remote Access Trojans (RATs), with 87% of Active Threat Reports involving multiple RATs like XWorm RAT, Async RAT, and DcRAT. These campaigns predominantly target corporate networks in Europe, with many phishing emails written in German and English. Attackers use short-lived WebDAV servers hosted on Cloudflare Tunnel demo accounts to obscure their infrastructure. Security analysts are advised to monitor unusual network activity from Windows Explorer and educate users to verify addresses in File Explorer.
Search