CVE-2024-38112

Windows MSHTML Spoofing via .url File Phishing (Void Banshee)

CVE-2024-38112 is a high-severity (CVSS 7.5) spoofing vulnerability in the Windows MSHTML Platform, fixed in the July 2024 Patch Tuesday update. Threat actors crafted malicious Internet Shortcut (.url) files whose URL= value begins with the mhtml: scheme (in the observed lures, mhtml:http://<host>/<page>!x-usc:http://<host>/<page>). When the victim double-clicks the file, Windows routes the link to Internet Explorer's MSHTML engine instead of the default browser, even on Windows 10 and 11 systems where IE is retired and disabled, because the iexplore.exe binary and MSHTML remain on disk. The attacker-controlled page is then rendered by the legacy engine, outside the protections of Edge or other modern browsers; in the observed chain it prompted the user to open an HTA disguised as a PDF, leading to code execution, and the same routing can be used for credential phishing. The vulnerability was exploited as a zero-day by the APT group Void Banshee to deliver the Atlantida infostealer to North American and European organisations. CISA added it to the KEV catalog on July 9, 2024 with a remediation deadline of July 30, 2024.
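The following is an added example, not code from the original page or from any vendor: a small triage script that parses Internet Shortcut (.url) files and flags the mhtml: / !x-usc: pattern described above. The file layout (an INI-style [InternetShortcut] section with a URL= key) is standard; the sample files, host names and reasons are constructed for illustration.

```python
"""Triage Internet Shortcut (.url) files for the CVE-2024-38112 lure pattern.

Added example; not part of the original detection page or of any vendor tool.
A .url file is INI-style text with an [InternetShortcut] section whose URL=
value is what Windows hands to the protocol handler. Observed lures used
    URL=mhtml:http://<host>/<page>!x-usc:http://<host>/<page>
so the mhtml: scheme routes the click to Internet Explorer. Sample files and
host names below are constructed for illustration.
"""
from __future__ import annotations

import configparser
import re
from dataclasses import dataclass
from typing import Optional

MHTML_RE = re.compile(r"^mhtml:", re.IGNORECASE)
X_USC_RE = re.compile(r"!x-usc:(?P<target>[^\s\"]+)", re.IGNORECASE)


@dataclass(frozen=True)
class Verdict:
    url: Optional[str]           # URL= value, or None if the file is not a valid shortcut
    uses_mhtml: bool             # URL starts with the mhtml: scheme
    x_usc_target: Optional[str]  # second URL after !x-usc:, if present
    suspicious: bool
    reason: str


def decode_shortcut(data: bytes) -> str:
    """Decode a .url file; Windows writes these as ANSI/UTF-8 or UTF-16 with a BOM."""
    if data.startswith((b"\xff\xfe", b"\xfe\xff")):
        return data.decode("utf-16")
    return data.decode("utf-8", errors="replace").lstrip("\ufeff")


def shortcut_url(text: str) -> Optional[str]:
    """Return the URL= value of the [InternetShortcut] section, or None."""
    parser = configparser.ConfigParser(interpolation=None, strict=False, delimiters=("=",))
    try:
        parser.read_string(text.lstrip("\ufeff"))
    except configparser.Error:
        return None
    for section in parser.sections():
        # configparser lower-cases option names, so "URL" is looked up as "url"
        if section.lower() == "internetshortcut" and parser.has_option(section, "url"):
            return parser.get(section, "url").strip()
    return None


def assess(text: str) -> Verdict:
    """Classify one decoded .url file."""
    url = shortcut_url(text)
    if url is None:
        return Verdict(None, False, None, False, "no URL= value under [InternetShortcut]")
    uses_mhtml = bool(MHTML_RE.match(url))
    match = X_USC_RE.search(url)
    target = match.group("target") if match else None
    if uses_mhtml and target:
        return Verdict(url, True, target, True,
                       "mhtml: scheme with !x-usc: redirect (CVE-2024-38112 lure pattern)")
    if uses_mhtml:
        return Verdict(url, True, None, True,
                       "mhtml: scheme forces the shortcut to open in Internet Explorer")
    if target:
        return Verdict(url, False, target, True, "!x-usc: redirect marker without mhtml:")
    return Verdict(url, False, None, False, "ordinary shortcut; not routed to MSHTML")


# Constructed sample shaped like the observed lures; the host is a placeholder.
LURE_FILE = (
    "[InternetShortcut]\r\n"
    "URL=mhtml:http://lure.example.invalid/update.html"
    "!x-usc:http://lure.example.invalid/update.html\r\n"
    "ShowCommand=7\r\n"
    "IconIndex=13\r\n"
    "IconFile=C:\\Windows\\System32\\shell32.dll\r\n"
)
# Constructed benign shortcut for comparison.
BENIGN_FILE = "[InternetShortcut]\r\nURL=https://intranet.example.invalid/portal\r\n"

if __name__ == "__main__":
    for name, content in (("lure", LURE_FILE), ("benign", BENIGN_FILE)):
        verdict = assess(content)
        print(f"{name}: suspicious={verdict.suspicious} target={verdict.x_usc_target} ({verdict.reason})")
```

Run it over a quarantine folder by reading each file as bytes and passing decode_shortcut(data) to assess(); a hit on uses_mhtml alone is worth a look, and the x_usc_target is the URL to pivot on in proxy and DNS logs.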

Microsoft Sentinel / Defender (KQL)

// CVE-2024-38112: Windows MSHTML Spoofing via .url file / mhtml: handler
// Detect Internet Explorer or the mhtml: protocol handler being invoked from user-facing parents
// Key signals: mhtml: scheme (with the !x-usc: redirect seen in observed lures),
// iexplore.exe spawned from Explorer/Office/script hosts, rundll32 url.dll/ieframe.dll launches
// Note: DeviceProcessEvents records processes only; a DLL such as mshtml.dll never appears
// as FileName here (image loads would need DeviceImageLoadEvents).
// In Defender XDR advanced hunting, replace TimeGenerated with Timestamp.
let MHTMLHandlerInvocation =
DeviceProcessEvents
| where TimeGenerated > ago(24h)
| where FileName =~ "iexplore.exe" or ProcessCommandLine has "mhtml:"
| where InitiatingProcessFileName in~ ("explorer.exe", "WINWORD.EXE", "EXCEL.EXE",
    "POWERPNT.EXE", "OUTLOOK.EXE", "mshta.exe", "wscript.exe", "cscript.exe")
| extend ThreatIndicator = "CVE-2024-38112-MSHTML-Handler";
let SuspiciousURLFileExecution =
DeviceProcessEvents
| where TimeGenerated > ago(24h)
// The .url file name itself does not appear on the child's command line when Explorer
// opens it, so match the handler and the mhtml: payload rather than the ".url" extension
| where ProcessCommandLine has_any ("mhtml:", "ieframe.dll,OpenURL", "url.dll,FileProtocolHandler")
    or ProcessCommandLine contains "!x-usc:"
| where InitiatingProcessFileName in~ ("explorer.exe", "rundll32.exe")
| extend ThreatIndicator = "CVE-2024-38112-URLFile-Execution";
union MHTMLHandlerInvocation, SuspiciousURLFileExecution
| project TimeGenerated, DeviceName, FileName, ProcessCommandLine,
    InitiatingProcessFileName, InitiatingProcessCommandLine, ThreatIndicator
| sort by TimeGenerated desc

Severity: High. Confidence: High.

Data Sources

Microsoft Defender for Endpoint (DeviceProcessEvents)
Microsoft 365 Defender (now Microsoft Defender XDR)

Required Tables

DeviceProcessEvents

False Positives

  • Legitimate use of mhtml: links in enterprise applications built on MSHTML components
  • Old intranet applications requiring IE rendering mode (consider an explicit allowlist of known hosts or URLs)
  • IT testing of legacy IE-dependent applications
  • Internet Explorer started directly from a desktop or Start menu shortcut: iexplore.exe spawned by explorer.exe matches the first clause even with no mhtml: argument on the command line
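To make the detection logic concrete, and to show how the allowlist tuning suggested above fits into it, here is an added example that replays the two clauses of the KQL query over constructed DeviceProcessEvents-style records. It is written in Python so it runs offline and is not code from the original page or from Microsoft; every record, host name and the allowlisted intranet host is a constructed placeholder.

```python
"""Replay of the detection logic above over constructed process-event records.

Added example; not code from the original page or from Microsoft. It mirrors
the two clauses of the KQL query (iexplore.exe / mhtml: from user-facing
parents, and rundll32 url.dll / ieframe.dll handler launches) and adds the host
allowlist suggested under False Positives. Column names follow
DeviceProcessEvents; all records, hosts and the allowlist entry are constructed.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Iterable, List, Optional
from urllib.parse import urlsplit

MSHTML_PARENTS = {"explorer.exe", "winword.exe", "excel.exe", "powerpnt.exe",
                  "outlook.exe", "mshta.exe", "wscript.exe", "cscript.exe"}
URLFILE_PARENTS = {"explorer.exe", "rundll32.exe"}
HANDLER_MARKERS = ("url.dll,fileprotocolhandler", "ieframe.dll,openurl")
# Assumption: one intranet application that still legitimately serves mhtml: links.
ALLOWED_MHTML_HOSTS = {"legacyapp.intranet.example.invalid"}

# mhtml:<first URL>[!x-usc:<second URL>] as it appears on an iexplore.exe command line
MHTML_RE = re.compile(r"mhtml:(?P<first>[^\s!\"]+)(?:!x-usc:(?P<second>[^\s\"]+))?",
                      re.IGNORECASE)


@dataclass(frozen=True)
class ProcessEvent:
    DeviceName: str
    FileName: str
    ProcessCommandLine: str
    InitiatingProcessFileName: str


@dataclass(frozen=True)
class Finding:
    DeviceName: str
    ThreatIndicator: str
    x_usc_redirect: bool   # the !x-usc: redirect trick is present
    hosts: frozenset       # hosts referenced through mhtml: / !x-usc:


def mhtml_targets(cmdline: str) -> List[str]:
    """Every URL referenced through mhtml: or !x-usc: on the command line."""
    targets: List[str] = []
    for m in MHTML_RE.finditer(cmdline):
        targets.append(m.group("first"))
        if m.group("second"):
            targets.append(m.group("second"))
    return targets


def classify(ev: ProcessEvent) -> Optional[Finding]:
    """Apply the two query clauses to one event, with allowlist tuning."""
    child = ev.FileName.lower()
    parent = ev.InitiatingProcessFileName.lower()
    cmd = ev.ProcessCommandLine
    targets = mhtml_targets(cmd)
    hosts = frozenset(h for h in (urlsplit(t).hostname for t in targets) if h)
    # Tuning: mhtml: links that only reference allowlisted intranet hosts are expected.
    if targets and hosts and hosts <= ALLOWED_MHTML_HOSTS:
        return None
    redirect = "!x-usc:" in cmd.lower()
    handler = any(marker in cmd.lower() for marker in HANDLER_MARKERS)
    # Clause 2: handler / mhtml: payload launched from Explorer or rundll32
    if (targets or redirect or handler) and parent in URLFILE_PARENTS and child != "iexplore.exe":
        return Finding(ev.DeviceName, "CVE-2024-38112-URLFile-Execution", redirect, hosts)
    # Clause 1: Internet Explorer (or any mhtml: command line) from a user-facing parent
    if (child == "iexplore.exe" or targets) and parent in MSHTML_PARENTS:
        return Finding(ev.DeviceName, "CVE-2024-38112-MSHTML-Handler", redirect, hosts)
    return None


def hunt(events: Iterable[ProcessEvent]) -> List[Finding]:
    return [f for f in (classify(e) for e in events) if f is not None]


IE = '"C:\\Program Files\\Internet Explorer\\iexplore.exe" '
EDGE = '"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe" '
# Constructed sample events: a lure, an allowlisted intranet link, a normal Edge launch,
# a rundll32 handler launch, and IE started by the service host (no user-facing parent).
SAMPLE_EVENTS = [
    ProcessEvent("WS-01", "iexplore.exe", IE + "mhtml:http://lure.example.invalid/update.html"
                 "!x-usc:http://lure.example.invalid/update.html", "explorer.exe"),
    ProcessEvent("WS-02", "iexplore.exe",
                 IE + "mhtml:http://legacyapp.intranet.example.invalid/report.mht", "explorer.exe"),
    ProcessEvent("WS-03", "msedge.exe", EDGE + "https://portal.example.invalid/", "explorer.exe"),
    ProcessEvent("WS-04", "rundll32.exe",
                 "rundll32.exe url.dll,FileProtocolHandler mhtml:http://lure.example.invalid/a.html",
                 "explorer.exe"),
    ProcessEvent("WS-05", "iexplore.exe", IE + "-Embedding", "services.exe"),
]

if __name__ == "__main__":
    for finding in hunt(SAMPLE_EVENTS):
        print(finding.DeviceName, finding.ThreatIndicator, "x-usc" if finding.x_usc_redirect else "",
              ",".join(sorted(finding.hosts)))
```

Two things the replay makes visible that the query alone does not: the allowlist is applied to the hosts actually named in the mhtml: payload, not to the process name, so a lure pointing at an external host is never tuned out by an intranet exception; and WS-05 shows why the parent-process filter matters, since a COM-activated iexplore.exe with a services.exe parent would otherwise fire on every host.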
