CVE-2024-38112 Microsoft Sentinel · KQL

Detect Windows MSHTML Spoofing via .url File Phishing (Void Banshee) in Microsoft Sentinel

CVE-2024-38112 is a high-severity (CVSS 7.5) spoofing vulnerability in the Windows MSHTML Platform. Threat actors crafted malicious .url files that, when opened, invoke Internet Explorer's MSHTML engine via the mhtml: URI handler — even on systems where IE is disabled or removed. This allowed attackers to bypass modern browser security controls and render attacker-controlled HTML/JavaScript content, leading to code execution or credential phishing. The vulnerability was actively exploited by the APT group Void Banshee as a zero-day to deliver infostealer malware (Atlantida Stealer) targeting North American and European organisations. CISA added this to the KEV catalog with a remediation deadline of July 30, 2024.

MITRE ATT&CK

Tactic
Initial Access, Execution

KQL Detection Query

Microsoft Sentinel (KQL)

```kusto
// CVE-2024-38112 — Windows MSHTML Spoofing via .url file / mhtml: handler
// Detect invocation of MSHTML/IE components from unexpected parent processes
// Key signals: mhtml: URI handler, iexplore.exe spawned from Explorer/Office, .url file executions
let MHTMLHandlerInvocation =
DeviceProcessEvents
| where TimeGenerated > ago(24h)
// Note: DeviceProcessEvents records process starts only, so the mshtml.dll clause below
// never matches here; DLL loads of mshtml.dll are recorded in DeviceImageLoadEvents instead.
| where (FileName =~ "iexplore.exe" or ProcessCommandLine has "mhtml:")
    or (FileName =~ "mshtml.dll" and InitiatingProcessFileName !~ "iexplore.exe")
| where InitiatingProcessFileName in~ ("explorer.exe", "WINWORD.EXE", "EXCEL.EXE",
    "POWERPNT.EXE", "OUTLOOK.EXE", "mshta.exe", "wscript.exe", "cscript.exe")
| extend ThreatIndicator = "CVE-2024-38112-MSHTML-Handler";
let SuspiciousURLFileExecution =
DeviceProcessEvents
| where TimeGenerated > ago(24h)
| where ProcessCommandLine has_any (".url", "mhtml:", "ieframe.dll", "url.dll,FileProtocolHandler")
| where InitiatingProcessFileName in~ ("explorer.exe", "rundll32.exe")
| extend ThreatIndicator = "CVE-2024-38112-URLFile-Execution";
MHTMLHandlerInvocation
| union SuspiciousURLFileExecution
| project TimeGenerated, DeviceName, FileName, ProcessCommandLine,
    InitiatingProcessFileName, InitiatingProcessCommandLine, ThreatIndicator
| sort by TimeGenerated desc
```

Severity: High · Confidence: High

Detects CVE-2024-38112 exploitation patterns: invocation of the mhtml: URI handler or iexplore.exe spawned by Office applications or Explorer (indicating a .url file click). Also catches rundll32.exe executing URL handlers, which is the mechanism Windows uses to process .url shortcut files that trigger MSHTML rendering. Because the two sub-queries are combined with union, an event that satisfies both (for example iexplore.exe launched by explorer.exe with mhtml: on the command line) is returned twice, once per ThreatIndicator.
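To check the rule's logic offline before deploying it, the following added example (not part of the original page or its rule package) re-implements the two KQL sub-queries in Python and runs them over constructed DeviceProcessEvents rows. It assumes `has`/`has_any` can be approximated by case-insensitive substring matching and omits the InitiatingProcessCommandLine column, which the query projects but never filters on.

```python
from datetime import datetime, timedelta, timezone

# Assumption: KQL `has` / `has_any` are approximated by case-insensitive substring
# tests; KQL's term-based matching is stricter, so results may differ at the edges.
HANDLER_PARENTS = {"explorer.exe", "winword.exe", "excel.exe", "powerpnt.exe",
                   "outlook.exe", "mshta.exe", "wscript.exe", "cscript.exe"}
URLFILE_PARENTS = {"explorer.exe", "rundll32.exe"}
URLFILE_TOKENS = (".url", "mhtml:", "ieframe.dll", "url.dll,fileprotocolhandler")

def _has_any(text, tokens):
    return any(tok in text.lower() for tok in tokens)

def mhtml_handler_invocation(ev):
    """MHTMLHandlerInvocation: IE / mhtml: launched by Explorer, Office or a script host."""
    fname, parent = ev["FileName"].lower(), ev["InitiatingProcessFileName"].lower()
    signal = (fname == "iexplore.exe" or _has_any(ev["ProcessCommandLine"], ("mhtml:",))
              or (fname == "mshtml.dll" and parent != "iexplore.exe"))
    return signal and parent in HANDLER_PARENTS

def suspicious_url_file_execution(ev):
    """SuspiciousURLFileExecution: .url / URL-handler activity under Explorer or rundll32."""
    return (_has_any(ev["ProcessCommandLine"], URLFILE_TOKENS)
            and ev["InitiatingProcessFileName"].lower() in URLFILE_PARENTS)

def detect(events, now):
    """Union of both sub-queries over the last 24h, newest first: [(DeviceName, ThreatIndicator)]."""
    hits = []
    for ev in events:
        if ev["TimeGenerated"] <= now - timedelta(hours=24):
            continue  # TimeGenerated > ago(24h)
        if mhtml_handler_invocation(ev):
            hits.append((ev["TimeGenerated"], ev["DeviceName"], "CVE-2024-38112-MHTML-Handler"))
        if suspicious_url_file_execution(ev):
            hits.append((ev["TimeGenerated"], ev["DeviceName"], "CVE-2024-38112-URLFile-Execution"))
    hits.sort(key=lambda h: h[0], reverse=True)  # stable, so an event hit by both keeps its order
    return [(device, indicator) for _, device, indicator in hits]

# Constructed sample telemetry (not real data); hostnames use the reserved .invalid TLD.
NOW = datetime(2024, 7, 15, 12, 0, tzinfo=timezone.utc)
def _ev(minutes_ago, device, fname, cmd, parent):
    return {"TimeGenerated": NOW - timedelta(minutes=minutes_ago), "DeviceName": device,
            "FileName": fname, "ProcessCommandLine": cmd, "InitiatingProcessFileName": parent}
SAMPLE_EVENTS = [
    _ev(5, "WS01", "iexplore.exe", '"C:\\Program Files\\Internet Explorer\\iexplore.exe" mhtml:http://lure.example.invalid/', "explorer.exe"),
    _ev(30, "WS02", "rundll32.exe", "rundll32.exe url.dll,FileProtocolHandler C:\\Users\\u\\Downloads\\invoice.url", "explorer.exe"),
    _ev(40, "WS03", "chrome.exe", '"C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe" https://intranet.example.invalid/', "explorer.exe"),
    _ev(50, "WS04", "iexplore.exe", "iexplore.exe -embedding", "services.exe"),  # parent not in allowlist
    _ev(60 * 48, "WS05", "iexplore.exe", "iexplore.exe mhtml:http://old.example.invalid/", "explorer.exe"),  # outside 24h
]
```

Running `detect(SAMPLE_EVENTS, NOW)` shows WS01 reported twice (both sub-queries match) and WS02 once, while the benign browser launch, the out-of-allowlist parent and the stale event produce nothing.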

Data Sources

  • Microsoft Defender for Endpoint (DeviceProcessEvents)
  • Microsoft 365 Defender

Required Tables

DeviceProcessEvents

False Positives & Tuning

  • Legitimate use of mhtml: links in enterprise applications built on MSHTML components
  • Old intranet applications requiring IE rendering mode (consider explicit allowlist of known URLs)
  • IT testing of legacy IE-dependent applications

Testing Methodology

Validate this detection against 1 adversary technique from Atomic Red Team. The test below lists the behaviour to exercise and the telemetry you should expect to see.

  1. Test 1: Invoke mhtml: URI handler via .url shortcut file

    Expected signal: Sysmon Event ID 1 (or the equivalent DeviceProcessEvents process-creation row in Defender for Endpoint) — iexplore.exe spawned by explorer.exe with an mhtml: URI in the command line.
