VYPR
Research · Published Jun 19, 2026 · 2 sources

CrowdStrike Details ClickOnce Abuse for Malware Deployment and Mark-of-the-Web Bypass

CrowdStrike researchers have documented how threat actors abuse Microsoft's ClickOnce deployment technology to bypass Mark-of-the-Web protections and deliver malware with minimal user interaction.

CrowdStrike has published the first part of a two-part series detailing how threat actors are abusing Microsoft's ClickOnce application deployment technology to gain initial access to systems. The research, presented at REcon 2026, reveals that attackers can bypass Mark-of-the-Web (MotW) protections by deploying malicious .appref-ms files, enabling code execution without triggering typical security warnings. This technique poses a significant risk for phishing campaigns and initial compromise, as it leverages a legitimate Windows feature to evade detection.

ClickOnce is a deployment technology that allows developers to package and distribute applications that users can run, install, and automatically update with minimal interaction and without requiring administrative privileges. While this simplifies software deployment for legitimate developers, it also provides threat actors with an easy way to spread malware. The technology's user-friendly deployment process is a double-edged sword, as it can be weaponized to deliver malicious payloads with a single click.

The first part of the series examines how ClickOnce works under the hood, from the publication of the app to its installation on the user endpoint. The researchers explain the publishing process in Visual Studio, where developers can configure deployment parameters such as installation medium, update location, and offline availability. The output includes key files like the .application deployment manifest, an XML-based file that holds information about the application, publisher, and signature.

One of the critical security implications is the ability to bypass Mark-of-the-Web protections. MotW is a security feature that marks files downloaded from the internet, triggering additional security checks when they are opened. However, ClickOnce deployment files can be crafted to avoid this marking, allowing attackers to execute code without the usual warnings. This makes ClickOnce an attractive vector for phishing campaigns, where users are tricked into clicking a link that downloads and runs a malicious application.

The second part of the series, to be published later, will focus on how threat actors can take advantage of ClickOnce apps. It will summarize known weaponization methods, disclose a previously unknown abuse uncovered by the research, discuss detection strategies, and demonstrate how the CrowdStrike Falcon platform provides protection against these attacks in real-world environments. The researchers will also present their findings at REcon 2026 in Montreal on June 19.

This research highlights the ongoing cat-and-mouse game between attackers and defenders, where legitimate technologies are repurposed for malicious ends. As Microsoft continues to develop user-friendly deployment solutions, security researchers must remain vigilant in identifying and mitigating potential abuse vectors. The ClickOnce abuse technique underscores the importance of user education and robust endpoint protection to defend against sophisticated phishing campaigns that exploit trusted Windows features.

In Part 2 of the blog series, CrowdStrike expands on the ClickOnce abuse technique by detailing how threat actors weaponize the built-in update mechanism of ClickOnce applications: malicious updates pushed through a compromised deployment server turn a benign app into persistent malware without any user reauthorization. The post also reveals a new abuse vector in which .appref-ms files placed in the Startup folder or triggered via scheduled tasks provide stealthy persistence, with the payload executed by legitimate Windows processes such as rundll32.exe and dfsvc.exe. CrowdStrike provides specific detection guidance and mitigation steps to help security teams identify and block this attack chain.
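As an added example (not CrowdStrike's code or the research's own tooling), the following Python sketches two defender-side triage checks that follow from the manifest description above and the Part 2 persistence findings: flagging rundll32.exe/dfshim.dll launches of .appref-ms shortcuts from the Startup folder or from a scheduled task, and summarising a .application deployment manifest (identity, publisher, update location, whether a signature block is present). All telemetry, paths, the publisher name and the update URL are constructed sample data.

```python
"""ClickOnce triage helpers over constructed sample data (added example, not CrowdStrike's code)."""
import re
import xml.etree.ElementTree as ET
# Windows launches a ClickOnce shortcut as: rundll32.exe dfshim.dll,ShOpenVerbShortcut <path>.appref-ms
APPREF_RE = re.compile(r'dfshim\.dll,ShOpenVerb\w+\s+"?(.+?\.appref-ms)', re.IGNORECASE)
STARTUP_RE = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.IGNORECASE)

def triage_process_event(ev):
    """Return finding strings for one process-creation event: {image, parent, cmdline}."""
    findings = []
    if ev["image"].lower().endswith("rundll32.exe") and "dfshim.dll" in ev["cmdline"].lower():
        m = APPREF_RE.search(ev["cmdline"])
        path = m.group(1) if m else ev["cmdline"]
        if STARTUP_RE.search(path):
            findings.append("ClickOnce shortcut launched from Startup folder: " + path)
        # Scheduled-task actions are spawned by the Schedule service host (svchost.exe), not explorer.exe
        if ev["parent"].lower().endswith("svchost.exe"):
            findings.append("ClickOnce shortcut launched by a scheduled task: " + path)
    return findings

def triage_manifest(xml_text):
    """Summarise a .application deployment manifest: identity, publisher, update URL, signature presence."""
    ns = {"v1": "urn:schemas-microsoft-com:asm.v1", "v2": "urn:schemas-microsoft-com:asm.v2",
          "ds": "http://www.w3.org/2000/09/xmldsig#"}
    root = ET.fromstring(xml_text)
    ident = root.find("v1:assemblyIdentity", ns)
    desc = root.find("v1:description", ns)
    prov = root.find("v2:deployment/v2:deploymentProvider", ns)
    return {"name": ident.get("name"), "version": ident.get("version"),
            "publisher": None if desc is None else desc.get("{%s}publisher" % ns["v2"]),
            "update_url": None if prov is None else prov.get("codebase"),
            "signed": root.find("ds:Signature", ns) is not None}

# Constructed telemetry: a normal Start Menu launch, a Startup-folder launch, a scheduled-task launch
SM = r"C:\Users\u\AppData\Roaming\Microsoft\Windows\Start Menu\Programs"
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\rundll32.exe", "parent": r"C:\Windows\explorer.exe",
     "cmdline": 'rundll32.exe dfshim.dll,ShOpenVerbShortcut "%s\\Contoso\\Tool.appref-ms"' % SM},
    {"image": r"C:\Windows\System32\rundll32.exe", "parent": r"C:\Windows\explorer.exe",
     "cmdline": 'rundll32.exe dfshim.dll,ShOpenVerbShortcut "%s\\Startup\\Updater.appref-ms"' % SM},
    {"image": r"C:\Windows\System32\rundll32.exe", "parent": r"C:\Windows\System32\svchost.exe",
     "cmdline": r'rundll32.exe dfshim.dll,ShOpenVerbShortcut "C:\Users\u\AppData\Local\Temp\Sync.appref-ms"'},
]
# Constructed deployment manifest with no xmldsig Signature block (a properly published app carries one)
SAMPLE_MANIFEST = """<asmv1:assembly xmlns="urn:schemas-microsoft-com:asm.v2" xmlns:asmv1="urn:schemas-microsoft-com:asm.v1" xmlns:asmv2="urn:schemas-microsoft-com:asm.v2">
  <asmv1:assemblyIdentity name="Updater.application" version="1.0.0.0" publicKeyToken="0000000000000000" xmlns="urn:schemas-microsoft-com:asm.v1" />
  <description asmv2:publisher="Example Corp" asmv2:product="Updater" xmlns="urn:schemas-microsoft-com:asm.v1" />
  <deployment install="true"><deploymentProvider codebase="https://updates.example.test/Updater.application" /></deployment>
</asmv1:assembly>"""
```

Hunting real telemetry means feeding process-creation events from Sysmon or EDR into triage_process_event and reviewing any manifest whose update_url points at a host the organisation does not control.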

Synthesized by Vypr AI