
Most days, I’m buried in threat reports, patch cycles, and SOC alerts. But today’s topic has been gnawing at me since late last year. It’s not a new breach or a clever phishing campaign. It’s something Microsoft calls a “feature,” but attackers have been abusing it like a zero-day. And the worst part? It’s been flying under the radar since 2017.
Let’s rewind.
In September 2024, Trend Micro’s Zero-Day Initiative uncovered a malicious shortcut file exploit that’s being actively used by 11 known Advanced Persistent Threat (APT) groups. We’re talking major players from North Korea, Russia, Iran, and China. This isn't theoretical. These are live, targeted attacks—and the sectors being hit hardest include law firms, universities, nonprofits, and manufacturers. The very organizations with sensitive data and limited IT resources.
Here's how it works: a .lnk file—something as mundane as “Invoice.lnk” or “ClientData.lnk”—shows up in an email. It looks harmless. You click it. Behind the scenes, the shortcut's command-line arguments are padded with whitespace, so the “Target” field shown in the file's Properties dialog looks blank or truncated while the command that actually runs stays hidden. The real payload, like Cobalt Strike or ransomware, launches silently. Microsoft has known about this technique but won’t patch it, claiming it’s "working as intended." That’s their official position, which means no CVE, no fix, and no warnings to users.
This isn't just theory. I watched this play out with a client in late 2024. They received what looked like a shortcut to a contract template. One click later, their network was compromised. The shortcut looked blank—but blank is not safe. It’s a red flag.
Three Takeaways & Next Steps:
1. Inspect Every Shortcut
Right-click any LNK file you receive. If the Target field looks empty or suspicious, do not click. Assume it’s malicious until proven otherwise.
2. Train Your Team
Schedule a 30-minute training. Show staff real examples of malicious shortcut files. Human error is the weak link—education closes the gap.
3. Filter the Inbox
Set up email rules to block or quarantine .lnk attachments. Most businesses never need to send these by email anyway. Removing the temptation could prevent a breach.
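As an added example, not code from the original post or from Trend Micro's report: the script below parses the .lnk (ShellLink) binary format far enough to pull out the command-line arguments that the Properties dialog truncates, and flags shortcuts whose arguments are padded with whitespace, the technique described above. It serves both "Inspect Every Shortcut" (it shows what the blank Target field is hiding) and "Filter the Inbox" (the same check can run on quarantined attachments). The two shortcut files are constructed inline for the demo; the 32-character padding threshold, the cp1252 fallback for non-Unicode shortcuts, and the scan_file helper are my assumptions, not anything from the post.

```python
import struct

# Constants from the MS-SHLLINK specification (ShellLinkHeader and LinkFlags).
HEADER_SIZE = 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # 00021401-0000-0000-C000-000000000046
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80

WHITESPACE = " \t\r\n\x0b\x0c"
PADDING_THRESHOLD = 32  # assumed: legitimate shortcuts almost never pad their arguments


def build_lnk(arguments, relative_path=None):
    """Build a minimal, constructed .lnk: header plus the StringData fields we need."""
    flags = HAS_ARGUMENTS | IS_UNICODE
    if relative_path is not None:
        flags |= HAS_RELATIVE_PATH
    header = struct.pack("<I", HEADER_SIZE) + LNK_CLSID + struct.pack("<I", flags)
    header += struct.pack("<I", 0)  # FileAttributes
    header += b"\x00" * 24           # CreationTime, AccessTime, WriteTime
    # FileSize, IconIndex, ShowCommand (SW_SHOWNORMAL), HotKey, Reserved1..3
    header += struct.pack("<IiIHHII", 0, 0, 1, 0, 0, 0, 0)
    assert len(header) == HEADER_SIZE

    def string_data(s):  # CountCharacters (uint16) followed by UTF-16LE text
        return struct.pack("<H", len(s)) + s.encode("utf-16-le")

    body = b""
    if relative_path is not None:
        body += string_data(relative_path)
    body += string_data(arguments)
    return header + body


def parse_lnk(data):
    """Return the StringData fields of a .lnk as a dict; raises on malformed input."""
    if len(data) < HEADER_SIZE or struct.unpack_from("<I", data, 0)[0] != HEADER_SIZE:
        raise ValueError("not a ShellLink header")
    if data[4:20] != LNK_CLSID:
        raise ValueError("bad LinkCLSID")
    flags = struct.unpack_from("<I", data, 20)[0]
    pos = HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:        # skip the IDList (we only need strings)
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:                  # skip LinkInfo, whose size field includes itself
        pos += struct.unpack_from("<I", data, pos)[0]
    unicode = bool(flags & IS_UNICODE)
    strings = {}
    # StringData structures appear in this fixed order, each only if its flag is set.
    for flag, name in ((HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
                       (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
                       (HAS_ICON_LOCATION, "icon_location")):
        if not flags & flag:
            continue
        count = struct.unpack_from("<H", data, pos)[0]
        pos += 2
        nbytes = count * 2 if unicode else count
        raw = data[pos:pos + nbytes]
        if len(raw) != nbytes:
            raise ValueError(f"truncated {name}")
        strings[name] = raw.decode("utf-16-le" if unicode else "cp1252")  # cp1252 is an assumption
        pos += nbytes
    return strings


def assess_shortcut(data):
    """Flag arguments hidden by leading whitespace or by control whitespace (VT/FF/CR/LF)."""
    args = parse_lnk(data).get("arguments", "")
    leading = len(args) - len(args.lstrip(WHITESPACE))
    control_ws = any(c in args for c in "\r\n\x0b\x0c")
    return {
        "leading_whitespace": leading,
        "control_whitespace": control_ws,
        "visible_arguments": args.strip(WHITESPACE),  # what the dialog would have shown
        "suspicious": leading >= PADDING_THRESHOLD or control_ws,
    }


def scan_file(path):
    """Assumed helper for a quarantine hook: assess a .lnk from disk."""
    with open(path, "rb") as fh:
        return assess_shortcut(fh.read())


# Constructed samples: a normal shortcut and one whose arguments are padded out of view.
BENIGN = build_lnk("/k echo hello", relative_path=".\\notes.txt")
PADDED = build_lnk(" " * 300 + "\x0b\x0c" + "/c echo padded-sample", relative_path=".\\Invoice.pdf")

if __name__ == "__main__":
    for label, blob in (("benign", BENIGN), ("padded", PADDED)):
        print(label, assess_shortcut(blob))
```

On a mail gateway or file-drop scanner, a `suspicious` verdict is a quarantine signal; for a user-facing triage tool, `visible_arguments` is the line to display, because that is precisely the text the Properties dialog hid.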
Conclusion:
This isn’t just another cyber scare. It’s a real, proven tactic that’s been exploited for over eight years while Microsoft looks the other way. And it’s working—especially against businesses that can’t afford a $4.5 million breach.
If you’re in legal, education, nonprofit, or manufacturing, this threat is tailored to you. But knowledge is power. Knowing the risk, training your team, and setting up basic filters can give you the upper hand.
We can’t rely on Microsoft to fix this. But we can outsmart it.
Hire us to set your IT strategy up for sustainable success.
Learn about our proven No-Nonsense approach.
Get an IT roadmap designed specifically for you.
Fearlessly grow your business.