The warning your careful users count on, that quietly never fired
CVE-2024-21412 bypasses Windows SmartScreen with a shortcut inside a shortcut. The file looks like a JPEG, the user double-clicks, and the safety prompt that was supposed to appear simply doesn't. It's also a bypass of the previous SmartScreen fix.
We tell users to watch for the warning. If you download something sketchy and Windows throws up a SmartScreen prompt saying this file came from the internet and might be dangerous, that’s the moment a careful person stops. The whole user-awareness model leans on that prompt appearing. CVE-2024-21412 is a bug whose entire purpose is to make sure it doesn’t.
It’s a security-feature bypass (CWE-693, Protection Mechanism Failure), CVSS 8.1, in how Windows handles internet shortcut files. Trend Micro’s Zero Day Initiative found it being exploited as a zero-day by the APT group Water Hydra (also called DarkCasino) against financial traders. The trick: a .url internet shortcut whose target is another .url shortcut. Mark-of-the-Web is the Zone.Identifier tag Windows attaches to files from untrusted sources, and the SmartScreen prompt keys off that tag; following one shortcut into another was enough to make SmartScreen fail to apply the tag to the nested shortcut, so its payload ran with no prompt. A file disguised as a JPEG, a double-click, no prompt, and the host is compromised. Microsoft patched it on February 13, 2024, and CISA added it to the Known Exploited Vulnerabilities catalog the same day with a March 5 remediation deadline and the ransomware flag.
Why a “feature bypass” is worse than it sounds
Most vulnerabilities are about an attacker doing something they shouldn’t be able to do. A security-feature bypass is subtler and, in some ways, nastier: it’s about a defense not doing something it should. Nothing visibly breaks. The user isn’t tricked into ignoring a warning; the warning never shows up. The protection layer is silently absent at the one moment it was supposed to matter.
That’s corrosive to the awareness training every organization runs, because that training is implicitly a deal with the user: be cautious, heed the prompts, and you’ll be okay. CVE-2024-21412 breaks the deal. The user who does everything right, hesitates, watches for the SmartScreen warning, sees none, and proceeds, gets compromised anyway. You can’t train your way around a warning that doesn’t fire. The user did their part; the control didn’t.
It’s a treadmill, not a one-off
Here’s the part that should set your expectations. CVE-2024-21412 is itself a bypass of an earlier SmartScreen fix, CVE-2023-36025, which Microsoft had patched in November 2023, three months earlier. Water Hydra looked at the fix, found a way around it, and kept going. And this isn’t an isolated pair; SmartScreen and Mark-of-the-Web bypasses have been a recurring genre, patched and re-bypassed in a steady cycle, because the feature is a high-value target. Anything that stands between a phishing payload and execution will be attacked relentlessly, and a warning prompt is a softer target than a memory-safety boundary.
The conclusion to draw isn’t that SmartScreen is worthless. It catches a real volume of low-effort attacks and it’s worth having on. The conclusion is that it’s a speed bump, not a wall, and a defense built on the assumption that users will reliably get a warning is built on something attackers defeat on a schedule. Plan for the prompt to be absent.
What to do
- Apply the February 2024 cumulative update. It closes this specific bypass across Windows 10, 11, and Server 2019/2022. Given it was an exploited zero-day and a bypass of a prior fix, treat it as a priority, not a routine rollup.
- Don’t rely on SmartScreen as a primary control. Keep it enabled, but layer underneath it. The defenses that don’t depend on a user heeding a prompt are the ones that hold when the prompt fails.
- Neutralize the delivery vehicle. This attack rides .url internet shortcut files, often disguised as documents or images and delivered by phishing. Block or quarantine .url (and .lnk) files at the email gateway and on download, since they have almost no legitimate reason to arrive as attachments, and identify them by content rather than by extension, because a renamed shortcut is still a shortcut. Bear in mind that Explorer hides the .url and .lnk extensions even when "show file extensions" is on, so photo.jpg.url is displayed as photo.jpg; configure file-type handling so a shortcut masquerading as a JPEG can’t execute on a double-click.
- Lean on attack-surface-reduction and execution controls. Application control (WDAC or AppLocker), ASR rules that block executable content arriving from email and webmail clients or spawned by Office, and EDR behavioral detection all catch the post-click execution regardless of whether SmartScreen warned. These are the layers that work when the warning doesn’t.
- Reframe the user message. “Watch for the warning” is incomplete advice. Pair it with “don’t open unexpected files even if nothing warns you,” because the absence of a prompt is not a safety signal.
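As an added example of what "neutralize the delivery vehicle" looks like at a gateway, and of the Mark-of-the-Web tag the bug fails to apply, here is a small triage routine. It is not code from the original page, nor from Microsoft or Trend Micro. It identifies .url and .lnk attachments by content rather than extension (so a renamed shortcut is still caught), flags the double-extension disguise and the nested-shortcut pattern described above (a .url whose URL= entry points at another .url on a remote share), and parses the Zone.Identifier stream that carries the mark. It goes slightly beyond the text by also handling raw UNC targets and the .lnk header. The sample files and the 192.0.2.10 host are constructed, and the extension lists are assumptions, not a reference policy.

```python
"""Attachment triage for the .url delivery vehicle described above.
Added example; the samples below are constructed, not captured malware."""
from __future__ import annotations

import re
from dataclasses import dataclass, field
from urllib.parse import urlsplit

# Shortcut types that have almost no reason to arrive as attachments.
SHORTCUT_EXTS = (".url", ".lnk")
# Extensions a shortcut is commonly disguised with (assumption, not exhaustive).
DISGUISE_EXTS = (".jpg", ".jpeg", ".png", ".pdf", ".doc", ".docx", ".xls", ".xlsx")
# Target extensions that mean "run code" rather than "open a web page" (assumption).
EXEC_EXTS = (".exe", ".msi", ".hta", ".js", ".vbs", ".cmd", ".bat", ".dll", ".cpl", ".lnk")
# Shell link (.lnk) header: HeaderSize 0x4C, then LinkCLSID
# 00021401-0000-0000-C000-000000000046 in on-disk byte order.
LNK_MAGIC = b"L\x00\x00\x00" + b"\x01\x14\x02\x00\x00\x00\x00\x00\xc0\x00\x00\x00\x00\x00\x00\x46"


@dataclass
class Verdict:
    kind: str                      # "url", "lnk" or "other"
    target: str | None = None      # URL= value for .url files
    findings: list[str] = field(default_factory=list)

    @property
    def block(self) -> bool:
        # Policy from the text: shortcuts are refused outright; findings only add detail.
        return self.kind in ("url", "lnk")


def sniff(data: bytes) -> str:
    """Classify by content so a renamed shortcut is still caught."""
    if data.startswith(LNK_MAGIC):
        return "lnk"
    head = data.lstrip(b"\xef\xbb\xbf \t\r\n")[:18]   # skip BOM/whitespace
    return "url" if head.lower() == b"[internetshortcut]" else "other"


def url_target(data: bytes) -> str | None:
    """Extract the URL= entry of an [InternetShortcut] file."""
    text = data.decode("utf-8", errors="replace")
    m = re.search(r"^\s*URL\s*=\s*(.+?)\s*$", text, re.I | re.M)
    return m.group(1) if m else None


def analyse_target(target: str) -> list[str]:
    """Describe where a shortcut points: remote share, nested .url, executable."""
    findings = []
    t = target.strip().strip('"')
    if t.startswith("\\\\"):                       # raw UNC path \\host\share\file
        scheme, host, path = "unc", t[2:].split("\\", 1)[0], t.replace("\\", "/")
    else:
        parts = urlsplit(t)
        scheme, host, path = parts.scheme.lower(), parts.netloc, parts.path
    low = path.lower()
    if scheme in ("file", "unc") and host:
        findings.append(f"target is on a remote share ({host})")
    if low.endswith(".url"):
        findings.append("shortcut points at another .url (nested shortcut)")
    elif low.endswith(EXEC_EXTS):
        findings.append(f"shortcut launches executable content ({low.rsplit('.', 1)[-1]})")
    return findings


def triage(name: str, data: bytes) -> Verdict:
    """Gateway decision for one attachment: content first, then the target."""
    low = name.lower()
    v = Verdict(kind=sniff(data))
    if v.kind == "other" and low.endswith(SHORTCUT_EXTS):
        v.kind = low.rsplit(".", 1)[-1]            # trust the extension, still refuse
        v.findings.append("shortcut extension with unrecognised content")
    elif v.kind != "other" and not low.endswith(SHORTCUT_EXTS):
        v.findings.append("shortcut content hiding behind a non-shortcut extension")
    if v.block and low.endswith(SHORTCUT_EXTS) and low[:-4].endswith(DISGUISE_EXTS):
        v.findings.append(f"double extension disguises shortcut as {low[:-4].rsplit('.', 1)[-1]}")
    if v.kind == "url":
        v.target = url_target(data)
        v.findings.extend(analyse_target(v.target) if v.target else ["no URL= entry"])
    return v


def motw_zone(zone_identifier: bytes | None) -> int | None:
    """Parse the Zone.Identifier stream that carries the Mark-of-the-Web.
    None in means the stream is absent; None out means it carries no ZoneId."""
    if zone_identifier is None:
        return None
    m = re.search(r"^\s*ZoneId\s*=\s*(\d+)", zone_identifier.decode("utf-8", "replace"), re.I | re.M)
    return int(m.group(1)) if m else None


def smartscreen_prompts(zone: int | None) -> bool:
    """ZoneId 3 (Internet) or 4 (Restricted) is what makes the prompt fire;
    a file that reached disk without the stream gets no prompt at all."""
    return zone is not None and zone >= 3


# Constructed samples modelled on the attachment style described above.
OUTER_URL = (b"[InternetShortcut]\r\n"
             b"URL=file://192.0.2.10/share/photo_2023-12-29.jpg.url\r\n"
             b"IconIndex=0\r\n")
RENAMED_LNK = LNK_MAGIC + b"\x00" * 56
PLAIN_WEB_URL = b"[InternetShortcut]\r\nURL=https://example.com/\r\n"
ZONE_STREAM = b"[ZoneTransfer]\r\nZoneId=3\r\nHostUrl=https://example.com/\r\n"

if __name__ == "__main__":
    for name, data in [("photo_2023-12-29.jpg.url", OUTER_URL),
                       ("invoice.pdf", RENAMED_LNK), ("docs.url", PLAIN_WEB_URL)]:
        v = triage(name, data)
        print(f"{name}: {'BLOCK' if v.block else 'allow'} {v.findings}")
    print("prompt with MotW:", smartscreen_prompts(motw_zone(ZONE_STREAM)))
    print("prompt, stream absent:", smartscreen_prompts(motw_zone(None)))
```

The decision to block is taken on the file kind alone, as the text recommends; the findings exist so an analyst can see why a particular sample was dangerous (remote share, nested .url, renamed .lnk) rather than to gate the verdict. On a real Windows host the Zone.Identifier bytes would come from the file's alternate data stream; here they are passed in directly so the parser runs anywhere.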
The reframe is about where you put your trust. A security warning is a control that depends on two things working: the software correctly detecting the risk, and the user correctly responding to it. CVE-2024-21412 breaks the first half, silently, and there’s a long history of bugs that do the same. So treat the SmartScreen prompt as a helpful bonus, not a load-bearing defense, and make sure the controls that don’t ask the user anything are the ones holding up the structure. We flag these security-feature-bypass entries specifically, because they’re the bugs that make your defenses fail quietly, which is the most dangerous way for a defense to fail.
Sources
- CISA Known Exploited Vulnerabilities Catalog
- NVD CVE-2024-21412 — 2024-02-13
- Microsoft MSRC: CVE-2024-21412 — 2024-02-13
- Trend Micro: Water Hydra targets traders with SmartScreen zero-day (CVE-2024-21412) — 2024-02
- Trend Micro: DarkGate operators exploit Windows SmartScreen bypass — 2024-03
- Cyble: Rising exploitation of Microsoft SmartScreen CVE-2024-21412 — 2024
Related field notes
- The same crew beat the same defense twice in three months. The patch was the problem.
  CVE-2023-24880 let Magniber ransomware bypass SmartScreen with malformed MSI signatures. It worked because Microsoft's earlier fix for nearly the same bug addressed one symptom and left the root cause standing. Narrow patches invite variants, and the attacker just comes back.
- BlueKeep: the wormable RDP bug Microsoft patched Windows XP for
  CVE-2019-0708 was a pre-authentication, wormable RCE in Windows Remote Desktop. Microsoft was scared enough of a WannaCry repeat that it shipped patches for end-of-life XP and Server 2003. The worm never fully came, but the lesson did: RDP doesn't belong on the internet.
- Scattered Spider didn't need a zero-day. They brought a decade-old driver Windows still loads.
  CVE-2015-2291 is a vulnerable Intel Ethernet driver. Scattered Spider loaded it to reach the kernel and patch out Defender, CrowdStrike, SentinelOne, and Palo Alto in memory. It's the classic bring-your-own-vulnerable-driver attack, and the defenses are switches you can flip today.