Likelihood: HIGH
Impact: HIGH
Treatment: MITIGATE
Confidence: Moderate
Likelihood is high because the attack requires no administrative privileges, exploits a trusted and widely enabled Windows deployment framework, and is delivered through .application/.appref-ms files that standard mail gateways and endpoint controls frequently do not inspect, which lowers the bar for successful delivery across a broad endpoint fleet. Impact is high because a successful compromise yields a persistent, self-updating foothold that survives standard re-imaging if the ClickOnce directory is not explicitly wiped, enabling prolonged dwell time, opportunity for lateral movement, and data exfiltration before detection.
Treatment rationale: The attack surface is well defined and technically reducible. Restricting or disabling ClickOnce deployment zones, blocking the .application and .appref-ms file types at perimeter and endpoint layers, and adding behavioral detection for dfsvc.exe or rundll32.exe spawning unexpected child processes directly reduce exposure without eliminating a business-critical capability for most organizations.
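The behavioral-detection control named above, as an added example that is not part of this assessment: a rule that flags dfsvc.exe, or rundll32.exe hosting dfshim.dll, as the parent of a child process it should not normally spawn. The field names mirror Sysmon-style process-creation telemetry, the events are constructed, and both the suspicious-child list and the assumption that a legitimately deployed application runs from the per-user ClickOnce application cache are baselines to tune, not facts taken from the page.

```python
import ntpath
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Launcher binaries named in the assessment: dfsvc.exe is the ClickOnce
# deployment service; rundll32.exe acts as a ClickOnce launcher only when it
# hosts dfshim.dll, so a plain rundll32.exe parent is not enough on its own.
CLICKONCE_SHIM_DLL = "dfshim.dll"

# Assumed baseline (tune per environment): a legitimately deployed ClickOnce
# application executes from the per-user ClickOnce application cache.
APP_CACHE_MARKER = "\\appdata\\local\\apps\\2.0\\"

# Assumed list of children a deployment launcher should never spawn.
SUSPICIOUS_CHILDREN = {
    "cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
    "mshta.exe", "certutil.exe", "bitsadmin.exe", "regsvr32.exe", "msiexec.exe",
}


@dataclass(frozen=True)
class ProcessCreateEvent:
    """Minimal process-creation record (Sysmon Event ID 1 style field names)."""
    parent_image: str
    parent_command_line: str
    image: str
    command_line: str
    user: str


def _basename(path: str) -> str:
    # ntpath handles Windows separators regardless of the host platform.
    return ntpath.basename(path).lower()


def is_clickonce_launcher(ev: ProcessCreateEvent) -> bool:
    """True when the parent process is a ClickOnce deployment launcher."""
    parent = _basename(ev.parent_image)
    if parent == "dfsvc.exe":
        return True
    return parent == "rundll32.exe" and CLICKONCE_SHIM_DLL in ev.parent_command_line.lower()


def classify(ev: ProcessCreateEvent) -> Optional[str]:
    """Severity for an unexpected ClickOnce child, or None if benign or out of scope."""
    if not is_clickonce_launcher(ev):
        return None
    child = _basename(ev.image)
    if child in SUSPICIOUS_CHILDREN:
        return "high"    # interpreter or LOLBin spawned by the deployment framework
    if APP_CACHE_MARKER in ev.image.lower():
        return None      # the deployed application itself starting: expected
    return "medium"      # something outside the cache launched by the framework


def detect(events: List[ProcessCreateEvent]) -> List[Tuple[str, ProcessCreateEvent]]:
    """Run the rule over a batch of events and return (severity, event) hits."""
    hits: List[Tuple[str, ProcessCreateEvent]] = []
    for ev in events:
        sev = classify(ev)
        if sev is not None:
            hits.append((sev, ev))
    return hits


# Constructed sample telemetry (not real captures). Paths follow the usual
# .NET Framework and ClickOnce cache layout; user and host names are invented.
DFSVC = r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe"
RUNDLL = r"C:\Windows\System32\rundll32.exe"
CACHE_APP = r"C:\Users\alice\AppData\Local\Apps\2.0\A1B2C3D4.E5F\F6E7D8C9.A0B\Payroll.exe"
SAMPLE_EVENTS = [
    # 0. Normal: dfsvc.exe starts the deployed app from the ClickOnce cache.
    ProcessCreateEvent(DFSVC, "dfsvc.exe", CACHE_APP, "Payroll.exe", "CORP\\alice"),
    # 1. Deployment service spawning a shell: never expected.
    ProcessCreateEvent(DFSVC, "dfsvc.exe",
                       r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                       "powershell.exe -w hidden", "CORP\\alice"),
    # 2. rundll32 hosting the ClickOnce shim, then launching cmd.exe.
    ProcessCreateEvent(RUNDLL,
                       "rundll32.exe dfshim.dll,ShOpenVerbApplication https://deploy.example.test/App.application",
                       r"C:\Windows\System32\cmd.exe", "cmd.exe /c whoami", "CORP\\alice"),
    # 3. rundll32 hosting an unrelated DLL: out of scope for this rule.
    ProcessCreateEvent(RUNDLL, "rundll32.exe shell32.dll,Control_RunDLL",
                       r"C:\Windows\System32\cmd.exe", "cmd.exe", "CORP\\bob"),
    # 4. Ordinary interactive shell launch: out of scope.
    ProcessCreateEvent(r"C:\Windows\explorer.exe", "explorer.exe",
                       r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                       "powershell.exe", "CORP\\bob"),
    # 5. dfsvc.exe launching a binary outside the cache: worth a look.
    ProcessCreateEvent(DFSVC, "dfsvc.exe", r"C:\Users\alice\Downloads\updater.exe",
                       "updater.exe", "CORP\\alice"),
]

if __name__ == "__main__":
    for severity, ev in detect(SAMPLE_EVENTS):
        print(f"[{severity}] {ev.user}: {_basename(ev.parent_image)} -> {ev.image}")
```

Run stand-alone it reports events 1, 2 and 5 and stays silent on the normal cache launch and on the two rundll32/explorer events that have nothing to do with ClickOnce. The dfshim.dll check matters: alerting on every rundll32.exe child would drown the rule in noise from unrelated DLL hosting.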
Third-Party / Supply-Chain Risk
Organizations that permit employees to install ClickOnce applications from external vendor or SaaS provider URLs are exposed to supply-chain weaponization: a compromised or spoofed vendor deployment endpoint can deliver a malicious .application manifest through a trusted delivery channel, bypassing both sender-reputation controls and code-signing validation if the attacker obtains or mimics a valid certificate. NIST SP 800-161 framing: third-party software deployment channels become an untrusted ingress path whose integrity the acquiring organization cannot directly control.
Loss Exposure (illustrative)
Magnitude: high — illustrative $500K–$5M per incident, reflecting detection-and-containment costs on a large endpoint fleet, forensic scoping of dwell period, potential data-exposure notification, and productivity loss from re-imaging and recovery operations
Frequency: Illustrative 1–2 incidents per 3-year horizon for an organization with a large Windows endpoint fleet and no current .application/.appref-ms file-type controls in place, given active attacker interest in living-off-the-land deployment techniques
Annualized: illustrative ALE of approximately $170K–$3.3M, derived from the mid-range loss magnitude ($2.75M) × illustrative frequency (0.4–0.6 events/year)
Basis: Loss magnitude driven by: (1) incident-response and forensic cost scaling with fleet size and dwell time enabled by the auto-update persistence mechanism; (2) potential notification costs if exfiltrated data includes PII or regulated data; (3) re-imaging scope elevated by ClickOnce directory persistence surviving standard wipe cycles. Frequency driven by: low detection friction for the attacker, broad exposure across any Windows org permitting ClickOnce, and growing attacker interest in trusted-process abuse as EDR coverage increases. No third-party actuarial or benchmark figures are used.
Illustrative estimate — not actuarially derived.
Insurance / Contractual / Legal — Potential Obligations
Potential triggers, not legal determinations. Verify with counsel/broker before acting.
• Confirmed compromise with data access may invoke state and federal breach-notification obligations — verify with counsel.
• Persistent, undetected attacker dwell enabled by control gaps may affect cyber-insurance coverage eligibility or claims outcome under 'reasonable security controls' policy language — verify with broker.
• If ClickOnce-delivered malware affects systems processing cardholder data or PHI, PCI-DSS and HIPAA incident-response and notification requirements may be triggered — verify with counsel.