Likelihood: HIGH
Impact: HIGH
Treatment: MITIGATE
Confidence: Moderate
Likelihood is high because ClickOnce weaponization requires no administrative privileges, relies on by-design Windows/.NET behavior present in every standard enterprise environment, and can be delivered through a single phishing link or email attachment, a consistently high-volume threat vector in corporate environments. Exploitation at scale is unconfirmed, but the technique is fully documented and accessible. Impact is high because the payload installs, persists, and self-updates from user-writable AppData, so it survives common remediation actions such as password resets; that gives the attacker durable post-compromise access that can support credential theft, lateral movement, or ransomware staging before detection.
Treatment rationale: The attack surface is broad (every ClickOnce-enabled Windows workstation), the technique bypasses standard privilege-based controls, and the persistence mechanism undermines conventional incident response — active control improvements (detection tuning, AppData monitoring, deployment policy hardening) are required to reduce both likelihood and residual impact to an acceptable level.
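The treatment rationale names AppData monitoring and detection tuning as the controls that reduce this risk. As an added example (not part of the original assessment and not vendor or project tooling), the PowerShell script below inventories a single user's ClickOnce footprint so those controls have something concrete to act on: it reads the .appref-ms shortcuts ClickOnce drops in the user's Start Menu and Desktop, parses the deployment manifests cached under the per-user ClickOnce store, lists processes running out of that store or the ClickOnce launcher dfsvc.exe, and flags any deployment whose update source is not HTTPS or not on an allowlist. It assumes the documented cache location %LOCALAPPDATA%\Apps\2.0, that .appref-ms files are UTF-16 text of the form "<deployment URL>#<identity>", and a placeholder allowlist host apps.corp.example that you replace with your own vetted vendor and LOB hosts.

```powershell
# Added example for per-user ClickOnce inventory (not from the original assessment).
# Assumptions: cache lives at %LOCALAPPDATA%\Apps\2.0; .appref-ms shortcuts are
# UTF-16 text "<deployment URL>#<identity>"; $AllowedHosts is a placeholder.
param(
    [string[]]$AllowedHosts = @('apps.corp.example')   # assumption: replace with vetted hosts
)

$ClickOnceCache = Join-Path $env:LOCALAPPDATA 'Apps\2.0'

function Get-ClickOnceShortcuts {
    # Installed ClickOnce apps are launched through .appref-ms shortcuts; the part
    # before '#' is the deployment URL the app was installed from and updates from.
    $roots = @(
        (Join-Path $env:APPDATA 'Microsoft\Windows\Start Menu\Programs'),
        [Environment]::GetFolderPath('Desktop')
    )
    Get-ChildItem -Path $roots -Filter '*.appref-ms' -Recurse -ErrorAction SilentlyContinue |
        ForEach-Object {
            $raw = Get-Content -Path $_.FullName -Encoding Unicode -Raw
            $url = ($raw -split '#', 2)[0].Trim()
            $uri = $url -as [uri]          # $null if the shortcut is malformed
            [pscustomobject]@{
                Shortcut      = $_.FullName
                DeploymentUrl = $url
                Host          = if ($uri) { $uri.Host } else { $null }
                Scheme        = if ($uri) { $uri.Scheme } else { $null }
                LastWrite     = $_.LastWriteTime
            }
        }
}

function Get-ClickOnceCacheManifests {
    # Deployment manifests in the per-user cache carry the deploymentProvider
    # codebase, i.e. the URL the installed app will self-update from.
    if (-not (Test-Path $ClickOnceCache)) { return }
    Get-ChildItem -Path $ClickOnceCache -Recurse -Include '*.application', '*.manifest' -ErrorAction SilentlyContinue |
        ForEach-Object {
            $xml = $null
            try { $xml = [xml](Get-Content -Path $_.FullName -Raw -ErrorAction Stop) } catch { }
            if (-not $xml) { return }
            # Namespace-agnostic lookup: manifests mix the asmv1/asmv2 namespaces.
            $provider = $xml.SelectSingleNode("//*[local-name()='deploymentProvider']")
            if (-not $provider) { return }     # application manifests have no provider; skip them
            $identity = $xml.SelectSingleNode("//*[local-name()='assemblyIdentity']")
            $uri = $provider.codebase -as [uri]
            [pscustomobject]@{
                Manifest  = $_.FullName
                AppName   = $identity.name
                Version   = $identity.version
                UpdateUrl = $provider.codebase
                Host      = if ($uri) { $uri.Host } else { $null }
                Scheme    = if ($uri) { $uri.Scheme } else { $null }
                LastWrite = $_.LastWriteTime
            }
        }
}

function Get-ClickOnceProcesses {
    # Anything executing from the cache, plus the ClickOnce launcher dfsvc.exe,
    # is what endpoint detection should correlate against the inventory above.
    Get-Process -ErrorAction SilentlyContinue |
        Where-Object { $_.ProcessName -eq 'dfsvc' -or ($_.Path -and $_.Path -like "$ClickOnceCache\*") } |
        Select-Object Id, ProcessName, Path
}

function Find-SuspiciousClickOnce {
    param([string[]]$Allowed)
    $items = @(Get-ClickOnceShortcuts) + @(Get-ClickOnceCacheManifests)
    foreach ($i in $items) {
        $reasons = @()
        if ($i.Scheme -ne 'https')       { $reasons += 'update source is not https' }
        if ($i.Host -notin $Allowed)     { $reasons += 'host not on allowlist' }
        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                Item   = if ($i.PSObject.Properties['Shortcut']) { $i.Shortcut } else { $i.Manifest }
                Url    = if ($i.PSObject.Properties['DeploymentUrl']) { $i.DeploymentUrl } else { $i.UpdateUrl }
                Reason = $reasons -join '; '
            }
        }
    }
}

Write-Host "== ClickOnce shortcuts =="
Get-ClickOnceShortcuts | Format-Table Shortcut, DeploymentUrl, LastWrite -AutoSize
Write-Host "== Cached deployment manifests =="
Get-ClickOnceCacheManifests | Format-Table AppName, Version, UpdateUrl, LastWrite -AutoSize
Write-Host "== Processes running from the ClickOnce cache / dfsvc =="
Get-ClickOnceProcesses | Format-Table -AutoSize
Write-Host "== Findings (non-https or non-allowlisted update sources) =="
Find-SuspiciousClickOnce -Allowed $AllowedHosts | Format-Table -AutoSize
```

Run it in the context of the user being investigated (the cache and shortcuts are per-profile, which is exactly why a password reset does not remove them). For fleet-wide AppData monitoring, schedule the same inventory through your endpoint agent and alert on new shortcuts or manifests whose update host is not on the allowlist, and on dfsvc.exe launching a process from a cache path that has no matching allowlisted manifest.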
Third-Party / Supply-Chain Risk
Organizations using third-party SaaS or LOB vendors that deliver applications via ClickOnce manifests inherit the same attack surface through those distribution channels; because installed ClickOnce applications self-update from the deployment provider URL in their manifest, a compromised or spoofed vendor update URL could serve as a trusted delivery vector. Managed service providers operating shared Windows environments are also an exposure point if ClickOnce policy is not uniformly enforced across tenants. Per NIST SP 800-161 supply chain risk principles, vendor delivery mechanisms should be treated as an attack surface requiring vetting.
Loss Exposure (illustrative)
Magnitude: Moderate-to-high; illustrative $250K–$2M per incident, scaling with dwell time and whether persistence enables ransomware or large-scale data exfiltration
Frequency: Illustrative 1–3 successful compromise events per year for a mid-to-large enterprise with broad ClickOnce exposure and standard email-borne phishing volumes, absent specific mitigating controls
Annualized: Illustrative ALE $250K–$6M annually (frequency range multiplied by magnitude range), representing low-frequency high-impact scenarios (ransomware staging or regulatory breach) weighted against higher-frequency lower-impact endpoint containment events
Basis (magnitude): Incident response and forensic cost of re-imaging affected endpoints and validating AppData directories organization-wide. The elevated cost driver is persistence that survives standard remediation, which extends dwell time and IR scope. The upper range reflects scenarios where ClickOnce-delivered second-stage tooling enables lateral movement, data exfiltration, or ransomware deployment, with associated downtime, regulatory exposure, and reputational cost.
Basis (frequency): Phishing delivery volume in enterprise environments combined with the low-friction exploitation path (no privilege required, no UAC bypass needed), offset by assumed baseline email gateway and endpoint detection controls. No external report figures were used.
Illustrative estimate — not actuarially derived.
Insurance / Contractual / Legal — Potential Obligations
Potential triggers, not legal determinations. Verify with counsel/broker before acting.
• Confirmed compromise of endpoints via this technique resulting in exfiltration of personal or regulated data may invoke breach-notification obligations under applicable state or federal law — verify with counsel.
• Durable post-compromise persistence that enables ransomware staging or data exfiltration could trigger cyber-insurance incident-reporting notice requirements — verify with broker.
• If ClickOnce-delivered malware propagates across a shared or managed environment, contractual service-level or data-protection obligations with downstream customers may be implicated — verify with counsel.