Microsoft faces two distinct threat vectors this week. ClickOnce, a built-in .NET application deployment technology, is being actively weaponized to deliver malware and establish persistence without requiring administrative privileges, exploiting trusted Windows processes (dfsvc.exe, rundll32.exe) to evade signature-based controls. Separately, Windows Script Host (WScript.exe) is the delivery mechanism for the WhatsApp VBScript campaign installing ManageEngine RMM as a backdoor. Both attack chains exploit legitimate, signed Microsoft components, invalidating privilege-separation and signature-based defenses that most Windows security architectures rely on.