Two intelligence items this week document active and emerging abuse of Microsoft’s ClickOnce deployment framework (.appref-ms, .application files, dfsvc.exe) as an initial access and persistence mechanism that bypasses privilege-based endpoint defenses without requiring administrator rights. No CVE or vendor patch exists — this is technique abuse of legitimate built-in Windows functionality. Organizations with unmonitored ClickOnce execution and no AppLocker or WDAC coverage for .appref-ms files carry material undetected persistence risk.