Yet another LNK flaw allows for target spoofing, yet executes any DLL, including remote ones via WebDAV. Even worse, unless you installed the Feb 2026 updates, MotW will be ignored.
Besides updating, your best defence is to look for RunDLL32 + Shell32 + Control_RunDLL executions with non-standard targets. After all, most users click accept on those MotW prompts.
See how this works on https://github.com/wietze/lnk-it-up
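
One way to express the RunDLL32 + Shell32 + Control_RunDLL check described above, as an added example that is not part of the original post or the linked repository. It assumes a "standard" target is a .cpl file given as a bare name or located in the Windows system directories; the function names and sample command lines are constructed for illustration.

```python
import re

# Assumption (not from the post): a "standard" target is a .cpl file given as a
# bare name or located in the Windows system directories. Tune to your baseline.
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")

# rundll32 [path\]shell32[.dll],Control_RunDLL* <target>
PATTERN = re.compile(
    r'rundll32(?:\.exe)?"?\s+"?(?:[^",]*\\)?shell32(?:\.dll)?"?\s*,\s*'
    r'Control_RunDLL\w*\s+(?P<rest>.+)$',
    re.IGNORECASE,
)

def extract_target(rest):
    """Return the first argument after Control_RunDLL, minus quotes and ',...' suffixes."""
    rest = rest.strip()
    if rest.startswith('"'):
        return rest[1:].split('"', 1)[0]
    return rest.split(",", 1)[0].strip()

def assess(cmdline):
    """None if not a Control_RunDLL launch, else a list of reasons (empty = looks standard)."""
    m = PATTERN.search(cmdline)
    if not m:
        return None
    target = extract_target(m.group("rest")).lower().replace("/", "\\")
    for var in ("%systemroot%", "%windir%"):
        target = target.replace(var, "c:\\windows")
    reasons = []
    if target.startswith("\\\\") or "davwwwroot" in target:
        reasons.append("remote-target")       # UNC or WebDAV path
    if not target.endswith(".cpl"):
        reasons.append("not-a-cpl")           # e.g. a plain DLL
    if "\\" in target and not target.startswith(SYSTEM_DIRS):
        reasons.append("outside-system-dir")  # full path outside System32/SysWOW64
    return reasons

# Constructed sample command lines (not taken from the post or the linked repository).
SAMPLES = [
    r'"C:\Windows\System32\rundll32.exe" shell32.dll,Control_RunDLL timedate.cpl',
    r'rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL "C:\Windows\System32\desk.cpl",,2',
    r'rundll32 shell32.dll,Control_RunDLL C:\Users\Public\update.dll',
    r'rundll32.exe shell32,Control_RunDLL "\\files.example@SSL\DavWWWRoot\share\panel.cpl"',
    r'rundll32.exe url.dll,FileProtocolHandler https://example.com',
]

if __name__ == "__main__":
    for line in SAMPLES:
        print(assess(line), "<-", line)
```

Feed it process-creation command lines (for example Sysmon Event ID 1 or Security 4688 with command-line logging) and alert on any non-empty result.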