Block MSHTA.exe in Windows: A Simple Hardening Win Most Businesses Miss

Garry BloomGarry Bloom · Founder & Senior IT Manager
22 January 2026
5 min read
ITSupportPerth
CyberSecurity
Microsoft365
Intune
ManagedIT

If you’re relying on antivirus and a firewall alone, there’s a good chance you’re leaving a door open that attackers use every day.

One of the most common “quiet” tools abused in Windows environments is MSHTA.exe—a legitimate Windows component that can be turned into a malware launcher with minimal effort. We see this pattern regularly when cleaning up suspicious activity in Microsoft 365 and endpoint environments.

This is one of those changes that feels small… until it prevents a very expensive incident.


What is MSHTA.exe (and why does it exist)?

MSHTA.exe is a built-in Windows binary used to run Microsoft HTML Applications (HTA files). HTAs are like webpages packaged as executable applications, and they can run scripts (often JavaScript or VBScript) with the user’s permissions.

That sounds old-school because it is. In most modern business environments—especially those standardised on Microsoft 365, modern browsers, and SaaS apps—HTAs are rarely required.


Why attackers love MSHTA.exe (the real risk)

MSHTA is popular with threat actors because it’s a “living-off-the-land” binary—meaning it’s already on the machine, signed by Microsoft, and doesn’t look suspicious at first glance.

Attackers use it to:

  • Launch malicious scripts without dropping an obvious “malware.exe”

  • Execute code pulled from the internet (or from an email attachment) in seconds

  • Blend in with normal Windows activity, reducing the chance of quick detection

In practical terms, it’s often used as a stepping stone to run PowerShell payloads, credential theft tooling, or ransomware staging activity.

What most businesses don’t realise is that “legitimate Windows processes” can be just as dangerous as unknown executables when attackers know how to abuse them.


Do you actually need HTA in your business?

For most organizations (especially 55–100 staff), the answer is “no”.

You might need to keep MSHTA enabled if you have:

  • Legacy line-of-business apps that explicitly rely on HTA

  • Older internal tools or scripts built years ago (common in manufacturing, logistics, and some finance workflows)

If you’re not sure, that’s a sign to test and validate rather than leaving it open by default.


The recommended defence: block MSHTA.exe

A strong security posture isn’t just adding more security tools—it’s removing the tools attackers use against you.

Blocking MSHTA is a classic “hardening” move that reduces your attack surface with minimal user impact.

Common ways to block it:

  • AppLocker rules (allow-listing approach, best for managed environments)

  • Software Restriction Policies (SRP) (older but still used in some domains)

  • Microsoft Defender Attack Surface Reduction (ASR) rules (ideal in Microsoft 365 + Defender setups)

The “right” method depends on whether you manage devices with Intune, Group Policy, or a mix.


Don’t just block it—monitor for it

Even if you block MSHTA, you also want visibility. Monitoring helps you answer:

  • Did someone try to run it?

  • Which user/device triggered it?

  • Was it part of a broader attack chain?

In a well-managed environment, MSHTA executions should be rare. If you suddenly see it firing on endpoints, treat that as a yellow (or red) flag—especially if it’s being launched from user profile paths, temp folders, or via suspicious command lines.


The human layer: awareness still matters

Many MSHTA-driven attacks start the same way most breaches do:

  • A convincing email

  • A link to a “document”

  • A user rushing between meetings

Quick wins that reduce this risk:

  • Regular phishing awareness reminders (short and practical beats long and ignored)

  • Clear guidance: “If a file prompts you to enable content/run something—pause and ask”

  • Tight controls on script execution where appropriate (PowerShell, WSH, macros)

Security works best when your people aren’t expected to “guess” what’s safe.


Need a second opinion on your endpoint hardening?

If you’re a Perth business and you’re not sure whether MSHTA is still allowed—or how to block it safely without breaking legitimate workflows—we help businesses with this every week.

If this sounds familiar, message us and we’ll point you in the right direction (or help you implement it properly across your fleet).

Garry Bloom
Written by
Garry Bloom
Founder & Senior IT Manager · 25+ years in IT

Garry founded Computer Mechanics — the business behind IT Support Perth — in 1997. With more than 25 years in IT management and support across internal and external service environments, he leads the team's technical direction and its cybersecurity and managed-IT strategy for Perth businesses.

Meet the IT Support Perth team →
Garry Bloom
22 January 2026
5 min read
ITSupportPerth
CyberSecurity
Microsoft365
Intune
ManagedIT

Stay Updated with IT Insights

Get the latest cybersecurity tips and technology insights delivered to your inbox

Related Articles

4 IT Gaps Small Businesses Overlook (and How to Close Them)

Most Perth businesses aren't undone by one huge disaster — it's the small IT gaps that stack up: missing MFA, delayed patching, old access nobody removed, and untested backups. Here's how teams under 50 users can close them. From Computer Mechanics, Perth IT specialists since 1997.

5 min read

How to Safely Offboard an Employee (and Protect Your Company Data)

When a staff member leaves, their access is a security risk until it's properly closed off. A practical Perth-business checklist for offboarding an employee without losing data or leaving a door open. From Computer Mechanics, Perth IT specialists since 1997.

5 min read

5 Signs Your Business Has Outgrown Your Current IT Guy

One trusted 'IT guy' works — until it doesn't. Here are five clear signs a Perth business has outgrown break-fix IT and needs a proper managed IT team. From Computer Mechanics, Perth IT specialists since 1997.

5 min read

Need Expert IT Support?

Get personalized advice from our Perth IT experts. Free consultation available.

Related Content

Continue Reading

Explore more insights and expert advice on IT support, cybersecurity, and digital transformation

Your Messages Are "Encrypted" — But the FBI Just Read Them Anyway. Here's What Every Perth Business Needs to Know.
CyberSecurity
ITSupportPerth

Your Messages Are "Encrypted" — But the FBI Just Read Them Anyway. Here's What Every Perth Business Needs to Know.

Most small business owners believe end-to-end encryption means their messages are completely private. A recent FBI case proves that assumption is dangerously incomplete.

5 min read
4/15/2026
What’s new in SMB1001:2026?
SMB1001
SMB10012026

What’s new in SMB1001:2026?

SMB1001:2026 updates for Perth SMBs: Mandatory DMARC from Silver tier, 5 maturity levels, Essential Eight alignment. Get certified, cut insurance costs, win tenders—start your roadmap today!

5 min read
2/25/2026
Stop Guessing About Cyber Attacks – Here's the Reality
Intune
ManagedIT

Stop Guessing About Cyber Attacks – Here's the Reality

Discover why 95% of cyber breaches start with email clicks, not hackers – and how Perth businesses can stop them. Learn simple Microsoft 365 Conditional Access setup with MFA, Intune, and report-only mode for secure access without downtime. Get our expert fix now.

5 min read
1/19/2026