Proxying Your Way to Code Execution – A Different Take on DLL Hijacking
ID: d114df9b-71be-590d-a598-ee97c01823a8
STIX ID: report--d114df9b-71be-590d-a598-ee97c01823a8
Feed Name: Black Hills Infosec Blog
This blog describes a DLL proxying technique enabling low-privilege attackers to run malicious code inside trusted processes (Outlook, Teams, msedge, etc.) by abusing writable AppData DLLs or HKCU COM registry entries; it includes discovery methodology, proof-of-concepts, an automation tool (FaceDancer), weaponization details (delayed execution in DllMain and Cobalt Strike payloads), and notes that Microsoft acknowledged the findings but declined to patch them.
