Connect with us

Hi, what are you looking for?


Identity & Access

New NTLM Hash Leak Attacks Target Outlook, Windows Programs

Varonis finds one vulnerability and three attack methods that can be used to obtain NTLM hashes via Outlook and two Windows programs.

Data security firm Varonis has disclosed a new vulnerability and three attack methods for obtaining NTLM v2 hashes by targeting Microsoft Outlook and two Windows programs. 

The new vulnerability is tracked as CVE-2023-35636. It has been assigned an ‘important’ severity rating by Microsoft, which fixed it with its December 2023 Patch Tuesday updates. The remaining issues have been assigned a ‘moderate’ severity rating and currently remain unpatched, Varonis said. 

NTLM v2 is a protocol used to authenticate users to remote servers. An NTLM v2 hash of a user’s password can be valuable for malicious actors as they could either launch a brute-force attack and obtain the plaintext password, or they could use the hash directly for authentication.

Varonis showed that an attacker could exploit CVE-2023-35636 to obtain NTLM hashes by sending a specially crafted email to the targeted Outlook user.

The vulnerability leverages a calendar sharing function in Outlook. The attacker needs to send an email containing two specially crafted headers: one informs Outlook that the message contains sharing content and the other points the victim’s Outlook session to a server controlled by the attacker. 

If the victim clicks on ‘Open this iCal’ in the malicious message, their device attempts to obtain the configuration file from the attacker’s server, with the NTLM hash getting exposed during the authentication process. 

Another way of obtaining the NTLM v2 hash is by abusing the Windows Performance Analyzer (WPA) tool, which is often used by developers. Varonis researchers discovered that a special URI handler is used to process WPA-related links, but it attempts to authenticate using NTLM v2 over the open internet, which exposes the NTLM hash. 

This method involves sending an email that contains a link designed to redirect the victim to a malicious WPA payload on a site controlled by the attacker.

Advertisement. Scroll to continue reading.

The remaining two attack methods uncovered by Varonis involve abuse of the Windows File Explorer. Unlike WPA, which is mainly found on the machines of software developers, File Explorer is present on every Windows computer. 

There are two variations of the File Explorer attack, both involving the attacker sending a malicious link to the targeted user via email, social media or other channels. 

“Once the victim clicks the link, the attacker can obtain the hash and then try to crack the user’s password offline,” Varonis explained. “Once the hash has been cracked and the password obtained, an attacker can use it to log on to the organization as the user. With this payload, the explorer.exe will try to query for files with the .search-ms extension.”

Related: Russian APT Used Zero-Click Outlook Exploit

Related: Microsoft Patches Another Already-Exploited Windows Zero-Day

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.


Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Gain valuable insights from industry professionals who will help guide you through the intricacies of industrial cybersecurity.


Join us for an in depth exploration of the critical nature of software and vendor supply chain security issues with a focus on understanding how attacks against identity infrastructure come with major cascading effects.


Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Identity & Access

Zero trust is not a replacement for identity and access management (IAM), but is the extension of IAM principles from people to everyone and...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...


A researcher at IOActive discovered that home security systems from SimpliSafe are plagued by a vulnerability that allows tech savvy burglars to remotely disable...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...


Patch Tuesday: Microsoft calls attention to a series of zero-day remote code execution attacks hitting its Office productivity suite.


Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.