Microsoft Account Passwords at Risk Because of Windows Flaw

Users' Microsoft account data, and even VPN credentials, are at risk of being hijacked because of a flaw in Windows' old authentication procedures for shared network resources.

All a crook has to do is embed a link to an SMB resource (network share) inside a Web page or an email that is opened via Outlook. The link can be hidden inside image tags, but when clicked it redirects users to a network share hosted on the attacker's network.

The attack works if the link is accessed via Internet Explorer, Outlook or Edge. Once users access the link, their computers will automatically send the attacker their Microsoft account username and password. Even though the attacker will receive the Microsoft account password as an NTLM hash, not in clear text, it is proven that these hashes are not difficult to crack.
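A defensive check for the kind of link described above, as an added example that is not part of the original article: it scans an HTML page or email body for tag attributes that point at an SMB share (a `file://host/...` URL or a `\\host\share` UNC path) on a non-local host. The function names, the attribute list, the local address ranges and the rule that single-label hostnames count as LAN hosts are assumptions of this sketch, and the sample HTML is constructed.

```python
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

URL_ATTRS = {"src", "href", "background", "data", "action"}  # assumed list
UNC_RE = re.compile(r"^\\\\([^\\/]+)")  # \\host\share (backslashes only)
LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "fc00::/7", "fe80::/10", "::1/128")]

def smb_host(value):
    """Return the remote host if value names an SMB/UNC resource, else None."""
    value = value.strip()
    m = UNC_RE.match(value)
    if m:
        return m.group(1)
    parsed = urlparse(value)
    if parsed.scheme.lower() != "file":
        return None  # http(s) and protocol-relative //host/ URLs are not SMB
    if parsed.hostname:
        return parsed.hostname  # file://host/share
    m = re.match(r"/{2,}([^/]+)", parsed.path)  # file:////host/share
    return m.group(1) if m else None  # file:///C:/... has no remote host

def is_external(host):
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return "." in host  # assumption: single-label names are LAN hosts
    return not any(ip in net for net in LOCAL_NETS)

class SmbRefFinder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            host = smb_host(value) if name in URL_ATTRS and value else None
            if host and is_external(host):
                self.findings.append((tag, name, host))

def find_external_smb_refs(html):
    finder = SmbRefFinder()
    finder.feed(html)
    return finder.findings

# Constructed sample: only the first two references leave the local network.
SAMPLE_HTML = r'''<img src="file://203.0.113.5/share/pixel.png" width="1">
<a href="\\files.example.net\docs\report.docx">Report</a>
<img src="\\192.168.1.20\public\logo.png"><img src="//cdn.example.com/b.png">'''
```

A mail gateway or web proxy could run a check like this and strip or quarantine content that returns findings, which complements the port 445 egress block recommended at the end of the article.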

Microsoft has known about this problem since 1997, and it has been a subject of discussion many times.

This potential threat arrived with Windows 8 and each subsequent version, as users were able to authenticate on their computers using their Microsoft accounts. Windows accounts with machine-local usernames and passwords became a thing of the past, and with the launch of Windows 10 the new authentication method became more and more popular.

This attack can not only send the user's Microsoft login information to the attacker, it can also indirectly leak data for other Microsoft resources. This is because Microsoft recently started linking all its online properties to the user's same Microsoft account. According to ValdikSS from ProstoVPN, the attackers will be able to get access to many other programs and services like Xbox, Skype, Office 365, MSN, OneDrive, Azure, Bing etc.

What's even more concerning is that if a user is using a VPN connection to surf the Internet and loads the malicious SMB resource, the attacker would be able to get their hands on the user's VPN account credentials.

This problem has been around for 19 years now and it is still not fixed.

“Microsoft successfully fixed some issues, some other issues were half-fixed, and other ones are not fixed at all and could be exploited up to this day,” ValdikSS explains. “The problem of transmitting account credentials to the SMB server over the internet is one of the not fixed ones.”

Users are advised to protect themselves by blocking all outgoing SMB connections (port 445) via the Windows firewall, except for local networks, and, most importantly, not to use their Microsoft account to log in to their computers.
