The Zero-Click Credential Heist: How a Simple Image File Can Empty Your Domain Admin Accounts

Listen to this Post

Featured Image

Introduction:

A new, highly sophisticated attack vector is exploiting Microsoft Office’s legacy document embedding capabilities to execute zero-click credential theft. Unlike traditional malware that requires user interaction, this threat leverages a seemingly harmless Rich Text Format (RTF) file containing a packaged OLE object, which automatically triggers a connection to a remote server upon simply being opened or, in some cases, even previewed in the Windows File Explorer pane. This technique bypasses macro security and uses a trusted Windows protocol to steal NTLMv2 hashes, which can then be cracked or relayed for immediate domain compromise.

Learning Objectives:

  • Understand the mechanics of the OLE embedding and SMB hash theft attack chain.
  • Learn to detect and block malicious RTF files at the network and endpoint level.
  • Implement mitigation strategies to prevent NTLMv2 relay and cracking attacks.

You Should Know:

1. The Anatomy of the Malicious RTF File

The core of this attack lies in a deceptively simple RTF document. The file contains a hidden OLE (Object Linking and Embedding) object that is programmed to automatically retrieve its data from a remote, attacker-controlled server. The magic of the `\\objupdate` control word is what makes this attack “zero-click.” When a vulnerable version of Word processes the document, it does not wait for the user to double-click an icon; it immediately attempts to update the embedded object by connecting to the specified remote server using the Server Message Block (S3) protocol. This automatic network authentication is the critical failure point, as it sends the user’s NTLMv2 hash directly to the attacker.

2. How the Attacker Captures Your Credential Hash

Once the victim’s machine initiates the SMB connection to the attacker’s server, the handshake process begins. The attacker’s machine, running a tool like `responder` or impacket-smbserver, does not need to authenticate legitimately. Instead, it captures the NTLMv2 challenge-response exchange. This hash is not the plaintext password, but it is cryptographically derived from it and is vulnerable to offline brute-force attacks.

Attacker’s Command (Linux):

 Start Responder to listen on the network interface and capture hashes
sudo responder -I eth0 -wrf

Step-by-step guide:

  1. The attacker configures a tool like `responder` on a machine within the network or sets up a public server.
  2. They craft the malicious RTF file with the OLE object pointing to their server’s IP address (e.g., \\192.168.1.100\malicious\file).
  3. The file is delivered via phishing email or a malicious download link.
  4. When the victim opens the file, their system sends an SMB authentication request to the attacker’s IP.
    5. `Responder` captures the NTLMv2 hash, which will look something like Username::Domain:Challenge:NTProofStr:Response.
  5. This hash is saved to a file for offline cracking.

3. Cracking the Captured NTLMv2 Hash

With the hash in hand, the attacker’s next step is to recover the plaintext password. This is done using powerful brute-forcing or wordlist attacks. Tools like `hashcat` leverage GPU acceleration to test billions of password candidates per second.

Attacker’s Command (Linux with Hashcat):

 Crack the captured hash using the rockyou.txt wordlist
hashcat -m 5600 captured_hashes.txt /usr/share/wordlists/rockyou.txt -O -w 3

Step-by-step guide:

  1. The attacker transfers the captured hash file from `responder` to a machine with a powerful GPU.
  2. They identify the correct hash mode for Hashcat; `5600` corresponds to NTLMv2.
  3. Using a large wordlist (like rockyou.txt), Hashcat computes the NTLMv2 hash for each password and compares it to the captured one.
  4. If the user’s password is weak or found in the wordlist, Hashcat will display the cracked plaintext password, often in a matter of seconds or minutes.

5. The attacker now has valid domain credentials.

4. Lateral Movement with Pass-the-Hash

Even without cracking the password, the attacker can often use the NTLM hash itself for lateral movement. This is known as a Pass-the-Hash (PtH) attack. Many services and systems accept the hash as a valid credential, eliminating the need to ever know the plaintext password.

Attacker’s Command (Linux with Impacket):

 Use the captured NTLM hash to execute a command on a remote machine
python3 psexec.py 'DOMAIN/[email protected]' -hashes 'LMhash:NThash' -codec cp850

Step-by-step guide:

  1. The attacker uses the `secretsdump.py` tool from the Impacket suite to dump hashes from the initially compromised machine, potentially revealing a local administrator password.
  2. They discover other machines on the network where the same local admin password is used.
  3. Using the `psexec.py` script and the captured hash, they authenticate to the next machine and gain a command shell.
  4. This process repeats, allowing them to traverse the network, potentially escalating to a Domain Admin account.

5. Network-Based Detection with Wireshark

Security teams can detect this attack by monitoring network traffic for suspicious SMB connections originating from client workstations.

Analyst’s Wireshark Filter:

 Filter for SMB traffic from a specific client IP to an external IP
ip.src == 10.1.1.50 and nbns and ip.dst != 10.1.1.0/24

Step-by-step guide:

  1. Capture traffic on a network span port or use an Endpoint Detection and Response (EDR) agent.
  2. Apply a filter for NetBIOS Name Service (NBNS) or SMB protocol traffic from an internal IP to an unknown external IP address.
  3. Look for TCP `SYN` packets from a client to a suspicious IP on port 445, followed by SMB session setup requests.
  4. Correlate this activity with the user who opened a suspicious file around the same timestamp.

6. Endpoint Hardening: Disabling NTLM and SMBv1

The most effective mitigation is to disable the vulnerable legacy protocols altogether. Modern networks should use Kerberos authentication and SMBv3.

Windows Group Policy (via PowerShell):

 Disable NTLM authentication on a domain level via GPO
 Navigate to: Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options
 Set "Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers" to "Deny All"

Disable SMBv1 on a single machine (requires reboot)
Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force

Step-by-step guide:

  1. On a Domain Controller, open the Group Policy Management Console.
  2. Edit the relevant GPO and navigate to the Security Options section.
  3. Find the policies related to NTLM and configure them to audit or deny outgoing NTLM traffic.
  4. To disable SMBv1, use the PowerShell command above or deploy a GPO that sets the `EnableSMB1Protocol` registry key to 0.
  5. Test applications thoroughly to ensure compatibility before full enforcement.

7. Application Control and Attachment Filtering

Preventing the initial delivery and execution of the malicious file is crucial. This can be achieved through stringent email filtering and application whitelisting.

Microsoft 365 Defender for Office 365 / Exchange Online Protection:
Enable Safe Attachments policies to route all email attachments to a detonation sandbox before delivery.
Create mail flow rules to block emails with RTF attachments or those containing specific OLE control words.

Windows Application Control with AppLocker / WDAC:

<!-- A sample WDAC policy rule to block untrusted Word processes -->
<Rule Type="Publisher" Id="...">
<Conditions>
<FilePublisherCondition PublisherName="" ProductName="Microsoft Office" BinaryName="WINWORD.EXE"/>
</Conditions>
</Rule>

Step-by-step guide:

  1. In your email security gateway, create a rule that blocks or sandboxes files with `.rtf` extensions.
  2. Implement application control policies like AppLocker or Windows Defender Application Control (WDAC) to restrict which applications can run.
  3. Configure policies to allow only signed, trusted versions of `winword.exe` to execute, preventing weaponized documents from spawning malicious processes.

What Undercode Say:

  • The attack surface has shifted from user-executed code to abused, trusted functionality. The “zero-click” aspect is a game-changer, reducing the attacker’s reliance on social engineering.
  • Defense-in-depth is non-negotiable. Relying solely on endpoint antivirus or user training is insufficient against these file-format exploits. A combination of network segmentation, protocol hardening, application control, and robust monitoring is required.

This attack demonstrates a clear evolution in credential access techniques. Attackers are moving away from noisy exploits and towards “quieter” methods that abuse intended features of the Windows ecosystem. The simplicity and effectiveness of forcing an SMB connection make this a persistent threat. For blue teams, this underscores the critical importance of disabling legacy protocols like NTLM and SMBv1, which have long been identified as security risks. The fact that such attacks are still viable highlights the challenges of maintaining backward compatibility in enterprise environments.

Prediction:

The success of this OLE-based zero-click attack will catalyze a new wave of file-format exploitation. We predict a rise in weaponized documents targeting other embedded object types and protocols beyond SMB, such as HTTP(s) for web-based authentication theft or even cloud storage APIs. Furthermore, as Microsoft continues to harden Office and Windows, attackers will pivot to targeting other popular document viewers and productivity suites that may have similar legacy support for dynamic content retrieval. The principle of “abusing trust without a click” will become a foundational tactic in the initial access playbook, making application control and protocol-level security more critical than ever.

🎯Let’s Practice For Free:

IT/Security Reporter URL:

Reported By: Activity 7392976361209987072 – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow UndercodeTesting & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin | 🦋BlueSky