Vulnerability Management, Threat Intelligence

Windows NTLM token exfiltration possible with forced authentication exploits

Windows NT LAN Manager (NTLM) tokens could be exposed in a new attack that leverages forced authentication through a custom Microsoft Access file, The Hacker News reports. According to a report from Check Point, threat actors could exploit Access' linked table feature by embedding an .accdb file that links to a remote SQL Server database in a Microsoft Word document. Opening the file and clicking the linked table triggers the authentication process, and the victim's valid NTLM response is delivered to the remote server. "This feature can be abused by attackers to automatically leak the Windows user's NTLM tokens to any attacker-controlled server, via any TCP port, such as port 80. The attack can be launched as long as the victim opens an .accdb or .mdb file. In fact, any more-common Office file type (such as a .rtf) can work as well," said researcher Haifei Li. The attack has emerged after Microsoft revealed plans to favor Kerberos over NTLM in Windows 11 in a bid to strengthen security.
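A defender-side complement to the report, added here and not part of the SC Media or Check Point write-up: the Windows policy "Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers" governs whether a client answers a remote NTLM challenge at all, on any port, which is the behaviour the described attack relies on. The registry path, values and event ID below are Microsoft's documented ones; the function names are this example's own.

```powershell
# Added defensive example (not from the SC Media report or the Check Point research).
# Audits, and optionally enforces, "Restrict NTLM: Outgoing NTLM traffic to remote servers".
# Documented values: 0 = Allow all, 1 = Audit all (logs Event ID 8001), 2 = Deny all.

$Key    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
$Name   = 'RestrictSendingNTLMTraffic'
$Labels = @{ 0 = 'Allow all'; 1 = 'Audit all'; 2 = 'Deny all' }

function Get-OutgoingNtlmPolicy {
    $v = (Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue).$Name
    if ($null -eq $v) { $v = 0 }   # an absent value means the default: outgoing NTLM allowed
    [pscustomobject]@{ Value = [int]$v; Setting = $Labels[[int]$v] }
}

function Set-OutgoingNtlmPolicy {
    param([ValidateSet(0, 1, 2)][int]$Value)
    New-Item -Path $Key -Force | Out-Null              # create MSV1_0 key if it is missing
    Set-ItemProperty -Path $Key -Name $Name -Value $Value -Type DWord
}

# Start in audit mode so legitimate NTLM dependencies surface before anything is blocked.
Set-OutgoingNtlmPolicy -Value 1
Get-OutgoingNtlmPolicy

# Event 8001 records each outgoing NTLM authentication that Deny mode would block,
# including the target server name, so a client authenticating to an unexpected host
# over a port such as 80 stands out in this list.
Get-WinEvent -LogName 'Microsoft-Windows-NTLM/Operational' -ErrorAction SilentlyContinue |
    Where-Object Id -eq 8001 |
    Select-Object TimeCreated, Message -First 20
```

Once the audit log shows only expected destinations, re-run `Set-OutgoingNtlmPolicy -Value 2` to deny outgoing NTLM; run the script from an elevated PowerShell session, since the key is under HKLM.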
