An attacker who captures a user's NTLMv2 hash — through a single malicious link click in email, chat, or a web page — can authenticate to internal systems as that user without ever knowing their password. For organizations using Windows in Active Directory environments, this can escalate to domain administrator access if a privileged account is targeted, putting file servers, email, financial systems, and backups at risk. Microsoft will not issue a fix, meaning this exposure is permanent until the organization deploys compensating controls, and any gap in those controls constitutes an ongoing, unmitigated credential theft risk that regulators and cyber insurers will ask about directly.
You Are Affected If
You run any supported version of Microsoft Windows (Windows 10, Windows 11, Windows Server 2016/2019/2022/2025) in a domain-joined or standalone enterprise environment
Outbound SMB traffic (TCP 445) from workstations to external internet IPs is not blocked at your perimeter firewall or internal segmentation controls
NTLM authentication is enabled in your environment (the default for all Windows deployments not explicitly configured for Kerberos-only)
Users can open email, browse the web, or access documents that contain hyperlinks — no additional software or privilege is required for exploitation
You have not deployed registry-level restrictions on the 'search:' or 'ms-search:' URI protocol handlers and have not enforced SMB signing enterprise-wide
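The five conditions above can be checked on a single host with the read-only PowerShell audit below. It is an added example, not part of the advisory and not a Microsoft tool: it uses the scheme names as the list gives them ('search' and 'ms-search'), assumes those handlers live under HKLM:\SOFTWARE\Classes\<scheme>, and treats an enabled outbound Block rule covering remote port 445 as evidence of a host-level SMB block (perimeter and segmentation blocks have to be verified on the network devices themselves). It changes nothing on the host and prints one row per condition.

```powershell
# Added example (not from the advisory): read-only audit of the exposure
# conditions listed above on one Windows host. Run from an elevated session.
# Registry paths and the firewall-rule matching logic are assumptions.

$findings = @()

# 1. Windows version: every supported client and server release is in scope,
#    so this row is informational only.
$os = Get-CimInstance -ClassName Win32_OperatingSystem
$findings += [pscustomobject]@{
    Check   = 'Windows version'
    Value   = "$($os.Caption) ($($os.Version))"
    Exposed = $true
    Note    = 'All supported versions are affected; no vendor fix expected'
}

# 2. Host firewall: any enabled outbound Block rule whose port filter covers
#    remote TCP 445? (Does not prove the perimeter blocks it.)
$smbBlock = Get-NetFirewallRule -Direction Outbound -Action Block -Enabled True -ErrorAction SilentlyContinue |
    Where-Object { ($_ | Get-NetFirewallPortFilter).RemotePort -contains '445' }
$findings += [pscustomobject]@{
    Check   = 'Outbound TCP 445 blocked (host firewall)'
    Value   = [bool]$smbBlock
    Exposed = -not [bool]$smbBlock
    Note    = 'Verify perimeter and segmentation blocks separately'
}

# 3. NTLM outbound restriction. Policy "Network security: Restrict NTLM:
#    Outgoing NTLM traffic to remote servers" stores 0 = allow, 1 = audit,
#    2 = deny in RestrictSendingNTLMTraffic under MSV1_0.
$msv = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0' -ErrorAction SilentlyContinue
$restrict = if ($null -ne $msv.RestrictSendingNTLMTraffic) { [int]$msv.RestrictSendingNTLMTraffic } else { 0 }
$findings += [pscustomobject]@{
    Check   = 'Outgoing NTLM to remote servers restricted'
    Value   = @('Allow all', 'Audit all', 'Deny all')[$restrict]
    Exposed = ($restrict -ne 2)
    Note    = 'Audit mode (1) only logs; deny (2) is the blocking setting'
}

# 4. URI protocol handlers named in the list: still registered as URL protocols?
#    A scheme is considered active when its key exists and carries the
#    'URL Protocol' value that tells the shell to hand the URI to a handler.
foreach ($scheme in @('search', 'ms-search')) {
    $key = "HKLM:\SOFTWARE\Classes\$scheme"   # assumed location of the handler
    $props = if (Test-Path $key) { Get-ItemProperty -Path $key -ErrorAction SilentlyContinue } else { $null }
    $active = ($null -ne $props) -and ($null -ne $props.'URL Protocol')
    $findings += [pscustomobject]@{
        Check   = "URI handler '${scheme}:' registered"
        Value   = $active
        Exposed = $active
        Note    = 'Restrict or remove the handler via policy if not needed'
    }
}

# 5. SMB signing required on both the client and server side of this host.
$cli = Get-SmbClientConfiguration
$srv = Get-SmbServerConfiguration
$findings += [pscustomobject]@{
    Check   = 'SMB signing required (client / server)'
    Value   = "$($cli.RequireSecuritySignature) / $($srv.RequireSecuritySignature)"
    Exposed = -not ($cli.RequireSecuritySignature -and $srv.RequireSecuritySignature)
    Note    = 'Must be enforced enterprise-wide, not just on this host'
}

$findings | Format-Table -AutoSize

# Non-zero exit code when any condition other than the informational
# version row is still exposed, so the script can feed a compliance job.
$open = @($findings | Where-Object { $_.Exposed -and $_.Check -ne 'Windows version' }).Count
Write-Host "Open exposure conditions: $open"
exit ([int]($open -gt 0))
```

Run it per host from your endpoint management tooling and keep the output with the compensating-control evidence; a row that flips from Exposed = False back to True is the drift the talking points below ask to be tracked.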
Board Talking Points
Microsoft has declined to fix a known Windows security weakness that lets an attacker steal employee login credentials with a single malicious link click, affecting every Windows computer in our environment.
We are implementing firewall blocks and authentication policy changes this week to close the exposure without waiting for a vendor patch — these controls need to be validated and tracked as permanent compensating measures.
If we take no action, any employee who clicks a crafted link in an email or web page could expose their credentials to an attacker, potentially giving that attacker access to internal systems and sensitive data with no further barriers.
HIPAA — NTLMv2 hash capture targeting domain accounts can expose access to systems containing electronic protected health information (ePHI); credential compromise is a reportable risk under HIPAA Security Rule §164.312(d)
PCI-DSS — If Windows workstations are in or connected to the cardholder data environment (CDE), NTLM credential theft creates a direct path to systems in scope under PCI-DSS Requirement 8 (Identify and Authenticate Access) and Requirement 10 (Log and Monitor)