Threat Feed
Advisory, severity: medium

NetNTLM Hash Phishing via Archive Extraction (CVE-2025-59284)

A phishing technique, potentially still viable due to incomplete patching, allows attackers to obtain NetNTLM hashes from archive extraction on Windows systems (CVE-2025-59284).

A vulnerability, tracked as CVE-2025-59284, enables attackers to capture NetNTLM hashes from Windows systems through a specially crafted archive file. This technique exploits how Windows handles file extraction, potentially forcing authentication requests to a malicious server controlled by the attacker. The vulnerability was presented at BsidesLjubljana in March 2026, suggesting recent active research and potential exploitation. The original Reddit post indicates that the Microsoft patch might…

Detection coverage (2 rules)

Detect Suspicious Outbound NTLM Authentication

medium

Detects outbound NTLM authentication attempts to non-local or unusual domains, indicative of potential NTLM relay or credential theft attacks.

Format: sigma; tactics: credential_access; techniques: T1187; sources: network_connection, windows

Detect UNC Path in Archive Files

low

Detects archive files containing UNC paths, which could be used to trigger NTLM authentication to a malicious server.

Format: sigma; tactics: initial_access; techniques: T1566.001; sources: file_event, windows
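As an added illustration of what the second rule looks for (example code written for this page, not the platform's Sigma rule), the following scans a zip archive for entry names that are UNC paths, in both backslash and forward-slash form, since zip writers on Windows normalise the separator. The archive contents and the host name in it are constructed placeholders, not indicators from the advisory.

```python
import io
import re
import zipfile

# An entry name that resolves to a UNC location: \\host\share\... or //host/share/...,
# optionally in the long-path form \\?\UNC\host\share\...
UNC_PATTERN = re.compile(r"^(\\\\|//)(\?[\\/]UNC[\\/])?[^\\/]+[\\/][^\\/]+")


def is_unc_entry(name: str) -> bool:
    """Return True if an archive entry name points at a UNC share."""
    return UNC_PATTERN.match(name) is not None


def find_unc_entries(archive_bytes: bytes) -> list[str]:
    """Return the names of every entry in a zip archive that is a UNC path.

    Entry names are read from the central directory only; nothing is extracted,
    so the scan itself never touches the path the entry names.
    """
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        return [info.filename for info in zf.infolist() if is_unc_entry(info.filename)]


def build_sample_archive() -> bytes:
    """Constructed sample for testing: one benign entry and one UNC-named entry.

    The host name is a placeholder (assumption for the example), not a real indicator.
    On Windows, zipfile rewrites the backslashes to "/" when writing the entry;
    the scanner accepts both forms.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("report/readme.txt", "benign content")
        zf.writestr("\\\\host-placeholder.example\\share\\report.docx", "x")
    return buf.getvalue()


if __name__ == "__main__":
    for entry in find_unc_entries(build_sample_archive()):
        print("UNC path in archive entry:", entry)
```

Flagged entries are a signal to quarantine the archive for review; the rule's MITRE mapping (T1566.001) and the event source (file_event) are taken from the page, not from this script.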
