
Windows ‘Search’ Flaw Lets Hackers Steal NTLMv2 Hashes With a Single Link
A newly disclosed, unpatched flaw in Windows’ built‑in search URI handler lets attackers steal NTLMv2 password hashes simply by luring victims into clicking a crafted link. For corporate networks already under pressure from state‑backed and criminal actors, the bug opens a fresh path for relay attacks and lateral movement — until Microsoft ships a fix.
Corporate Windows networks are facing a new, unpatched security gap that turns something as mundane as clicking a link into a potential credential theft. A flaw in the operating system’s built‑in search URI handler allows attackers to siphon off NTLMv2 password hashes, opening the door to relay attacks that can give intruders deeper access across an organization.
Security researchers disclosed on 3 June that a previously unknown vulnerability in Windows’ “search:” URI mechanism can be abused to make a victim’s machine automatically attempt to authenticate to an attacker‑controlled server. When a user clicks a crafted link — in an email, chat, document, or web page — Windows can be tricked into sending the user’s NTLMv2 authentication hash to a remote host without further interaction. Those captured hashes are not plaintext passwords, but they can be used in so‑called relay attacks or, in some cases, cracked offline, giving attackers a foothold inside corporate domains.
For employees, the risk is invisible. They may see only a link that appears to trigger a search or open a file, unaware that in the background their computer is reaching out to a hostile server and leaking authentication material. Because the flaw abuses core Windows behavior rather than a specific application, it can be exploited through many channels: phishing emails, instant‑messaging platforms, malicious documents, or even QR codes posted in physical locations.
For security teams and IT departments, the stakes are significant. NTLM hashes are often a stepping stone in targeted intrusions: once attackers capture and relay them, they can impersonate users to access internal web applications, file shares, or other services that accept NTLM authentication. From there, skilled adversaries can move laterally, escalate privileges, and plant more persistent backdoors. Organizations that rely heavily on Windows domains, especially those already in the crosshairs of state‑backed or financially motivated groups, now face an additional, easy‑to‑weaponize vector.
Strategically, the bug lands at a time when Western governments are warning of heightened cyber activity by Russian, Chinese, Iranian, and North Korean actors, and as many enterprises are still wrestling with legacy authentication protocols. NTLM remains deeply embedded in countless environments despite years of guidance to migrate toward Kerberos and modern, token‑based authentication. A single, unpatched weakness in how Windows handles “search:” links can therefore have outsized impact, providing a low‑friction way to harvest credentials at scale.
The vulnerability is particularly attractive to attackers because it does not require them to compromise infrastructure inside the target network first. They can operate from internet‑facing servers, send lures en masse, and wait for users to take the bait. Even security‑conscious employees who avoid opening suspicious attachments may not recognize the danger in what looks like a simple search link.
Key Takeaways
- A newly disclosed, unpatched flaw in Windows’ built‑in “search:” URI handler can be abused to steal NTLMv2 authentication hashes when a user clicks a crafted link.
- Captured hashes can be used in relay attacks to impersonate users inside corporate networks and gain access to internal services.
- The vulnerability is application‑agnostic, making it exploitable via email, chat, documents, and any other medium that can carry links.
- Organizations that still rely heavily on NTLM are especially exposed, as the flaw taps into a long‑standing but difficult‑to‑replace authentication protocol.
- Until Microsoft releases a patch, mitigations depend on configuration changes, network controls, and user awareness.
Outlook & Way Forward
In the short term, defenders will need to lean on mitigation rather than a definitive fix. That may include blocking outbound SMB traffic to untrusted IP ranges, restricting or unregistering the vulnerable URI handler where feasible, tightening email and web‑filtering policies around “search:” links, and monitoring for unusual NTLM authentication patterns that could indicate hash capture or relay attempts.
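Two of the interim mitigations above, filtering inbound messages for "search:" links and watching firewall logs for outbound SMB (TCP 445) to untrusted address ranges, can be prototyped in a few lines. The following is an added defender-side example, not code from the article or from Microsoft; the log line format, the trusted corporate ranges, and the sample message and log lines are all constructed for illustration, and the link check flags any URI using the "search:" scheme rather than assuming a particular crafted payload, since the article does not describe one.

```python
"""
Added example (not part of the original article): two small checks that map
onto the interim mitigations it lists.

  1. find_search_links()  - flag "search:" scheme URIs in message text so a
                            mail or web filter can quarantine them for review.
  2. flag_external_smb()  - parse firewall log lines and report outbound SMB
                            (TCP 445) connections to addresses outside the
                            organization's trusted ranges.

The log format, trusted ranges and sample data are constructed assumptions.
"""
import ipaddress
import re
from typing import Dict, List

# Any URI using the "search:" scheme is flagged (case-insensitive). The article
# gives no payload details, so the conservative stance is to review every
# occurrence rather than pattern-match a specific crafted form.
SEARCH_URI_RE = re.compile(r"\bsearch:[^\s\"'<>]+", re.IGNORECASE)


def find_search_links(text: str) -> List[str]:
    """Return every search: URI found in a message body or web page."""
    return SEARCH_URI_RE.findall(text)


# Constructed firewall log format (assumption, not any real product's format):
#   <timestamp> <action> proto=<proto> src=<ip>:<port> dst=<ip>:<port>
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>\S+) proto=(?P<proto>\w+) "
    r"src=(?P<src>[\d.]+):(?P<sport>\d+) dst=(?P<dst>[\d.]+):(?P<dport>\d+)$"
)

SMB_PORT = 445

# Constructed allow-list standing in for the ranges an organization trusts for
# SMB (its own RFC 1918 space plus loopback). A real deployment would add
# sanctioned partner ranges here; anything else is "untrusted".
TRUSTED_RANGES = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
    ipaddress.ip_network("127.0.0.0/8"),
]


def is_untrusted(ip: str) -> bool:
    """True when the address falls outside every trusted range."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in TRUSTED_RANGES)


def flag_external_smb(lines: List[str]) -> List[Dict[str, str]]:
    """Return outbound SMB connections whose destination is untrusted.

    Lines that do not match the expected format are skipped rather than
    raising, so one malformed line cannot abort the sweep.
    """
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        rec = m.groupdict()
        if rec["proto"].lower() != "tcp" or int(rec["dport"]) != SMB_PORT:
            continue
        if is_untrusted(rec["dst"]):
            hits.append({"ts": rec["ts"], "src": rec["src"],
                         "dst": rec["dst"], "action": rec["action"]})
    return hits


# Constructed sample data. The "search:" link below is a placeholder, not a
# working payload; 203.0.113.45 is a documentation-range address standing in
# for an attacker-controlled host.
SAMPLE_MESSAGE = (
    "Quarterly report attached. Click search:example-parameter=placeholder "
    "to open the folder.\nRegular link: https://intranet.example/reports"
)

SAMPLE_LOG = [
    "2024-06-03T10:01:02Z ALLOW proto=tcp src=10.1.5.23:51234 dst=10.1.0.7:445",
    "2024-06-03T10:01:09Z ALLOW proto=tcp src=10.1.5.23:51240 dst=203.0.113.45:445",
    "2024-06-03T10:01:10Z ALLOW proto=tcp src=10.1.5.23:51241 dst=203.0.113.45:443",
    "garbage line that should be skipped",
]


if __name__ == "__main__":
    print("search: links found:", find_search_links(SAMPLE_MESSAGE))
    for hit in flag_external_smb(SAMPLE_LOG):
        print(f"[alert] {hit['ts']} {hit['src']} -> {hit['dst']}:445 ({hit['action']})")
```

On the sample data only the second log line is reported: the first is SMB to an internal file server and the third is HTTPS to the same external host, which this check deliberately ignores so that the alert stays specific to the SMB path the article describes. An allow-list of trusted ranges is used instead of a generic "is this address private" test because the decision an organization actually has to make is which destinations are sanctioned for SMB, not which are technically routable.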
Over the longer term, the incident will add momentum to efforts to phase out NTLM where possible and to adopt multi‑factor authentication and more modern identity protocols. But those transitions are complex and slow, especially in large or legacy‑heavy environments.
Adversaries, meanwhile, are likely to move quickly. Public disclosure of a reliable exploit path typically triggers rapid weaponization in phishing kits and by more sophisticated operators. Until Microsoft ships and widely deploys a patch, organizations that run Windows at scale should assume this flaw is being actively probed — and treat it as another reason to harden identity, not just endpoints.
Sources
- OSINT