Technical Advisory: SMB Hash Hijacking and User Tracking in MS Outlook

Vendor: Microsoft

Vendor URL:

Systems Affected: Microsoft Outlook

Author: Soroush Dalili

CVE Identifiers:,

Risk: Medium – Possible SMB Hash Hijacking or User Tracking


Microsoft Outlook could be abused to send SMB handshakes externally after a victim opening or simply viewing an email. A WebDAV request was sent even when the SMB port was blocked. This could be used to crack a victim’s password when the SMB hash was sent externally, or to receive a notification when an email had been viewed by a victim.

This issue was exploited using Outlook default settings that blocked loading external resources such as image files.


Emails that are received in Outlook can contain malicious HTML contents.


Attackers could obtain victims’ SMB hash to crack their password when the SMB hash was allowed to be sent externally (default setting). Alternatively, active email addresses could be enumerated as notification could be sent to attackers without victims’ consent when an email was viewed.


A number of URI schemes and URI patterns were identified that could be used in a number of HTML tags to bypass restrictions of Outlook default settings that blocked the “” pattern URLs and loading external resources such as image files.

The following blog post include the details of the identified payloads:


Apply patches for CVE-2017-8572 (July 2017) and CVE-2017-11927 (May 2018).

About NCC Group

NCC Group is a global expert in cyber security and risk mitigation, working with businesses to protect their brand, value and reputation against the ever-evolving threat landscape. With our knowledge, experience and global footprint, we are best placed to help businesses identify, assess, mitigate respond to the risks they face. We are passionate about making the Internet safer and revolutionizing the way in which organizations think about cyber security.

Written by:  Soroush Dalili

Call us before you need us.

Our experts will help you.

Get in touch
%d bloggers like this: