Exploiting Microsoft Access "Linked Table" Feature for NTLM Forced Authentication Attacks
Originally Published 2 years ago — by Check Point Research

Researchers at Check Point have discovered a method to abuse the "Linked Table" feature in Microsoft Access, allowing attackers to perform NTLM forced authentication attacks. By tricking victims into opening a specially crafted .accdb or .mdb file, the attacker can leak the victim's NTLM tokens to an attacker-controlled server via any TCP port, bypassing firewall rules designed to block NTLM information stealing. NTLM is an outdated authentication protocol with known vulnerabilities, including brute-force attacks, pass-the-hash attacks, and relay attacks. Check Point recommends blocking outbound traffic through ports 139 and 445, disabling macros in MS-Access, and avoiding opening attachments from unsolicited sources to mitigate the risk.
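Because the leak described above is not limited to ports 139 and 445, a port-independent check over captured egress payloads is a useful complement to the port rules. The following is an added example, not code from Check Point: the flow tuple layout, the internal ranges, and the sample traffic are assumptions constructed for illustration, and the field offsets follow the NTLM message layout in MS-NLMP.

```python
import ipaddress
import struct

SIG = b"NTLMSSP\x00"  # signature that starts every NTLM message (MS-NLMP)
TYPES = {1: "NEGOTIATE", 2: "CHALLENGE", 3: "AUTHENTICATE"}
# Assumption: the organisation's internal ranges; adjust to the real address plan.
INTERNAL = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def find_ntlm(payload):
    """Return (type_name, domain, user) for the first NTLM message in payload, else None."""
    start = payload.find(SIG)
    if start < 0 or len(payload) < start + 12:
        return None
    msg = payload[start:]
    (mtype,) = struct.unpack_from("<I", msg, 8)
    if mtype not in TYPES:
        return None
    domain = user = None
    if mtype == 3 and len(msg) >= 44:
        def field(off):  # (Len, MaxLen, BufferOffset); offset counts from the signature
            length, _, pos = struct.unpack_from("<HHI", msg, off)
            return msg[pos:pos + length].decode("utf-16-le", "replace")
        domain, user = field(28), field(36)  # DomainNameFields, UserNameFields
    return TYPES[mtype], domain, user

def flag_outbound_ntlm(flows):
    """Flag client-sent NTLM messages leaving the internal ranges, whatever the port."""
    alerts = []
    for dst_ip, dst_port, payload in flows:
        hit = find_ntlm(payload)
        external = not any(ipaddress.ip_address(dst_ip) in net for net in INTERNAL)
        if hit and hit[0] != "CHALLENGE" and external:
            alerts.append((dst_ip, dst_port) + hit)
    return alerts

def sample_auth(domain, user):
    """Constructed AUTHENTICATE message: only the name fields are filled in."""
    d, u = domain.encode("utf-16-le"), user.encode("utf-16-le")
    msg = SIG + struct.pack("<I", 3) + b"\x00" * 16          # empty LM/NT response fields
    msg += struct.pack("<HHI", len(d), len(d), 64)            # DomainNameFields
    msg += struct.pack("<HHI", len(u), len(u), 64 + len(d))   # UserNameFields
    return msg + b"\x00" * 20 + d + u                         # workstation, key, flags zeroed

# Constructed flows: (destination IP, destination port, client payload bytes).
SAMPLE_FLOWS = [
    ("203.0.113.7", 80, b"\x10\x01\x00\x00" + sample_auth("CORP", "alice")),
    ("10.1.2.3", 445, sample_auth("CORP", "bob")),
    ("203.0.113.7", 443, b"GET / HTTP/1.1\r\n\r\n"),
]
```

Calling `flag_outbound_ntlm(SAMPLE_FLOWS)` returns the alert list. The scan matches NTLM messages carried as raw bytes; HTTP carries them base64-encoded in a header, so those payloads need decoding before the check.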