When "Moderate" Means "Sometimes"
Researchers disclosed an unpatched NTLM coercion vulnerability in the Windows search: URI handler that allows attackers to steal Net-NTLMv2 hashes via a malicious link or command execution. Despite sharing the same severity and underlying mechanism as a recently patched Snipping Tool vulnerability (CVE-2026-33829), Microsoft declined to service this flaw. Defenders must rely on environmental mitigations like blocking outbound SMB and restricting NTLM traffic to prevent exploitation.
Detection / Hunter
What Happened
A security researcher found a flaw in Windows that allows attackers to steal a user's login hash just by having them click a specially crafted link. This affects the Windows "search:" feature, which automatically tries to connect to an attacker-controlled server without any warning prompts. Because Microsoft has decided not to fix this specific issue, computers remain vulnerable to this trick. Organizations should block outbound file-sharing traffic (SMB) to the internet and monitor for suspicious links containing "search:" or "search-ms:" to protect themselves.
Key Takeaways
- An unpatched NTLM coercion vulnerability exists in the Windows search: URI handler via the crumb=location: parameter.
- The vulnerability can be triggered without user prompts via a simple browser link click or command-line execution.
- Microsoft rated the vulnerability as Moderate but declined to patch it, stating it falls below their servicing bar.
- Both search: and search-ms: handlers share the same COM activation path (SearchExecute), making both viable attack vectors.
- Blocking outbound SMB (TCP/445) and enforcing SMB signing are the most effective mitigations.
Affected Systems
- Windows 11 (tested on 25H2 Pro, Build 26200.8524)
- Windows Explorer (ExplorerFrame.dll)
Vulnerabilities (CVEs)
- CVE-2026-33829
Attack Chain
An attacker delivers a malicious link using the search: URI handler with a crumb=location: parameter pointing to an attacker-controlled SMB share. When the victim clicks the link or executes it via the command line, Windows Explorer processes the URI through the SearchExecute COM class. This triggers an automatic outbound SMB connection to the specified share without user prompting. The attacker's server captures the victim's Net-NTLMv2 hash for offline cracking or NTLM relay attacks.
Detection Availability
- YARA Rules: No
- Sigma Rules: No
- Snort/Suricata Rules: No
- KQL Queries: No
- Splunk SPL Queries: No
- EQL Queries: No
- Other Detection Logic: No
The article does not provide ready-to-use detection rules, but recommends alerting on search: and search-ms: URIs in mail flow and proxy logs.
Detection Engineering Assessment
- EDR Visibility: Medium — EDR can see cmd.exe launching the URI or Explorer.exe making outbound SMB connections, but may lack visibility into URI handler clicks inside browsers without specific network or browser telemetry.
- Network Visibility: High — Outbound SMB traffic (TCP 445) to external or untrusted IPs is highly visible in network telemetry and firewall logs.
- Detection Difficulty: Moderate — Detecting the URI in email/proxy logs is straightforward via regex, but distinguishing malicious outbound SMB from legitimate internal SMB requires good network zoning and baseline knowledge.
Required Log Sources
- Proxy logs
- Email gateway logs
- Network flow logs
- Process creation logs (Event ID 4688 / Sysmon Event ID 1)
Hunting Hypotheses
| Hypothesis | Telemetry | ATT&CK Stage | FP Risk |
|---|---|---|---|
| Users clicking malicious search URIs will generate outbound SMB traffic to external IP addresses. | Network flow logs, Firewall logs | Credential Access | Low (Outbound SMB to the internet should generally be blocked and is rarely legitimate) |
| Attackers may attempt to trigger the URI handler via command line execution using the start command. | Process creation logs | Execution | Low (Legitimate users rarely use the start command with search: URIs pointing to UNC paths) |
Control Gaps
- Lack of outbound SMB filtering at the perimeter
- Permissive NTLM authentication policies
Key Behavioral Indicators
- Command lines containing search: or search-ms: combined with crumb=location:
- Outbound connections on TCP 445 or 139 to non-RFC1918 IP addresses originating from explorer.exe
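The two behavioral indicators above (and the hunting hypotheses they correspond to) run over a batch of constructed Sysmon-style events, as an added example that is not from the article or from any vendor tooling. The field names (`event_id`, `image`, `command_line`, `dst_ip`, `dst_port`) are an assumed flattening of Sysmon Event ID 1 and Event ID 3, and all addresses and command lines are constructed sample data. Two choices go slightly beyond the page: the command line is percent-decoded before matching so an encoded `crumb=location:` is still caught, and "non-RFC1918" is checked against an explicit list of the three RFC 1918 blocks rather than Python's `is_private`, which also classifies the 203.0.113.0/24 documentation range as private.

```python
import ipaddress
import re
from urllib.parse import unquote

# Constructed sample telemetry (not from the article): Sysmon Event ID 1 (process
# creation) and Event ID 3 (network connection) records, flattened to dicts.
# 203.0.113.0/24 is a documentation range standing in for an attacker-controlled host.
SAMPLE_EVENTS = [
    {"event_id": 1, "image": r"C:\Windows\System32\cmd.exe",
     "command_line": 'cmd.exe /c start "" "search:query=test&crumb=location:\\\\203.0.113.10\\share"'},
    {"event_id": 1, "image": r"C:\Windows\explorer.exe",   # percent-encoded variant
     "command_line": '"C:\\Windows\\explorer.exe" "search-ms:query=invoice&crumb=location%3A%5C%5C203.0.113.10%5Cshare"'},
    {"event_id": 1, "image": r"C:\Windows\System32\cmd.exe",   # benign local search, no crumb
     "command_line": 'cmd.exe /c start "" "search:query=budget"'},
    {"event_id": 3, "image": r"C:\Windows\explorer.exe", "dst_ip": "203.0.113.10", "dst_port": 445},
    {"event_id": 3, "image": r"C:\Windows\explorer.exe", "dst_ip": "10.0.0.5", "dst_port": 445},  # internal file server
    {"event_id": 3, "image": r"C:\Windows\System32\svchost.exe", "dst_ip": "203.0.113.10", "dst_port": 443},
]

URI_SCHEME = re.compile(r"\bsearch(?:-ms)?:", re.IGNORECASE)
CRUMB_LOCATION = re.compile(r"crumb=location:", re.IGNORECASE)
SMB_PORTS = {445, 139}
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_coercion_uri(command_line):
    """Indicator 1: a search: or search-ms: URI carrying crumb=location:.
    Percent-decode first so an encoded 'crumb=location:' is matched as well."""
    decoded = unquote(command_line)
    return bool(URI_SCHEME.search(decoded) and CRUMB_LOCATION.search(decoded))


def is_rfc1918(ip_text):
    """True for addresses inside the three RFC 1918 blocks (or loopback)."""
    try:
        addr = ipaddress.ip_address(ip_text)
    except ValueError:
        return False
    return addr.is_loopback or any(addr in net for net in RFC1918)


def is_external_smb_from_explorer(image, dst_ip, dst_port):
    """Indicator 2: explorer.exe connecting on TCP 445/139 to a non-RFC1918 address."""
    if dst_port not in SMB_PORTS:
        return False
    if not image.lower().endswith("\\explorer.exe"):
        return False
    return not is_rfc1918(dst_ip)


def triage(events):
    """Run both indicators over a batch of events and return one finding per hit,
    tagged with the ATT&CK stage used in the hunting table."""
    findings = []
    for ev in events:
        if ev["event_id"] == 1 and is_coercion_uri(ev["command_line"]):
            findings.append({"stage": "Execution",
                             "indicator": "search URI with crumb=location:",
                             "detail": ev["command_line"]})
        elif ev["event_id"] == 3 and is_external_smb_from_explorer(
                ev["image"], ev["dst_ip"], ev["dst_port"]):
            findings.append({"stage": "Credential Access",
                             "indicator": "outbound SMB from explorer.exe to non-RFC1918 address",
                             "detail": f'{ev["dst_ip"]}:{ev["dst_port"]}'})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f'[{f["stage"]}] {f["indicator"]}: {f["detail"]}')
```

On the six constructed events this yields three findings: the two command lines carrying `crumb=location:` (the plain and the percent-encoded form) and the explorer.exe connection to the external address on 445; the local-only search and the connection to the 10.0.0.5 file server are left alone, which is the low false-positive profile the hunting table describes.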
False Positive Assessment
- Low
Recommendations
Immediate Mitigation
- Verify against your organization's incident response runbook and team escalation paths before acting.
- Evaluate whether outbound SMB (TCP/445 and TCP/139) can be blocked at the perimeter firewall.
- Consider adding alerting or blocking rules for search: and search-ms: URIs in email gateways and web proxies.
Infrastructure Hardening
- Evaluate enforcing SMB signing across the environment to prevent NTLM relay attacks.
- Consider restricting NTLM traffic by setting RestrictSendingNTLMTraffic to 2 (Deny all), pending a thorough impact audit.
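A way to verify the registry-backed settings behind the two hardening items above (SMB signing required on the client and server side, and RestrictSendingNTLMTraffic set to 2), as an added example that is not from the article: it parses the text that `reg query <key> /v <value>` prints and reports which settings differ from the hardened target. The registry paths are the documented locations of the "Restrict NTLM: Outgoing NTLM traffic to remote servers" and "Digitally sign communications (always)" policies; the `reg query` output here is a constructed sample. An absent value is reported as "not configured" for review rather than treated as secure or insecure, because the effective default depends on the Windows build (an assumption of this script, not a statement from the page).

```python
import re

# Registry locations behind the two hardening recommendations, with the target
# (hardened) value for each. Absent values are flagged, not assumed.
EXPECTED = {
    (r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0",
     "RestrictSendingNTLMTraffic"): 2,   # 0 = allow all, 1 = audit all, 2 = deny all
    (r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters",
     "RequireSecuritySignature"): 1,     # SMB client: signing required
    (r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters",
     "RequireSecuritySignature"): 1,     # SMB server: signing required
}
NTLM_OUTBOUND = {0: "allow all", 1: "audit all", 2: "deny all"}

# Constructed sample (not a real host): the concatenated output of three
# `reg query <key> /v <value>` calls. The server-side signing value is left
# absent on purpose to exercise the "not configured" path.
SAMPLE_REG_OUTPUT = r"""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0
    RestrictSendingNTLMTraffic    REG_DWORD    0x0

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters
    RequireSecuritySignature    REG_DWORD    0x1

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters
ERROR: The system was unable to find the specified registry key or value.
"""

# reg query prints each value indented: "    <name>    <type>    <data>"
VALUE_LINE = re.compile(r"^\s+(\S+)\s+(REG_\w+)\s+(\S.*)$")


def parse_reg_query(text):
    """Parse reg query output into {(key, value_name): int}.
    Only REG_DWORD values are kept; reg query prints them as hex (0x...)."""
    values = {}
    current_key = None
    for line in text.splitlines():
        if line.startswith("HKEY_"):
            current_key = line.strip()
            continue
        m = VALUE_LINE.match(line)
        if m and current_key and m.group(2) == "REG_DWORD":
            values[(current_key, m.group(1))] = int(m.group(3), 16)
    return values


def mitigation_gaps(values):
    """Compare parsed settings with EXPECTED. Returns one dict per setting that
    is missing or differs from the hardened target, in EXPECTED order."""
    gaps = []
    for (key, name), want in EXPECTED.items():
        have = values.get((key, name))
        if have != want:
            gaps.append({"key": key, "value": name, "expected": want,
                         "actual": "not configured" if have is None else have})
    return gaps


if __name__ == "__main__":
    for gap in mitigation_gaps(parse_reg_query(SAMPLE_REG_OUTPUT)):
        actual = gap["actual"]
        if gap["value"] == "RestrictSendingNTLMTraffic" and actual in NTLM_OUTBOUND:
            actual = f"{actual} ({NTLM_OUTBOUND[actual]})"
        print(f'{gap["key"]}\\{gap["value"]}: actual {actual}, expected {gap["expected"]}')
```

Feed it the real output of the three `reg query` calls from an endpoint under review; the constructed sample produces two gaps (outbound NTLM still set to allow all, and no server-side signing value present) and accepts the client-side signing setting.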
User Protection
- If supported by your web filtering solution, consider blocking navigation to search: and search-ms: URIs.
Security Awareness
- Consider educating users on the risks of clicking unusual links, even those that do not appear to be standard web URLs (HTTP/HTTPS).
MITRE ATT&CK Mapping
- T1187 - Forced Authentication
- T1204.001 - User Execution: Malicious Link
- T1550.002 - Use Alternate Authentication Material: Pass the Hash
Additional IOCs
- Command Lines:
  - Purpose: Trigger NTLM coercion via the search URI handler | Tools: cmd.exe, Windows Explorer | Stage: Execution | Command: start "" "search:query=test&crumb=location:
  - Purpose: Trigger NTLM coercion via the search URI handler | Tools: