This post was originally published on this site is a participant in the Amazon Services LLC Associates Program, an affiliate advertising program designed to provide a means for sites to earn advertising fees by advertising and linking to

Windows password login field

The security research team at Rhino Labs, a US-based cyber-security company, has discovered that malicious actors can use a lesser-known Microsoft Word feature called subDoc to trick Windows computers into handing over their NTLM hashes, the standard format in which user account credentials are stored.

At the heart of this technique is a classic NTLM pass-the-hash attack, which has been known about for years. What’s different, according to Rhino Labs, is the way this can be carried out, via a Word feature called subDoc that allows Word files ” to load sub-documents from a master document.”

How the subDoc attack works

Rhino Labs experts say that attackers can put together a Word file that loads a sub-document from a malicious server.

Attackers can host a malicious SMB server at the other end of this request, and instead of delivering the requested sub-document, they trick the victim’s PC into handing over the NTLM hash needed for authentication on a fake domain.

There are numerous tools available online for cracking NTLM hashes and obtaining the Windows credentials within. Attackers can then use these logins to access the victim’s computer or network, posing as the original user.

This type of hack is ideal for spear-phishing campaigns aimed at high-value targets, such as enterprises or government agencies.

subDoc joins the ranks of DDE, Equation Editor, others

The attack is somewhat similar to other techniques such as using SCF files and SMB requests to trick Windows into handing over NTLM hashes, as described by Columbian security researcher Juan Diego or cyber-security firm DefenseCode.

This is also not the first attack method that abuses a lesser-known Microsoft Word feature. Other techniques include using the Microsoft Dynamic Data Exchange (DDE) feature or the old Office Equation Editor.

Currently, detection of subDoc attacks is problematic.

“As this feature has not been recognized publicly as an attack vector for malicious actions, it is not something that is recognized by anti-virus software,” Rhino Labs says, highlighting that none of the antivirus engines on VirusTotal detected Word documents weaponized via the subDoc method.

Microsoft has recently disabled DDE support in Word because of repeated abuse from malware distributors. The fate of subDoc is unknown because this feature is not that useful for regular malware distribution campaigns and might not garner the same attention from Microsoft that DDE attacks have.

Rhino Labs has also released a tool for generating subDoc-weaponized Word files so that system administrators and security researchers can carry out their own tests. The tool is named SubDoc Injector, is available on GitHub, and was authored by former LulzSec member Hector “Sabu” Monsegur, now part of the Rhino Labs team. Rhino Labs has also published a technical post with a step-by-step reproduction of the subDoc attack.

At L Technology Group, we know technology alone will not protect us from the risks associated with in cyberspace. Hackers, Nation States like Russia and China along with “Bob” in HR opening that email, are all real threats to your organization. Defending against these threats requires a new strategy that incorporates not only technology, but also intelligent personnel who, eats and breaths cybersecurity. Together with proven processes and techniques combines for an advanced next-generation security solution. Since 2008 L Technology Group has develop people, processes and technology to combat the ever changing threat landscape that businesses face day to day.

Call Toll Free (855) 999-6425 for a FREE Consultation from L Technology Group,