Following a recent shift in tactics, the threat actor tracked as TA577 has used phishing emails to steal NT LAN Manager (NTLM) authentication hashes for later account takeover. NTLM is a core component of Windows authentication and session security. A captured hash can be used for offline password cracking to recover the plaintext password, and it can also be abused without any cracking at all: a stored NT hash is reusable as-is in "pass-the-hash" attacks, while a challenge-response hash captured over the wire (the kind a phishing lure that forces an outbound SMB connection obtains) can be forwarded to another server or service in an NTLM relay attack while the authentication is still in progress.
Effective countermeasures are to block outbound SMB connections (TCP 445 and 139) to the internet at the firewall, so that a host cannot send NTLM hashes to an attacker-controlled server, and to filter inbound email for messages carrying zipped HTML files, since opening these files is what triggers the unsafe outbound connection. On the host itself, the group policy setting 'Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers' can be set to deny outgoing NTLM authentication altogether; run it in audit mode first to find any legitimate servers that still depend on NTLM and add them as exceptions before enforcing.
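The following PowerShell is an added example for this page, not a script from the article or from Nihon Cyber Defence. It applies the two host-side measures above: a Windows Firewall rule that blocks outbound SMB to internet addresses only (local file shares keep working), and the 'Restrict NTLM: Outgoing NTLM traffic' policy via its registry value under HKLM\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0, first in audit mode and then in deny mode with an exception list. The rule names, the assumed server name 'fileserver.corp.example' and the choice to restrict by the 'Internet' address keyword are assumptions for the example; run it in an elevated session and test in audit mode before enforcing.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original article): harden a Windows host against
# outbound NTLM hash leakage of the kind the TA577 phishing lures trigger.

$NtlmKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'

function Block-OutboundSmb {
    # Block SMB (TCP 445) and NetBIOS session service (TCP 139) to Internet
    # addresses only. The -RemoteAddress keyword 'Internet' is resolved by the
    # Windows Firewall to all non-local ranges, so intranet file shares still work.
    foreach ($port in 445, 139) {
        $name = "Block outbound SMB (TCP $port) to Internet"   # assumed rule name
        if (-not (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue)) {
            New-NetFirewallRule -DisplayName $name -Direction Outbound -Protocol TCP `
                -RemotePort $port -RemoteAddress Internet -Action Block -Profile Any |
                Out-Null
        }
    }
}

function Set-OutgoingNtlmPolicy {
    # Same effect as the group policy 'Network security: Restrict NTLM:
    # Outgoing NTLM traffic to remote servers' (0 = Allow all, 1 = Audit all,
    # 2 = Deny all). -AllowedServers fills the companion exception list
    # 'Add remote server exceptions for NTLM authentication'.
    param(
        [ValidateSet('Allow', 'Audit', 'Deny')] [string] $Mode = 'Audit',
        [string[]] $AllowedServers = @()
    )
    $value = @{ Allow = 0; Audit = 1; Deny = 2 }[$Mode]
    Set-ItemProperty -Path $NtlmKey -Name RestrictSendingNTLMTraffic -Value $value -Type DWord
    if ($AllowedServers.Count -gt 0) {
        Set-ItemProperty -Path $NtlmKey -Name ClientAllowedNTLMServers `
            -Value $AllowedServers -Type MultiString
    }
}

function Get-NtlmAuditEvents {
    # In audit mode, event 8001 in the NTLM operational log records each
    # outgoing NTLM authentication that Deny mode would block. Review these
    # to decide which servers (if any) belong on the exception list.
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-NTLM/Operational'; Id = 8001 } `
        -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Message
}

function Test-NtlmHardening {
    # Report the current state of both controls so the change can be verified.
    $rules  = Get-NetFirewallRule -DisplayName 'Block outbound SMB (TCP *) to Internet' `
                  -ErrorAction SilentlyContinue
    $policy = (Get-ItemProperty -Path $NtlmKey -Name RestrictSendingNTLMTraffic `
                  -ErrorAction SilentlyContinue).RestrictSendingNTLMTraffic
    [pscustomobject]@{
        SmbBlockRulesEnabled = @($rules | Where-Object Enabled -eq 'True').Count
        OutgoingNtlmPolicy   = @{ 0 = 'Allow'; 1 = 'Audit'; 2 = 'Deny' }[[int]$policy]
    }
}

# Rollout: block SMB egress now, audit NTLM use, then enforce with exceptions.
Block-OutboundSmb
Set-OutgoingNtlmPolicy -Mode Audit
Get-NtlmAuditEvents | Format-Table -AutoSize
# After the audit period, assuming 'fileserver.corp.example' is the only legitimate NTLM target:
# Set-OutgoingNtlmPolicy -Mode Deny -AllowedServers 'fileserver.corp.example'
Test-NtlmHardening
```

The firewall rule alone stops the hash from ever leaving the host over SMB, which is the path this campaign uses; the NTLM policy is the broader control, since it also covers NTLM sent over HTTP or WebDAV, but it is the one more likely to break legitimate access, which is why the example audits before denying.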
© 2021 CyberEnsō – Nihon Cyber Defence Co., Ltd. All Rights Reserved.