Attachment: CVE-2025-24071 - Microsoft Windows File Explorer Spoofing Vulnerability

name: "Attachment: CVE-2025-24071 - Microsoft Windows File Explorer Spoofing Vulnerability"
description: "Detects a Windows library file (.library-ms) containing a network path, either as a direct attachment or within an archive. This file type can be used to cause Windows to send NTLM hash to malicious network locations."
references:
  - "https://cti.monster/blog/2025/03/18/CVE-2025-24071.html"
  - "https://github.com/0x6rss/CVE-2025-24071_PoC"
type: "rule"
severity: "critical"
source: |
  type.inbound
  and any(attachments,
          // handle directly attached files first
          (
            .file_extension == "library-ms"
            // and contains a url with the \\
            and strings.icontains(file.parse_text(.).text, '<url>\\')
          )
          // handle library-ms files inside of archives
          or (
            .file_extension in $file_extensions_common_archives
            and any(file.explode(.),
                    // the exploded archive contained a file with the library-ms extension
                    .file_extension == "library-ms"
                    // and the strings in that file contain the required url variable
                    and any(.scan.strings.strings, strings.contains(., '<url>\\'))
            )
          )
  )
attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Scripting"
  - "Macros"
  - "Exploit"
detection_methods:
  - "Archive analysis"
  - "Content analysis"
  - "File analysis"
id: "2e69fa0b-6dc7-50f3-b027-2f28141e70a4"