Attachment: Link file with UNC path

calendar Jan 12, 2026  ·
Share on: linkedin copy

Attached link file contains a UNC path. This can be used to relay NTLM password hashes; Windows will attempt to authenticate against the path even without the file being opened.

Sublime rule (View on GitHub)

 1name: "Attachment: Link file with UNC path"
 2description: |
 3    Attached link file contains a UNC path. This can be used to relay NTLM password hashes; Windows will attempt to authenticate against the path even without the file being opened.
 4references:
 5  - "https://twitter.com/fuzz_sh/status/1640041674058416129"
 6type: "rule"
 7severity: "medium"
 8source: |
 9  type.inbound
10  and any(attachments,
11          .file_extension in ("lnk", "url")
12          and any(file.explode(.),
13                  any(.scan.strings.strings,
14                      regex.icontains(.,
15                                      '\\\\([a-zA-Z0-9_:%.$-]+)\\([a-zA-Z0-9_:%.$-]+)'
16                      )
17                  ) // normal UNC paths
18                  or any(.scan.strings.strings,
19                         regex.icontains(.,
20                                         '%5C%5C([a-zA-Z0-9_:%.$-]+)%5C([a-zA-Z0-9_:%.$-]+)'
21                         )
22                  ) // percent-encoded UNC paths
23          )
24  )  
25attack_types:
26  - "Credential Phishing"
27tactics_and_techniques:
28  - "Evasion"
29  - "LNK"
30detection_methods:
31  - "File analysis"
32id: "3b7ee0fb-3540-51b6-a5db-9b21fdd3c9af"
to-top