Attachment: CVE-2025-24071 - Microsoft Windows File Explorer Spoofing Vulnerability

 1name: "Attachment: CVE-2025-24071 - Microsoft Windows File Explorer Spoofing Vulnerability"
 2description: "Detects a Windows library file (.library-ms) containing a network path, either as a direct attachment or within an archive. This file type can be used to cause Windows to send NTLM hash to malicious network locations."
 3references:
 4  - "https://cti.monster/blog/2025/03/18/CVE-2025-24071.html"
 5  - "https://github.com/0x6rss/CVE-2025-24071_PoC"
 6type: "rule"
 7severity: "critical"
 8source: |
 9  type.inbound
10  and any(attachments,
11          // handle directly attached files first
12          (
13            .file_extension == "library-ms"
14            // and contains a url with the \\
15            and strings.icontains(file.parse_text(.).text, '<url>\\')
16          )
17          // handle library-ms files inside of archives
18          or (
19            .file_extension in $file_extensions_common_archives
20            and any(file.explode(.),
21                    // the exploded archive contained a file with the library-ms extension
22                    .file_extension == "library-ms"
23                    // and the strings in that file contain the required url variable
24                    and any(.scan.strings.strings, strings.contains(., '<url>\\'))
25            )
26          )
27  )  
28attack_types:
29  - "Credential Phishing"
30tactics_and_techniques:
31  - "Scripting"
32  - "Macros"
33  - "Exploit"
34detection_methods:
35  - "Archive analysis"
36  - "Content analysis"
37  - "File analysis"
38id: "2e69fa0b-6dc7-50f3-b027-2f28141e70a4"