Windows Search flaw exposes credentials

Security researchers have warned that a Windows Search URI handler weakness can leak NTLMv2 hashes to remote attackers through a crafted link, reviving concerns over long-running authentication risks in enterprise networks.

The issue affects the search: handler used by Windows Explorer to process desktop search requests. A malicious link can direct the handler towards an attacker-controlled network path, causing the victim’s system to attempt authentication over SMB and transmit a Net-NTLMv2 hash before an error message appears. The attack requires user interaction, but researchers say it does not require malware installation, administrative privileges, developer mode, or complex exploitation.

The disclosure has drawn attention because the behaviour closely resembles a Windows Snipping Tool NTLM leakage bug patched on 14 April 2026 as CVE-2026-33829. That flaw carried a CVSS 3.1 score of 4.3 and was classified as moderate severity. The newly described Windows Search variant has not been assigned a CVE and was closed by Microsoft as below the servicing threshold, leaving administrators to rely on mitigations rather than a vendor patch.

The attack chain centres on Windows URI handlers, which allow applications and browsers to invoke local operating-system functions through specially formatted links. In this case, the search: handler accepts parameters that can reference a Universal Naming Convention path. When the path points to a remote SMB share controlled by an attacker, Windows may initiate NTLM authentication automatically. The exposed Net-NTLMv2 hash is not a plaintext password, but it can be used in relay attacks or subjected to offline cracking, depending on password strength and network controls.

Testing published by researchers showed that a standard Windows 11 Pro system could leak the hash after a single click in Microsoft Edge. The first invocation after logon was enough to trigger the exposure. The user received an access-denied-style message only after the credential material had already left the device. That sequencing is significant for phishing scenarios because the victim may dismiss the prompt as a broken link while the attacker has already captured a usable authentication artefact.

The disclosure timeline places the finding in the weeks after Microsoft’s April patch for the Snipping Tool weakness. The Search handler issue was reported to Microsoft on 15 April 2026, reactivated after initial pushback, and later assessed as moderate severity. Researchers were told that only important and critical issues typically meet Microsoft’s threshold for immediate servicing, though exceptions can be made. The Snipping Tool case was treated as such an exception; the Search handler case was not.

Security teams are likely to view that distinction with caution because both weaknesses sit in the same broader class of NTLM coercion. The attack does not give an intruder direct control of a system on its own, but it can supply a foothold for follow-on activity in environments where outbound SMB is permitted, NTLM remains enabled, SMB signing is not enforced, or privileged users reuse weak passwords.

Windows Search protocol abuse is not new. Threat actors have previously used search-ms: and related handlers in phishing campaigns to make remote files appear inside familiar Windows Explorer search windows, often disguising malicious shortcuts as trusted documents. The new disclosure adds a credential-leakage dimension to a feature already known to be attractive for social engineering because it blends browser activity with native desktop behaviour.

The risk is higher for corporate networks that still allow workstations to initiate outbound SMB connections to the internet. Attackers can exploit that gap through email links, messaging platforms, compromised websites, or HTML content designed to trigger the handler. While modern browsers and mail gateways may block some suspicious URI schemes, defensive coverage is uneven, especially where older allow-lists or incomplete detection rules focus only on search-ms: and ignore search:.

Mitigation advice is now focused on reducing NTLM exposure across the environment. Blocking outbound SMB over TCP ports 445 and 139 from endpoints that do not require it is the most direct control. Enforcing SMB signing can limit relay opportunities, while disabling or restricting NTLM reduces the value of captured hashes. Organisations are also being urged to monitor mail, proxy and endpoint logs for search: and search-ms: links, which rarely have legitimate business use in external communications.
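The log-monitoring advice above, and the warning that detection rules covering only search-ms: miss search:, can be turned into a simple proxy-log check. The following is an added example, not code from the article or its researchers; the log field layout, the sample lines and the search: parameter name `param` are constructed for illustration, and the check is deliberately parameter-agnostic, flagging any search-family URI and escalating when it names a UNC host.

```python
import re
from urllib.parse import unquote

# Constructed sample proxy log lines (not real traffic). Field layout and the
# search: parameter name "param" are assumptions made for this example.
SAMPLE_LOG = """\
2026-04-20T09:12:01Z user=alice url=https://intranet.example/reports/q1.pdf action=allow
2026-04-20T09:13:44Z user=bob url=search-ms:query=invoice&crumb=location:%5C%5C203.0.113.7%5Cshare&displayname=Invoices action=allow
2026-04-20T09:14:02Z user=carol url=search:param=%5C%5Cfiles.example.net%5Cpub action=allow
2026-04-20T09:15:30Z user=dave url=search-ms:query=budget&crumb=location:C:%5CUsers%5Cdave%5CDocuments action=allow
2026-04-20T09:16:12Z user=erin url=search:query=quarterly action=allow
"""

# Match both schemes the article names; "search-ms" is tried first.
SCHEME_RE = re.compile(r"^(search-ms|search):", re.IGNORECASE)
# A UNC reference after decoding: \\host\share or //host/share.
UNC_RE = re.compile(r"(?:\\\\|//)([A-Za-z0-9][A-Za-z0-9._-]*)(?=[\\/]|$)")
URL_FIELD_RE = re.compile(r"\burl=(\S+)")
USER_FIELD_RE = re.compile(r"\buser=(\S+)")


def extract_unc_host(uri):
    """Percent-decode twice (defeats double encoding) and return the first
    UNC host the URI references, or None if it stays on the local machine."""
    decoded = unquote(unquote(uri))
    m = UNC_RE.search(decoded)
    return m.group(1) if m else None


def classify_uri(uri):
    """Return None for non-search URIs, else (scheme, unc_host, level).
    'high' = a remote UNC host is named (possible NTLM coercion);
    'low'  = search-family scheme alone, still unusual in external mail."""
    m = SCHEME_RE.match(uri)
    if not m:
        return None
    scheme = m.group(1).lower()
    host = extract_unc_host(uri)
    return scheme, host, ("high" if host else "low")


def scan_log(text):
    """Walk log lines and collect one finding per search-family URI."""
    findings = []
    for line in text.splitlines():
        um = URL_FIELD_RE.search(line)
        result = classify_uri(um.group(1)) if um else None
        if result is None:
            continue
        user_m = USER_FIELD_RE.search(line)
        scheme, host, level = result
        findings.append({"user": user_m.group(1) if user_m else None,
                         "scheme": scheme, "host": host, "level": level})
    return findings
```

Running `scan_log(SAMPLE_LOG)` yields four findings: two high (remote UNC hosts reachable over SMB) and two low (search-family links without a network path).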

Administrators should treat the issue as part of a wider credential-leakage pattern rather than an isolated Windows Search flaw. Patch-based programmes that rely only on CVE feeds may miss moderate-rated behaviours that vendors do not service immediately. That creates a visibility gap for security teams, particularly where similar URI handler bugs are grouped as social-engineering risks despite their ability to trigger automatic authentication.



Source: Arabian Post