**Is the Preview Pane an attack vector for this vulnerability?**

No, the Preview Pane is not an attack vector.

CVE-2024-49069: Microsoft Excel Remote Code Execution Vulnerability

The second zero-day vulnerability found in Windows NTLM in the past two months paves the way for relay attacks and credential theft. Microsoft has no patch, but released updated NTLM cyberattack mitigation advice.

Source: QINQIE99 via Shutterstock

Microsoft has released fresh guidance to organizations on how to mitigate NTLM relay attacks by default, days after researchers reported finding a NTLM hash disclosure zero-day in all versions of Windows Workstation and Server, from Windows 7 to current Windows 11 versions.

However, it was not immediately clear if the two developments are related or purely coincidental in terms of timing. In any event, the bug, which doesn't yet have a CVE or CVSS score, is not expected to be patched for months.

**Windows NTLM Zero-Day Allows Credential Theft**

Researchers from ACROS Security reported finding a zero-day bug in all supported Windows versions. The bug allows an attacker to grab a user's NTLM credentials simply by getting the user to view a malicious file via the Windows Explorer file management utility.

"Opening a shared folder or USB disk with such file or viewing the Downloads folder where such file was previously automatically downloaded from attacker's Web page" is all it takes for credential compromise, Mitja Kolsek, CEO of ACROS Security wrote in a blog post.

ACROS said it would not release any further information on the bug until Microsoft has a fix for it. But Kolsek tells Dark Reading that an attacker's ability to exploit the bug depends on various factors.

"It's not easy to find where the issue is exploitable without actually trying to exploit it," he explains. Microsoft has assessed the vulnerability as being of moderate or "Important" severity, a designation that is one notch lower than "Critical" severity bugs. The company plans to issue a fix for it in April, Kolsek says.

In an emailed comment, a Microsoft spokesman said the company is "aware of the report and will take action as needed to help keep customers protected."

The bug is the second NTLM credential leak zero-day that ACROS has reported to Microsoft since October. The previous one involved a Windows Themes spoofing issue and allowed attackers a way to coerce victim devices into sending NTLM authentication hashes to attacker-controlled devices. Microsoft has not yet issued a patch for that bug either.

The bugs are among several NTLM-related issues that have surfaced in recent years including PetitPotam, DFSCoerce, PrinterBug/SpoolSample, and, recently, one affecting the open source policy enforcement engine.

**Legacy Protocol Dangers**

Windows NTLM (NT LAN Manager) is a legacy authentication protocol that Microsoft includes in modern Windows for backward compatibility purposes. Attackers have frequently targeted weaknesses in the protocol to intercept authentication requests and forward or "relay" them to access other servers or services to which the original users have access.

In its advisory this week, Microsoft described NTLM-relaying as a "popular attack method used by threat actors that allows for identity compromise." The attacks involve coercing a victim to authenticate to an attacker-controlled endpoint and relaying the authentication against a vulnerable target server or service. The advisory pointed to vulnerabilities that attackers have used previously, such as CVE-2023-23397 in Outlook and CVE-2021-36942 in Windows LSA, to exploit service that lack protections against NTLM-relaying attacks.

In response to such attacks, Microsoft has updated previous guidance on how to enable Extended Protection for Authentication (EPA) by default on LDAP, AD CS, and Exchange Server, the company said. The latest Windows Server 2025 ships with EPA enabled by default for both AD CS and LDAP.

The advisory highlighted the need for organizations to enable EPA specially for Exchange Server, given the "unique role that Exchange Server plays in the NTLM threat landscape." The company pointed to CVE-2024-21413, CVE-2023-23397, and CVE-2023-36563 as examples of recent vulnerabilities that attackers have exploited for NTLM coercion purposes. "Office documents and emails sent through Outlook serve as effective entry points for attackers to exploit NTLM coercion vulnerabilities, given their ability to embed UNC links within them," the company says.

Kolsek says it's unclear if Microsoft's advice for protecting against NTLM attacks has anything to do with his recent bug disclosure. "\[But\] if possible, follow Microsoft's recommendations on mitigating NTLM-related vulnerabilities," he says. "If not, consider 0patch," he adds, referring to the free micropatches that his company provides for vulnerabilities, especially in older and no longer supported software products.

**About the Author**

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.

Microsoft NTLM Zero-Day to Remain Unpatched Until April

Protect your systems with automated patching and server hardening strategies to defend against vulnerabilities like the NTLM zero-day.…

Protect your systems with automated patching and server hardening strategies to defend against vulnerabilities like the NTLM zero-day. Stay proactive and secure your business.

A newly discovered Windows zero-day vulnerability exposes users across multiple Windows versions to credential theft. Discovered by 0patch researchers, this critical security flaw allows attackers to steal NTLM credentials through a deceptive yet simple method.

****What Makes This Vulnerability Dangerous?****

**Widespread Impact**

The vulnerability affects a wide range of Windows systems, including:

*   Windows Server 2022
*   Windows 11 (up to v24H2)
*   Windows 10 (multiple versions)
*   Windows 7 and Server 2008 R2

**Exploitation Mechanism**

Technical details of the vulnerability are withheld to minimize exploitation risk until Microsoft issues a fix to minimize any further risk of exploitation. 

The vulnerability enables attackers to steal a user’s NTLM credentials by luring them into opening a malicious file in Windows Explorer.

Attackers can trigger the vulnerability through minimal user interaction:

*   Opening a shared folder
*   Accessing a USB disk
*   Simply viewing a malicious file in Windows Explorer
*   Accessing the Downloads folder with a strategically placed file

****The Broader Context of Unpatched Vulnerabilities****

This isn’t an isolated incident. The same research team has previously identified multiple unresolved Windows vulnerabilities, including:

*   Windows Theme file issue
*   “Mark of the Web” vulnerability
*   “EventLogCrasher” vulnerability
*   Three NTLM-related vulnerabilities (PetitPotam, PrinterBug/SpoolSample, and DFSCoerce)

****0patch Micropatches****

0patch is offering a free micropatch for the latest NTLM zero-day to all users registered on its platform until Microsoft releases an official fix. The security micropatch has already been automatically deployed to PRO and Enterprise accounts, except in cases where configurations explicitly block automatic updates.

“The impact on enterprises using outdated and legacy infrastructure is more significant than the simple impact on operating costs, said Jim Routh,” Chief Trust Officer at cybersecurity company Saviynt. “In this case, the obsolete authentication application (NTLM) from MS enables threat actors to steal Windows credentials potentially compromising customer experience.”

****Focusing on the proactive approach****

Automated patch management, like the protection provided to PRO and Enterprise accounts through 0patch, is a great start, but organizations need to do more. Implementing strong server-hardening strategies can add multiple layers of defence by setting consistent security configurations across all systems.

This proactive approach goes beyond simply reacting to vulnerabilities, helping businesses stay protected against threats like the recent NTLM zero-day vulnerability.

1.  Hackers Use Excel Files for Remcos RAT Variant on Windows
2.  Godot Engine Exploited for Malware on Windows, macOS, Linux
3.  Windows SmartScreen Flaw Enabling Data Theft in Stealer Attack
4.  Windows Vulnerable to Command Injection via “BatBadBut” Flaw
5.  Russian Hackers Exploit Firefox and Windows 0-Days for Backdoor

Critical Windows Zero-Day Alert: No Patch Available Yet for Users

Introduction In February 2024, we released an update to Exchange Server which contained a security improvement referenced by CVE-2024-21410 that enabled Extended Protection for Authentication (EPA) by default for new and existing installs of Exchange 2019. While we’re currently unaware of any active threat campaigns involving NTLM relaying attacks against Exchange, we have observed threat actors exploiting this vector in the past.

**Introduction**

In February 2024, we released an update to Exchange Server which contained a security improvement referenced by CVE-2024-21410 that enabled Extended Protection for Authentication (EPA) by default for new and existing installs of Exchange 2019. While we’re currently unaware of any active threat campaigns involving NTLM relaying attacks against Exchange, we have observed threat actors exploiting this vector in the past.  

With the release of Windows Server 2025 earlier this month, we released a similar security improvement to Azure Directory Certificate Services (AD CS) by enabling EPA by default. Additionally, as part of the same Windows Server 2025 release, LDAP now has channel binding enabled by default. These security enhancements mitigate risk of of NTLM relaying attacks by default across three on-premise services: Exchange Server, Active Directory Certificate Services (AD CS), and LDAP.

**Background**

NTLM relaying is a popular attack method used by threat actors that allows for identity compromise. An NTLM relay attack typically involves two steps:

1.  Coercing a victim to authenticate to an arbitrary endpoint.
    
2.  Relaying the authentication against a vulnerable target.
    

By forwarding or relaying credentials to a vulnerable endpoint, attackers can authenticate and perform actions on behalf of the victim. This gives attackers an initial foothold for further domain compromise. To stop exploitation in its tracks, it’s essential to address the first class of issues. These vulnerabilities provide attackers with an initial primitive for exploitation. However, to comprehensively mitigate relaying attacks, we need to holistically address vulnerable services by default. Since EPA or other channel binding mechanisms ensure that clients can only authenticate to their intended server, these mitigations play an important role in securing services against NTLM relay attacks.

**Enabling NTLM Relay mitigations**

In the past, Microsoft observed threat actors exploiting services that lack NTLM relaying protections. These include CVE-2023-23397 (an Outlook entry point relayed against Exchange server), CVE-2021-36942 (a LSARPC entry point relayed against Active Directory Certificate Services (AD CS)), and ADV190023 (a WPAD entry point relayed against Lightweight Directory Access Protocol (LDAP)). From these instances, attackers clearly leverage relaying attacks in their campaigns.

In response to these observed NTLM relaying attacks, Microsoft released guidelines for enabling EPA on AD CS, LDAP, and Exchange Server. While this measure does help protect domains against NTLM relaying attacks, it requires manual intervention from a network administrator, which may not be feasible in all environments. Therefore, we have been working to enable NTLM relaying protections by default, which would automatically safeguard environments against such attacks.  

**Exchange Server**

It is important to note the unique role that Exchange Server plays in the NTLM threat landscape, which is why we prioritized hardening it by default. Office documents and emails sent through Outlook serve as effective entry points for attackers to exploit NTLM coercion vulnerabilities, given their ability to embed UNC links within them. Recent vulnerabilities involving NTLM and Office applications include CVE-2024-21413, CVE-2023-23397, and CVE-2023-36563. While we actively fix specific instances of NTLM authentication coercion, attackers often use these vulnerabilities to relay authentication against a vulnerable server, which can lead to compromise of a victim’s account. Exchange Server can be the prime target in such cases since it is a frequently used mail provider across enterprises.  

Earlier this year, with the release Exchange Server 2019 CU 14, Exchange Server now has EPA enabled by default. Exchange Server 2016 is in extended support, and no further CUs are planned for this version. Customers using Exchange Server 2016 can enable EPA via a script.

We recognize that EPA may not be trivial to enable for all environments. A significant portion of enabling EPA by default involved supporting additional scenarios that were not compatible with EPA before. For more information on EPA enablement in your environment, refer to the guidance provided in both the security advisory and the Exchange update blog.

**AD CS and LDAP**

We are also excited to announce that the latest Windows Server 2025, which is now generally available, ships with EPA enabled by default for both AD CS and LDAP. Note that the current default setting for EPA in Server 2025 is Enabled - When Supported, to allow clients that do not support channel bindings to omit them. A stronger EPA security setting for enterprises who do not need to support legacy clients is Enabled – Always, and we hope to move the needle further in future versions of Windows. Additionally, Administrators on Windows Server 2022 and 2019 can manually enable EPA for AD CS and Channel binding for LDAP. We have enabled auditing support for LDAP to identify machines that do not support channel binding to help IT administrators move towards enabling channel binding by default by upgrading to versions that support channel binding.  

With the security-focused default settings for EPA on Exchange Server 2019 CU14 released earlier this year and for AD CS and LDAP released as part of Windows Server 2025, we have enforced strong defenses against preventing NTLM relay attacks on those versions. Additional changes to default EPA enablement are currently in the pipeline for more Windows services. Moving forward, we will continue our efforts to enable EPA across more services by default in future versions, aiming to eliminate this class of NTLM relay attacks entirely.

**Looking ahead: The future of NTLM**

NTLM is a legacy protocol and we have been recommending users to prepare for NTLM being disabled by default in a future version of Windows. We have also been encouraging customers to catalogue and reduce dependencies of NTLM usage and explore moving over to modern authentication protocols like Kerberos. In the interim, we are exploring various strategies to harden against NTLM attacks. A notable development is that in Windows Server 2025 and Windows 11 24H2, NTLMv1 has been removed and the more commonly used NTLM v2 is deprecated. Additionally, admins now have the option to configure SMB to block NTLM.  

The progress towards enforcing secure by default across the ecosystem is aligned with principles from Microsoft’s Secure Future Initiative. As we progress towards disabling NTLM by default, immediate, short-term changes, such as enabling EPA in Exchange Server, AD CS and LDAP reinforce a ‘secure by default’ posture and safeguard users from real-world attacks. We look forward to investing in more secure-by-default NTLM hardening measures across supported versions in the near future.

The security mitigations here are a result of the tremendous work across multiple teams and organizations within Microsoft, notably, Exchange and Windows. Special thanks to Nino Bilic, Matthew Palko, and Wayne McIntyre for their help and support with this blog.

_Rohit Mothe_

_George Hughey_

_MSRC Vulnerabilities & Mitigations Team_

Mitigating NTLM Relay Attacks by Default

Plus: Russian spies keep hijacking other hackers’ infrastructure, Hydra dark web market admin gets life sentence in Russia, and more of the week’s top security news.

A consortium of global law enforcement agencies led by Britain’s National Crime Agency announced a takedown operation this week against two major Russian money-laundering networks that process billions of dollars each year in more than 30 locations around the world. WIRED had exclusive access to the investigation, which uncovered new and troubling laundering techniques, particularly schemes to directly change cryptocurrency for cash. As the United States government scrambles to address China’s “Salt Typhoon” digital espionage campaign into US telecoms, two senators demanded this week that the Department of Defense investigate its failure to secure its own communications and address known vulnerabilities in US telecom infrastructure. Meanwhile, Signal Foundation president Meredith Whittaker spoke at WIRED’s The Big Interview event in San Francisco this week about Signal’s enduring commitment to bring private, end-to-end encrypted communication services to people all over the world regardless of geopolitical climate.

A new smartphone scanner from the mobile device security firm iVerify can quickly and easily detect spyware and has already flagged seven devices infected with the invasive Pegasus surveillance tool. Programmer Micah Lee built a tool to help you save and delete your X posts after he offended Elon Musk and was banned from the platform. And privacy advocate Nighat Dad is fighting to protect women from digital harassment in Pakistan after escaping from an abusive marriage.

The US Federal Trade Commission is targeting data brokers who it says unlawfully tracked protesters and US military personnel, but the enforcement efforts seem likely to trail off under the Trump administration. Similarly, the US Consumer Financial Protection Bureau has devised a strategy to impose new oversight on predatory data brokers, but the new administration may not continue the initiative. Some new laws are finally coming around the world in 2025 that will attempt to regulate the dysfunction of the digital advertising industry, but malicious advertising is still booming around the world and continues to play a big role in global scamming.

And there’s more. Each week, we round up the security and privacy news we didn’t cover in-depth ourselves. Click the headlines to read the full stories. And stay safe out there.

**US Officials Urge Americans to Encrypt Calls and Texts After Chinese Telecom Hacking**

Remember how the US federal government spent much of the last three decades periodically decrying the dangers of strong, freely available encryption tools, arguing that because they enable criminals and terrorists, they should be outlawed or required to implement government-approved backdoors? As of this week, the government will never again be able to make that argument without privacy advocates pointing to a particular phone call where two officials recommended Americans use exactly those encryption tools to protect themselves amidst an ongoing massive breach of US telecoms by Chinese hackers.

In a briefing with reporters about the breach of no fewer than eight phone companies by the Chinese state-sponsored espionage hackers known as Salt Typhoon, officials from the Cybersecurity and Infrastructure Security Agency (CISA) and the FBI both said that amid the still-uncontrolled infiltration of US telecoms that have exposed calls and texts, Americans should use encryption apps to safeguard their privacy. “Encryption is your friend, whether it’s on text messaging or if you have the capacity to use encrypted voice communication,” said Jeff Greene, CISA’s executive assistant director for cybersecurity. (Signal and WhatsApp, for instance, end-to-end encrypt calls and texts, though the officials didn’t name any particular apps.)

The recommendation amid what one senator has called “the worst telecom hack in our nation’s history” represents a stunning reversal from previous US officials’ rhetoric on encryption, and in particular the FBI’s repeated calls for access to backdoors in encryption. In fact, it was exactly this sort of government-approved wiretap capability requirement for US telecoms that the Salt Typhoon hackers in some cases exploited to access Americans communications.

**Russia’s FSB Hackers Keep Hijacking Other Hackers’ Infrastructure for Spying**

The hacker group known as Secret Blizzard, Snake, or Turla, widely believed to work for Russia’s FSB intelligence agency, is known for using some of the most ingenious hacking techniques ever seen to spy on its victims. One of the tricks that’s now become its signature move: hacking the infrastructure of other hackers to stealthily piggyback on their access. This week Microsoft’s threat intelligence researchers and security firm Lumen Technologies revealed that Turla gained access to the servers of a Pakistan-based hacker group and used its visibility into victim networks to spy on government, military and intelligence targets in India and Afghanistan of interest to the Kremlin. In some cases, Turla hijacked the Pakistani hackers’ access to install their own malware, while in other instances they appear to have used the other group’s tools for even greater stealth and deniability. The incident marks the fourth known time since 2017, when it penetrated an Iranian hacker group’s command-and-control servers, that Turla has freeloaded on another hacker group’s infrastructure and tooling, according to Lumen.

**Admin of Russian Dark Web Market Hydra Sentenced to Life in Prison**

The Russian government is known for turning a blind eye to cybercrime—until it doesn’t. This week 15 convicted members of the notorious dark web market Hydra learned the limits of that forbearance when they reportedly received prison sentences ranging from 8 years to 23 years, as well an unprecedented life sentence for the site’s creator Stanislav Moiseyev. Before it was taken down two years ago in a law enforcement operation led by IRS criminal investigators in the US and Germany’s BKA police agency, Hydra was a uniquely sprawling dark web marketplace, one that not only served as the post-Soviet world’s biggest online bazaar for narcotics but also a vast money laundering machine for crimes including ransomware, scams, and sanctions evasion. In total, Hydra enabled more than $5 billion dollars in dirty cryptocurrency transactions since 2015, according to crypto tracing firm Elliptic.

**Suspected Ransomware Actor “Wazawaka” Reportedly Charged and Apprehended by Russia**

Russian law enforcement charged and arrested a software developer last week who is suspected of prolific contributions to multiple ransomware groups, including building malware to extort money from businesses and other targets. The suspect is reportedly Mikhail Matveev, or “Wazawaka,” who has worked as an affiliate with ransomware gangs like Conti, LockBit, Babuk, DarkSide, and Hive. Social media reports indicate that Matveev confirmed his indictment and said that he has been released from law enforcement custody on bail.

Russia’s prosecutor general did not name Matveev, but described charges last week against a 32-year-old hacker under Article 273 of Russia’s Criminal Code, which bans the creation or use of malware. The move came as Russia seemed to be sending some sort of message about its tolerance for cybercrime with the sentencing of the dark web marketplace Hydra’s staff, including a life sentence for its administrator. In 2023, the US government indicted and sanctioned Matveev.

**FBI Is Investigating Exxon Lobbyist Firm Over Hack-and-Leak Operation Targeting Activists**

In a disturbing scoop (one we didn’t cover last week due to the Thanksgiving holiday), Reuters reporters have revealed that the FBI is now investigating a lobbying consultancy hired by Exxon over the firm’s role in a hack-and-leak operation that targeted climate change activists. DCI Group, a lobbying firm hired at the time by Exxon, allegedly gave a list of target activists to a private investigator who then outsourced a hacking operation against those targets to mercenary hackers. After the private investigator—an Israeli man named Amit Forlit, who was later arrested in London and faces US hacking charges—allegedly gave the hacked material to DCI, it leaked the activists’ internal communications about climate change litigation against Exxon to the media, Reuters discovered. The FBI, according to Reuters, has determined that DCI also first previewed that material to Exxon before leaking it. “Those documents were directly employed by Exxon to come after me with all guns blazing,” one attorney working with the activist group, the Center for Climate Integrity, told Reuters. “It turned my life upside down.”

Exxon has denied knowing about any hacking activities and DCI told Reuters in a statement that “we direct all our employees and consultants to comply with the law.”

US Officials Recommend Encryption Apps Amid Chinese Telecom Hacking

The activity-recording capability has drawn concerns from the security community and privacy experts, but the tech giant is being measured in its gradual rollout, which is still in preview mode.

Source: Pictorial Press Ltd via Alamy Stock Photo

NEWS BRIEF

Microsoft has expanded access for its Windows Recall feature to Copilot+ PCs that use AMD and Intel chipsets, after initially offering it to users with Snapdragon-powered machines. And, it has now launched in Europe.

The launch is part of a gradual rollout that for now is in a preview phase within the Windows Insiders testing community.

Recall is an AI-powered feature that allows PC users to record everything they do on their computers, and then go back to a desired "snapshot" of activity later. It's a useful tool, as Microsoft pointed out in its expansion announcement on Dec. 6: "It's now possible to quickly find and get back to apps, websites, images, or documents just by describing its content." But the capability also has sparked ongoing concerns about privacy and data security (Microsoft keeps and hosts the recorded content in the cloud), as well as the potential for the feature to be compromised and used for cyber-espionage ends.

The tech giant appears to be taking those concerns seriously; in June, it beefed up its planned privacy and security features for Recall, including data encryption, turning Recall off by default, and requiring users to enroll in Windows Hello biometrics authentication to prove they're present at the keyboard as recording is happening. It also added it to its bug bounty program to track down exploitable security vulnerabilities.

Microsoft has taken its time with the launch in light of the concerns; after being set to go live in June, Redmond pushed the release date for Recall back to October, and then to November, when it finally became available in limited release.

**About the Author**

Tara Seals has 20+ years of experience as a journalist, analyst and editor in the cybersecurity, communications and technology space. Prior to Dark Reading, Tara was Editor in Chief at Threatpost, and prior to that, the North American news lead for Infosecurity Magazine. She also spent 13 years working for Informa (formerly Virgo Publishing), as executive editor and editor-in-chief at publications focused on both the service provider and the enterprise arenas. A Texas native, she holds a B.A. from Columbia University, lives in Western Massachusetts with her family and is on a never-ending quest for good Mexican food in the Northeast.

Microsoft Expands Access to Windows Recall AI Feature

We are excited to introduce LLMail-Inject, a new challenge focused on evaluating state-of-the-art prompt injection defenses in a realistic simulated LLM-integrated email client. In this challenge, participants assume the role of an attacker who sends an email to a user. The user then queries the LLMail service with a question (e.

  

We are excited to introduce LLMail-Inject, a new challenge focused on evaluating state-of-the-art prompt injection defenses in a realistic simulated LLM-integrated email client. In this challenge, participants assume the role of an attacker who sends an email to a user. The user then queries the LLMail service with a question (e.g., “please summarize the last emails about project X”), which prompts the retrieval of relevant emails from a simulated email database. The inclusion of the attacker’s email in these retrievals varies depending on the scenario. The LLMail service is equipped with tools, and the attacker’s objective is to manipulate the LLM into executing a specific tool call as defined by the challenge design, while bypassing the prompt injection defenses in place. The challenge contains several scenarios that require the attacker to ensure that their email is retrieved by the client under certain conditions. Teams with the highest scores will win awards from a total pool of $10,000 USD. 

Since this challenge takes place in a simulated environment, submissions will not be part of Microsoft’s Zero Day Quest. However, since this is a realistic environment, the prompt injection techniques you develop might be applicable to real systems. We encourage you to apply your learnings from this challenge and participate in the Zero Day Quest!  

**What are Prompt Injection Attacks (PIA)?**

In prompt injection attacks against large language models (LLMs), an attacker crafts a specific input (prompt) designed to manipulate the behavior of the model in unintended ways. In such attacks, the attacker exploits the model’s ability to follow instructions embedded within text inputs. By embedding possibly malicious instructions within the input data, the attacker aims to bypass the model’s intended functionality, often to execute unauthorized commands, leak sensitive information, or manipulate outputs. Understanding and defending against prompt injection attacks is crucial for maintaining the security and reliability of LLM-based systems. 

**How does PIA work?**

Prompt injection attacks work by exploiting the inherent design of LLMs, which are trained to follow instructions and generate coherent and contextually appropriate responses based on the input they receive. Attackers craft inputs that include injected commands, which the model then interprets and executes as part of its response generation process. These commands can be embedded in various ways, such as through straight-forward instructions, cleverly phrased questions, statements, or code snippets that the model processes without recognizing them as injected instructions. For instance, an attacker might insert a command within a seemingly benign email message that tricks the model into performing actions like unauthorized data access or executing specific functions. The success of these attacks hinges on the model’s lack of context about the legitimacy of the instructions embedded in the input, making it crucial for developers to implement robust defenses and validation mechanisms to detect and mitigate such manipulative inputs. 

**What are the challenge scenarios and levels in LLMail-Inject?**

The LLMail-Inject challenge is structured into various scenarios based on retrieval configurations and the attacker’s objectives, resulting in a total of 40 levels. Each level is a unique combination of Retrieval-Augmented Generation (RAG) configuration, an LLM (GPT-4o mini or Phi-3-medium-128k-instruct), and a specific defense mechanism. 

Each level and scenario in LLMail-Inject tests different aspects of the LLM’s ability to withstand prompt injection attacks and aims to highlight the importance of robust defense mechanisms. 

**What defenses are included in LLMail-Inject?**

Despite prompt injection attacks being relatively new, researchers have already proposed several defenses to mitigate their effect. The LLMail-Inject challenge incorporates various state-of-the-art defenses to test the robustness of LLMs against prompt injection attacks. These include: 

*   Spotlighting \[1\]: A preventative defense that “marks” data (as opposed to instructions) that is provided to an LLM using methods like adding special delimiters, encoding data (e.g., in base64), or marking each token in the data with a special preceding token. 
    
*   PromptShield \[2\]: A black-box classifier designed to detect prompt injections, ensuring that malicious prompts are identified and mitigated. 
    
*   LLM-as-a-judge: This defense uses an LLM to detect attacks by evaluating prompts instead of relying on a trained classifier. 
    
*   TaskTracker \[3\]: Based on analyzing the model’s internal states to detect task drift, this defense extracts activations when the user first prompts the LLM and again when the LLM processes external data. It then contrasts these activation sets to detect drift via a linear probe on the activation deltas. 
    
*   Combination of all: A variant in the challenge where multiple defenses are stacked together, requiring an attack to evade all defenses simultaneously with a single prompt. 
    

**How do I participate?**

To participate in the LLMail-Inject challenge, please follow the instructions below and visit the official challenge website at LLMail-Inject.  

1.  Create a team by signing in with your GitHub account.  
    
2.  Start playing! You can make a submission through the website UI or programmatically via our competition API. 
    

If using the API for programmatic submissions: 

*   We have API documentation on the website and your API key is already injected into the example Python client. 
    
*   Your API key is also available on your user profile page. 
    
*   We have rate limits in place to ensure a great experience for all participants. The website also provides comprehensive information on how to get started, including how to configure your environment and submit your entries. This setup ensures that participants can easily join the competition and contribute, regardless of their level of experience or preferred method of interaction. 
    

**Scoring, winners, and awards**

The Contest starts at 11:00 a.m. Coordinated Universal Time (UTC) on December 9, 2024, and ends at 11:59 a.m. UTC on January 20, 2025 (“Entry Period”). If at least 10% of the levels have not been solved by at least four (4) teams on the end date listed above, we may opt to extend the challenge. Check LLMail-Inject for any updates to the schedule. 

Throughout the event, a live scoreboard will be displayed (here along with the scoring details). The challenge has a total prize pool of $10,000 USD, with awards distributed as follows:  

*   $4,000 USD for the top team 
    
*   $3,000 USD for the second-place team 
    
*   $2,000 USD for the third-place team 
    
*   $1,000 USD for the fourth-place team.  
    

The winning teams will be invited to co-present with the organizers at the IEEE Conference on Secure and Trustworthy Machine Learning (SaTML) 2025.  

**References**

\[1\] Keegan Hines et al. Defending Against Indirect Prompt Injection Attacks With Spotlighting 

\[2\] Azure AI announces Prompt Shields for Jailbreak and Indirect prompt injection attacks 

\[3\] Sahar Abdelnabi et al. Are you still on track!? Catching LLM Task Drift with Activations 

_This challenge is co-organized by Aideen Fay\*, Sahar Abdelnabi\*, Benjamin Pannell\*, Giovanni Cherubin\*, Ahmed Salem, Andrew Paverd, Conor Mac Amhlaoibh, Joshua Rakita, Santiago Zanella-Beguelin, Egor Zverev, Mark Russinovich, and Javier Rando_

(\*: Core contributors).

Announcing the Adaptive Prompt Injection Challenge (LLMail-Inject) 

**What is the version information for this release?**

Microsoft Edge Version

Date Released

Based on Chromium Version

131.0.2903.86

12/05/2024

131.0.6778.108/.109

CVE-2024-12053: Chromium: CVE-2024-12053 Type Confusion in V8

BT Group, a major telecommunications firm, has been hit by a ransomware attack from the Black Basta group. The attack targeted the company's Conferencing division, leading to server shutdowns and potential data theft.

****SUMMARY****

*   **BT Group Ransomware Attack**: British telecom giant BT Group’s Conferencing division was hit by a ransomware attack by Black Basta, leading to certain servers being taken offline.
*   **Stolen Data**: Black Basta claims to have stolen 500 GB of sensitive data, including financial, corporate, and personal information, and threatened to leak it unless a ransom is paid.
*   **Company Response**: BT Group stated the attack was confined to specific parts of its Conferencing platform, with core services unaffected, and is working with authorities to investigate.
*   **Black Basta’s Methods**: The group uses advanced tactics like email bombing and social engineering through platforms like Microsoft Teams to gain initial access.
*   **Global Ransomware Threat**: Black Basta has targeted over 500 organizations, affecting critical infrastructure sectors, emphasizing the need for robust cybersecurity measures.

Days after the ransomware attacks on the NHS Hospitals in the United Kingdom, British telecommunications giant BT Group has fallen victim to a ransomware attack launched by the notorious Black Basta gang. The attack specifically targeted the company’s Conferencing business division, forcing the company to take certain servers offline as a precautionary measure.

While BT Group has downplayed the severity of the attack, claiming limited impact on its services and customer data, Black Basta paints a far more alarming picture. The ransomware gang asserts that they successfully stole a staggering 500 gigabytes of sensitive information. As an evidence, the group has released screenshots of stolen documents and folder listings. 

The threat actors added BT’s btci.com and btconferencing.com domains to their data leak site, threatening to publicly release the stolen information, which includes financial, corporate, and even personal data such as passport copies, unless a ransom is paid. However, the exact amount of the ransom has not been disclosed.

BT Group has confirmed to _Hackread.com_ that it is actively investigating the incident and cooperating with relevant authorities. The company has emphasized that the attack was confined to specific elements of the Conferencing platform and that core services remain operational.

“We identified an attempt to compromise our BT Conferencing platform. This incident was restricted to specific elements of the platform, which were rapidly taken offline and isolated.”

“We’re continuing to actively investigate all aspects of this incident, and we’re working with the relevant regulatory and law enforcement bodies as part of our response,” BT Group’s spokesperson stated.

Black Basta has targeted over 500 organizations globally in the past two years, targeting 12 out of 16 critical infrastructure sectors, with victims including Ascension Healthcare, Hyundai Europe, Capita, Yellow Pages Canada, and Dish. 

The group, a ransomware-as-a-service (RaaS) variant emerging in 2022 after the Russian invasion of Ukraine and the downfall of Conti,  has had significant impacts on the global economy, according to the FBI and CISA’s (PDF) advisory titled “#StopRansomware: Black Basta.”

Research reveals that Black Basta, has been refining its social engineering methods. The group often initiates attacks by bombarding victims with emails from various mailing lists, creating a sense of urgency and confusion. 

“Recent techniques include email bombing—a tactic used to send a large volume of spam emails—to aid social engineering over Microsoft Teams and trick victim end users into providing initial access via remote monitoring and management (RMM) tools,” CISA’s updated advisory revealed.

This social engineering ploy often leads victims to grant remote access to their devices, allowing the hackers to deploy malware and steal sensitive information.

The incident reminds us that ransomware attacks remain a consistent threat, even for large, well-resourced organizations. Therefore, businesses must invest in advanced cybersecurity measures to protect sensitive data and maintain business continuity.

1.  **US, UK Military Social Network “Forces Penpals” Leaks PII Data**
2.  **Qilin Ransomware Leaks 400GB of NHS, Patient Data on Telegram**
3.  **Russian Midnight Blizzard Breached UK Home Office via Microsoft**
4.  **Major UK Security Provider Leaks Trove of Guard and Suspect Data**
5.  **China Suspected in Cyberattack on UK’s Ministry of Defence (MoD)**

Telecom Giant BT Group Hit by Black Basta Ransomware

**According to the CVSS metric, user interaction is required (UI:R). What interaction would the user have to do?**

The user would have to click on a specially crafted URL to be compromised by the attacker.

Tag

#microsoft