The Windows operating system allows you to create your own skins and share them through the settings interface. When the user saves a theme, a file with the extension “.theme” is created. If he decides to share his theme with someone, then it will be packed into a file with the “.deskthemepack” extension, which can be sent by email or in some other way.

Similarly, attackers can create “.theme” files that, when opened, will redirect users to a website that requires authentication. When users enter their information, an NTLM hash is sent to the site. User credentials can be extracted from it using special software.

One way to protect against such attacks is to find and block files with the extensions “.theme”, “.themepack” and “.desktopthemepackfile”. You can also use Group Policy to restrict the sending of hashed NTLM credentials to remote hosts.

The researcher notes that he reported the problem to Microsoft, but the developers still have not fixed it. Microsoft representatives have not yet commented on this issue.