This exploit leverages an information disclosure vulnerability in Microsoft Office. By sending an email with a specially crafted link, an attacker can coerce authentication to an untrusted server and steal NTLM hashes. The link points to an HTTP server. When the client opens it in a browser, if the user is on the trusted list, the client connects to the HTTP server and the exploit obtains the user's NTLM hashes. This exploit does not install an agent; it obtains the NTLM hash of a legitimate user. Tools like "John the Ripper" can then be used to attempt to recover the original password associated with the hash.