The vulnerability (CVE-2018-0950) exploited Outlook’s unfortunate habit of retrieving remotely hosted Object Linking and Embedding (OLE) content when previewing a RTF email.

The Windows client was able to authenticate itself if that content was hosted on SMB/CIFS server.

If the SMB server was controlled by the attacker, then Windows had effectively handed over the user’s login credentials, including a hashed password, without any interaction on behalf of the user other than the email being rendered.