Commit e846b57

Update remote-calls-sam.md
added note on SAM-R component and net-ntlm hash issue
1 parent 497b600 commit e846b57

1 file changed

+7
-0
lines changed

ATPDocs/deploy/remote-calls-sam.md

Lines changed: 7 additions & 0 deletions
@@ -9,6 +9,13 @@ ms.topic: how-to
99

1010
Microsoft Defender for Identity mapping for [potential lateral movement paths](/defender-for-identity/understand-lateral-movement-paths) relies on queries that identify local admins on specific machines. These queries are performed with the SAM-R protocol, using the Defender for Identity [Directory Service account](directory-service-accounts.md) you configured.
1111

12+
> [!NOTE]
13+
> This feature can potentially be exploited by an adversary to obtain the Net-NTLM hash of the DSA account due to a Windows limitation in the SAM-R calls that allows downgrading from Kerberos to NTLM.
14+
> The new Defender for Identity sensor is not affected by this issue as it uses different detection methods.
15+
>
16+
> It is recommended to use a [low privileged DSA account](directory-service-accounts.md#grant-required-dsa-permissions). You can also [contact support](support.md) to open a case and request to completely disable the [Lateral Movement Paths](../security-assessment-riskiest-lmp.md) data collection capability.
17+
> Please note that this will result in reduced data available for the [attack path feature in Exposure Management](/security-exposure-management/review-attack-paths).
18+
1219
This article describes the configuration changes required to allow the Defender for Identity Directory Services Account (DSA) to perform the SAM-R queries.
1320

1421
> [!TIP]
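Review bot: the NOTE added at lines 12-17 tells the reader that the DSA's Net-NTLM hash can be obtained, but not why the recommended mitigation works, so the recommendation reads as unrelated to the risk; add one sentence to the line "It is recommended to use a [low privileged DSA account]..." making the link explicit, e.g. "Because the exposed credential belongs to the DSA, limiting that account's privileges limits what an attacker can do with it." Two smaller points on the same block: "The new Defender for Identity sensor" is ambiguous for readers who do not know which sensor is "new", so name or link the sensor version that is not affected; and "Please note that this will result in reduced data..." should drop "Please" and, per the rest of the page's register, read "Note that disabling this capability reduces the data available for...". The first two sentences also sit in one `>` paragraph while the third is separated by an empty `>` line; either separate all three or none, so the rendered callout is consistent.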
