document contains image to 401 err page of another domain. This leads to potential security flow 'cause some1 can steal your credentials .

Chrome prevents this attack , but NBT doesn't

if you see 401 webauth request now - your browser almost protected against such attacks but users may not notice that ANOTHER Domain is requesting his/her credentials and therefore it can be stolen if user inputs them.